{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15869482, "eventType": "EppDetectionSummaryEvent", "eventCreationTime": 1770050645000, "version": "1.0"}, "event": {"ProcessStartTime": 1770050583, "ProcessEndTime": 1770050583, "ProcessId": 9706137837438, "ParentProcessId": 9706132454632, "Hostname": "CROWDFAL2", "UserName": "Administrator", "Name": "Suspicious Activity", "Description": "For evaluation only - benign, no action needed.", "Severity": 30, "SeverityName": "Low", "FileName": "choice.exe", "FilePath": "\\Device\\HarddiskVolume2\\Windows\\System32\\choice.exe", "CommandLine": "choice  /m crowdstrike_sample_detection", "SHA256String": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5String": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SHA1String": "0000000000000000000000000000000000000000", "LogonDomain": "CROWDFAL2", "FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/3061c7ff3b634e22b38274d4b586558e:ind:9a58cd4397bb4a2abadf0189e36ab0e7:9706137837438-10197-2137721104?_cid=g03000lcf73zmc2nbaploaxbwbj4zvsu", "AgentId": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:9a58cd4397bb4a2abadf0189e36ab0e7:9706137837438-10197-2137721104", "LocalIP": "10.1.17.4", "MACAddress": "00-50-56-aa-8c-eb", "Tactic": "Malware", "Technique": "Malicious File", "Objective": "Falcon Detection Method", "PatternDispositionDescription": "Detection, standard detection.", "PatternDispositionValue": 0, "PatternDispositionFlags": {"Indicator": false, "Detect": false, "InddetMask": false, "SensorOnly": false, "Rooting": false, "KillProcess": false, "KillSubProcess": false, "QuarantineMachine": false, "QuarantineFile": false, "PolicyDisabled": false, "KillParent": false, "OperationBlocked": false, "ProcessBlocked": false, "RegistryOperationBlocked": false, "CriticalProcessDisabled": false, "BootupSafeguardEnabled": false, "FsOperationBlocked": false, "HandleOperationDowngraded": false, "KillActionFailed": false, "BlockingUnsupportedOrDisabled": false, "SuspendProcess": false, "SuspendParent": false, "ContainmentFileSystem": false}, "ParentImageFileName": "cmd.exe", "ParentCommandLine": "C:\\Windows\\SYSTEM32\\cmd.exe /c \"\"C:\\CS_script.bat\"\"", "GrandParentImageFileName": "svchost.exe", "GrandParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs", "HostGroups": "0ebde3fe33d547fc9bbe24f50be44da8,fd63f5073f644377a8150e9c1e5a86d0", "PatternId": 10197, "SourceVendors": "CrowdStrike", "SourceProducts": "Falcon Insight", "DataDomains": "Endpoint", "AggregateId": "aggind:9a58cd4397bb4a2abadf0189e36ab0e7:3895775132886", "Type": "ldt", "ParentImageFilePath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", "GrandParentImageFilePath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "LocalIPv6": "", "PlatformId": "0", "PlatformName": "Windows", "MitreAttack": [{"Tactic": "Malware", "TacticID": "CSTA0001", "Technique": "Malicious File", "TechniqueID": "CST0001", "PatternID": 10197}], "CloudIndicator": false, "RiskScore": 40}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15848938, "eventType": "EppDetectionSummaryEvent", "eventCreationTime": 1769908584000, "version": "1.0"}, "event": {"ProcessStartTime": 1769908521, "ProcessEndTime": 1769908524, "ProcessId": 3696193752940, "ParentProcessId": 3696188895294, "Hostname": "WIN-DC", "UserName": "kennyb", "Name": "Attacker Methodology", "Description": "A suspicious process was identified by CrowdStrike. Review the process tree.", "Severity": 10, "SeverityName": "Informational", "FileName": "powershell.exe", "FilePath": "\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "\"powershell.exe\" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAYgB5AHAAYQBzAHMACgBJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADcAOAAuADAAMAAxAC0AMQAiACAALQBDAG8AbgBmAGkAcgBtADoAJABmAGEAbABzAGUAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAbwBuAGQAcwAgADMAMAAwACAALQBFAHgAZQBjAHUAdABpAG8AbgBMAG8AZwBQAGEAdABoACAAQwA6AFwAQQB0AG8AbQBpAGMAUgBlAGQAVABlAGEAbQBcAGEAdABjAF8AZQB4AGUAYwB1AHQAaQBvAG4ALgBjAHMAdgA=", "SHA256String": "ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436", "MD5String": "097ce5761c89434367598b34fe32893b", "SHA1String": "0000000000000000000000000000000000000000", "LogonDomain": "ATTACKRANGE", "FilesAccessed": [{"Timestamp": 1769908526, "FileName": "atc_execution.csv", "FilePath": "\\Device\\HarddiskVolume1\\AtomicRedTeam"}], "FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/3061c7ff3b634e22b38274d4b586558e:ind:32f2ea74cc134492a46168403db2f25c:3696193752940-10417-123040016?_cid=g03000lcf73zmc2nbaploaxbwbj4zvsu", "AgentId": "32f2ea74cc134492a46168403db2f25c", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:32f2ea74cc134492a46168403db2f25c:3696193752940-10417-123040016", "LocalIP": "10.0.1.14", "MACAddress": "0a-ff-f4-1c-79-5b", "Tactic": "Execution", "Technique": "User Execution", "Objective": "Follow Through", "PatternDispositionDescription": "Detection, standard detection.", "PatternDispositionValue": 0, "PatternDispositionFlags": {"Indicator": false, "Detect": false, "InddetMask": false, "SensorOnly": false, "Rooting": false, "KillProcess": false, "KillSubProcess": false, "QuarantineMachine": false, "QuarantineFile": false, "PolicyDisabled": false, "KillParent": false, "OperationBlocked": false, "ProcessBlocked": false, "RegistryOperationBlocked": false, "CriticalProcessDisabled": false, "BootupSafeguardEnabled": false, "FsOperationBlocked": false, "HandleOperationDowngraded": false, "KillActionFailed": false, "BlockingUnsupportedOrDisabled": false, "SuspendProcess": false, "SuspendParent": false, "ContainmentFileSystem": false}, "ParentImageFileName": "powershell.exe", "ParentCommandLine": "powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand CgAgACAAIAAgACYAYwBoAGMAcAAuAGMAbwBtACAANgA1ADAAMAAxACAAPgAgACQAbgB1AGwAbAAKACAAIAAgACAAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQAKACAAIAAgACAAJABzAHAAbABpAHQAXwBwAGEAcgB0AHMAIAA9ACAAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByAC4AUwBwAGwAaQB0ACgAQAAoACIAYAAwAGAAMABgADAAYAAwACIAKQAsACAAMgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBSAGUAbQBvAHYAZQBFAG0AcAB0AHkARQBuAHQAcgBpAGUAcwApAAoAIAAgACAAIABTAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgAGoAcwBvAG4AXwByAGEAdwAgAC0AVgBhAGwAdQBlACAAJABzAHAAbABpAHQAXwBwAGEAcgB0AHMAWwAxAF0ACgAgACAAIAAgACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAIAAgACAAIAAmACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIACgA=", "GrandParentImageFileName": "powershell.exe", "GrandParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==", "HostGroups": "56778db51dd04051a0dbd0f18d1077ea", "Tags": "FalconGroupingTags/S2PL", "PatternId": 10417, "SourceVendors": "CrowdStrike", "SourceProducts": "Falcon Insight", "DataDomains": "Endpoint", "AggregateId": "aggind:32f2ea74cc134492a46168403db2f25c:83207884994", "Type": "ldt", "ParentImageFilePath": "\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "GrandParentImageFilePath": "\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "LocalIPv6": "", "PlatformId": "0", "PlatformName": "Windows", "MitreAttack": [{"Tactic": "Execution", "TacticID": "TA0002", "Technique": "User Execution", "TechniqueID": "T1204", "PatternID": 10417}], "CloudIndicator": false, "RiskScore": 10}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15917232, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770378512000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770295507156, "EndTimeEpoch": 1770378450620, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "5d318452cb0e472e92305149662351c9", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|5d318452cb0e472e92305149662351c9-368cb6ce93bc48ea83076e840720b06a"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15916047, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770370031000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770287106075, "EndTimeEpoch": 1770369969263, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "6164a3077a18448a86399b9af7428829", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|6164a3077a18448a86399b9af7428829-19574a7458b44d20af0c675ffa99dd24"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15909682, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770326316000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770243307078, "EndTimeEpoch": 1770326254713, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "b3cb6e7ce7764d56b9fdf05d41b543f6", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|b3cb6e7ce7764d56b9fdf05d41b543f6-69bd08267fbc4dcebe2b754982a69f42"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15909119, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770322112000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770239107100, "EndTimeEpoch": 1770322050604, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "d51bdcb7ed484a0c96632e8b3ccc467e", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|d51bdcb7ed484a0c96632e8b3ccc467e-d764b92dec8f49418b25921f6e248c9f"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15906951, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770306496000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770223506217, "EndTimeEpoch": 1770306433899, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "20e28a308a6a4f9ba9f699c778e0f451", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.0.2.15", "HostNames": "phantom-identit", "SHA256Hashes": "8c8acf4ef9fa52c334afddd5cc4bd3f463ae454e4852540d0c2370179e8aa4de", "MD5Hashes": "421787932d2f6f215cbef829f2f27573", "SensorIds": "8985ce90ae2a437d85cc7ee6c144e008", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|20e28a308a6a4f9ba9f699c778e0f451-3d928736aeaf4ff98b84657b9f0ee8e6"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15905072, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770292664000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770209704372, "EndTimeEpoch": 1770292602523, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "17c5988f42db4eecb54cba384f80fa3b", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.0.1.21", "HostNames": "ar-linux", "SHA256Hashes": "4f291296e89b784cd35479fca606f228126e3641f5bcaee68dee36583d7c9483", "MD5Hashes": "7409ae3f7b10e059ee70d9079c94b097", "SensorIds": "d9c6da290eab436486054109e2ab0f3f", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|17c5988f42db4eecb54cba384f80fa3b-7a68ad8a43fb4b98af693c7230d15aac"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15903800, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770283640000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770200706055, "EndTimeEpoch": 1770283578437, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "cb1f7490820e48ad84e1dccd5706b84b", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|cb1f7490820e48ad84e1dccd5706b84b-eac3356ff9534f68a6cb13461c37c80b"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15903682, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770282453000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770199507590, "EndTimeEpoch": 1770282391002, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "0158037962624b328992744505819e05", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|0158037962624b328992744505819e05-8187867dc2cd480f910d42054de6bdf6"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15897793, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770242875000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770159906594, "EndTimeEpoch": 1770242812954, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "742813aadc6b4bb4b9f32b7a30f44f7e", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5Hashes": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|742813aadc6b4bb4b9f32b7a30f44f7e-2a7660b5da814058876939295091001d"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15896056, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770230308000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770147307086, "EndTimeEpoch": 1770230246813, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "e72e5a901b6b4bdda8c7b9b8761b4281", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5Hashes": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|e72e5a901b6b4bdda8c7b9b8761b4281-f0a7a6a9872945d6be99ac2fd750ac47"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15895139, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770223651000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770140706577, "EndTimeEpoch": 1770223589470, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "44725d858ae647c4b13d80f17dd7606e", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|44725d858ae647c4b13d80f17dd7606e-e0fc0b2045f2434d85020d4934db144d"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15890663, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770191264000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770108307635, "EndTimeEpoch": 1770191202142, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "59d20cd4c18d4e709556773d747fb740", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5Hashes": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|59d20cd4c18d4e709556773d747fb740-3c7f632af4b84a6c81bc1e2ad43a2bde"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15890555, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770190670000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770107707081, "EndTimeEpoch": 1770190607593, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "295e79ea91444c9eb0f404913623b2fc", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|295e79ea91444c9eb0f404913623b2fc-52b0bc3eb31241aba88b2d8c02afc0f0"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15890502, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770190056000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770107107611, "EndTimeEpoch": 1770189994133, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "6050654f84e5486cac6254df3f6f6654", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|6050654f84e5486cac6254df3f6f6654-302431d529a24efdae1ef58fdda6077a"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15888932, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770179257000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770096306069, "EndTimeEpoch": 1770179194527, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "0ae63a53d2fb42c195a5dbf20e7b84af", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5Hashes": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|0ae63a53d2fb42c195a5dbf20e7b84af-953e4605f9fb439b84803f4c52850bea"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15888627, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770176866000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770093907596, "EndTimeEpoch": 1770176804633, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "6ffdbb6725bf4d1ca83618cd793ee31f", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|6ffdbb6725bf4d1ca83618cd793ee31f-9ff60e98bcbb4caa8ce9b3c09e9c2c03"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15888616, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770176860000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770093907095, "EndTimeEpoch": 1770176798107, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "6ffdbb6725bf4d1ca83618cd793ee31f", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|6ffdbb6725bf4d1ca83618cd793ee31f-2bf2951279b3409c8619560c7ef4187b"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15887894, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770172065000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770089106618, "EndTimeEpoch": 1770172002559, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "41c697f5dff746d588e6ffab6c128b73", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5Hashes": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|41c697f5dff746d588e6ffab6c128b73-45c979f69b6f46b38813e316c0c65003"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15884724, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770151686000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770068707086, "EndTimeEpoch": 1770151623475, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "bd0c6e63bc6f4554b5c11f50cf4983a2", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5Hashes": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|bd0c6e63bc6f4554b5c11f50cf4983a2-9c9b18200fe045d5bc45f9daf6c6c349"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15883487, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770145061000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770062106578, "EndTimeEpoch": 1770144999919, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "8b6a5e7a0ab848cd8aadac39985b8afd", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|8b6a5e7a0ab848cd8aadac39985b8afd-6e510e6f136a443ba2dfb82fedd3067b"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15879912, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770124082000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770041108146, "EndTimeEpoch": 1770124020555, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "c229fad33c504d4da03aca272ffbc396", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|c229fad33c504d4da03aca272ffbc396-aea806fe274a4f9fa6e371cace60c413"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15876793, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770101844000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770018906112, "EndTimeEpoch": 1770101784047, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "bd22cd5f63fc41b7bd18432482869b39", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5Hashes": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|bd22cd5f63fc41b7bd18432482869b39-425a537463ae4a889f8901cacc553815"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15876706, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770101245000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770018306569, "EndTimeEpoch": 1770101182627, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "1ffdf2139e214f99a347e7fa1a1fec88", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|1ffdf2139e214f99a347e7fa1a1fec88-1dc253394dda40628f1ff5df1a91623f"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15876138, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770097086000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1770014107586, "EndTimeEpoch": 1770097023877, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "fb03785299fc4e9b96b0f7df22cf3556", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|fb03785299fc4e9b96b0f7df22cf3556-644ddefa8ff543a0807160b094e4f90c"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15872539, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770071260000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769988307604, "EndTimeEpoch": 1770071198778, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "47ee635f64214467bddf00fa5da94838", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5Hashes": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|47ee635f64214467bddf00fa5da94838-f7b37e6997654bc9a5ed479a07e93c1d"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15870826, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1770059853000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769976906597, "EndTimeEpoch": 1770059790682, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "5252ba67e2ac46a48f754743f95d6647", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|5252ba67e2ac46a48f754743f95d6647-3cfac9315eca474cb494fc4da6e16fba"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15861074, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769992671000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769909706056, "EndTimeEpoch": 1769992609091, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "bdaad98469bc4358a4c2d27ae3309d11", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "ee8364c07b3f4f71fa649e0e6c4c73c15d285130e4b16e79890eebbf89c2164e", "MD5Hashes": "da63852a2b0340e94d74eaf0cd444979", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|bdaad98469bc4358a4c2d27ae3309d11-871d658c56f54affb262d686c8a00091"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15860437, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769988457000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769905506749, "EndTimeEpoch": 1769988395498, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "d94bcd5eba82488e8970c5fd5cf0da6f", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|d94bcd5eba82488e8970c5fd5cf0da6f-e4e0194c0fff406488cb4a798a6f9fd9"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15857509, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769967457000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769884506118, "EndTimeEpoch": 1769967396385, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "9af719056d1645a2994fa4196290c3d6", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|9af719056d1645a2994fa4196290c3d6-dfbdec60de8b4cdfaf1d649f26caa043"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15857026, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769963851000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769880907194, "EndTimeEpoch": 1769963789762, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "8002950f72844babb5a0127854d167ee", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|8002950f72844babb5a0127854d167ee-ca47324bc78c43298ea959c17d2580e8"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15852649, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769932648000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769849705568, "EndTimeEpoch": 1769932585769, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "8d3fd63c6caf4bf4b47484bac2d9d0ce", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "ee8364c07b3f4f71fa649e0e6c4c73c15d285130e4b16e79890eebbf89c2164e", "MD5Hashes": "da63852a2b0340e94d74eaf0cd444979", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|8d3fd63c6caf4bf4b47484bac2d9d0ce-6e9cd80a6af444a6a1d389429f89f5fb"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15851508, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769924248000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769841307716, "EndTimeEpoch": 1769924186655, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "81ccb9c75f5249bfb7164c3a73b68569", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|81ccb9c75f5249bfb7164c3a73b68569-e981b66bbb9349f698ba09bc3e1e2619"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15851269, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769922466000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769839507194, "EndTimeEpoch": 1769922404641, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "376945ca48da479aa0fa9057d9a1a8dc", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|376945ca48da479aa0fa9057d9a1a8dc-1ea2642b4aa44700a61dcec552a54a3b"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15850734, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769918848000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769835900780, "EndTimeEpoch": 1769918785743, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "7f0cf5610e6742a4ba1c3b184fbce12b", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.0.1.14", "HostNames": "WIN-DC", "SHA256Hashes": "2f1393cd86d5c77fad0a47520ae02c2ae8598bd604ff4175b89f13062f432612", "MD5Hashes": "da34dbdcd5090405fccafc9452f010b4", "SensorIds": "32f2ea74cc134492a46168403db2f25c", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|7f0cf5610e6742a4ba1c3b184fbce12b-327cd0ddc03a4e86ac736c5af362a47a"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15848635, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769906267000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769823306629, "EndTimeEpoch": 1769906205492, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "fbf358856b9946f08f8f7326cdc898d6", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5Hashes": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|fbf358856b9946f08f8f7326cdc898d6-aa6610acf2134d639d04eefba6c0c295"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15848565, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769905652000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769822707147, "EndTimeEpoch": 1769905590486, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "56192116890044e18c20e6263f937602", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5Hashes": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|56192116890044e18c20e6263f937602-2c08f580ddef437fb4739244b3881641"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15846991, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769894245000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769811306628, "EndTimeEpoch": 1769894184188, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "20d68d1ee1b44e399ef9f0e3a138b6dc", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5Hashes": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|20d68d1ee1b44e399ef9f0e3a138b6dc-f5c435d686b84b81811e6a84377ca9c4"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15846184, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769888250000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769805307632, "EndTimeEpoch": 1769888189278, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "99c69e0c3c814f80ae8d20665acc0b66", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5Hashes": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|99c69e0c3c814f80ae8d20665acc0b66-90ebd2add9b14d5a93b3a54e3cb059f6"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15846180, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769888249000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769805307630, "EndTimeEpoch": 1769888186773, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "99c69e0c3c814f80ae8d20665acc0b66", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|99c69e0c3c814f80ae8d20665acc0b66-961c38d995b14b84bbcbe5cabefdd7a8"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15845105, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769879845000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769796906658, "EndTimeEpoch": 1769879782851, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "126bc412917645dfaffc7a13b61bbbed", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5Hashes": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|126bc412917645dfaffc7a13b61bbbed-d331a13665d7411aa4e889eb6e924391"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15844790, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769877437000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769794506607, "EndTimeEpoch": 1769877375701, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "2139229908354fb7aa7e93daaa531752", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5Hashes": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|2139229908354fb7aa7e93daaa531752-0adbe5e3e37c47aabb5c986cce9587f1"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15844741, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769876875000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769793907140, "EndTimeEpoch": 1769876813841, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "79d1890c5b0a4e1fa4c988f7847eb8f8", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5Hashes": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|79d1890c5b0a4e1fa4c988f7847eb8f8-7d3bba4afc224c02be72c9cdfc31f63f"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15844409, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769874443000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769791506110, "EndTimeEpoch": 1769874382013, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "68d46485d0964031bea83b9c54f47208", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|68d46485d0964031bea83b9c54f47208-1d242c94a3b54e32b2c2f690e0b0728f"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15838112, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769826463000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769743507706, "EndTimeEpoch": 1769826400997, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "ac581b8c4d4e4ccbaa2015fec9c146ce", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.0.1.15", "HostNames": "WIN-SVR1", "SHA256Hashes": "79dc5ee9373d2993fe0d96599159d17c5252dc236e9a3ce268612e9910ea1639", "MD5Hashes": "f8aba895fa66eda5fc73c335b39b3866", "SensorIds": "83a7b4f9baa44955b5de39d61802c9dc", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|ac581b8c4d4e4ccbaa2015fec9c146ce-35af31cfbf78478ba979802f17295b26"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15837765, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769824665000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769741704453, "EndTimeEpoch": 1769824603371, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "03042fb246ce4c02ad9bd878b04ae508", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.0.1.15", "HostNames": "WIN-SVR1", "SHA256Hashes": "79dc5ee9373d2993fe0d96599159d17c5252dc236e9a3ce268612e9910ea1639", "MD5Hashes": "f8aba895fa66eda5fc73c335b39b3866", "SensorIds": "83a7b4f9baa44955b5de39d61802c9dc", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|03042fb246ce4c02ad9bd878b04ae508-9cdad6f406cf4891b24375e999ad492e"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15835695, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769811510000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769728506704, "EndTimeEpoch": 1769811448755, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "4ea1c376b8574250adca9e22dc600573", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|4ea1c376b8574250adca9e22dc600573-2b500c2cbcdd4fbfb86d50cd000c71b7"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15835689, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769811507000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769728506659, "EndTimeEpoch": 1769811445750, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "4ea1c376b8574250adca9e22dc600573", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", "MD5Hashes": "f4f684066175b77e0c3a000549d2922c", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|4ea1c376b8574250adca9e22dc600573-6c93dac7820b4ee5881f9af2016da2fa"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15833884, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769798877000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769715900553, "EndTimeEpoch": 1769798815077, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "15222fab325c4b559da901a7fe9337fc", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.0.1.21", "HostNames": "ar-linux", "SHA256Hashes": "4f291296e89b784cd35479fca606f228126e3641f5bcaee68dee36583d7c9483", "MD5Hashes": "7409ae3f7b10e059ee70d9079c94b097", "SensorIds": "d9c6da290eab436486054109e2ab0f3f", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|15222fab325c4b559da901a7fe9337fc-9eb92032bcf045be9868c0cab3b0c2d1"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15833153, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769793478000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769710506626, "EndTimeEpoch": 1769793416227, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "4c4749fe64cf47e3aef491203883c2d3", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5Hashes": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|4c4749fe64cf47e3aef491203883c2d3-33d14ad0ab424cbe99768806f083c17e"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}
{"metadata": {"customerIDString": "3061c7ff3b634e22b38274d4b586558e", "offset": 15832103, "eventType": "XdrDetectionSummaryEvent", "eventCreationTime": 1769785678000, "version": "1.0"}, "event": {"Name": "Incident rule", "Description": "Making incidents", "PatternId": 100010, "StartTimeEpoch": 1769702707146, "EndTimeEpoch": 1769785616007, "Severity": 30, "SourceProducts": "Falcon", "SourceVendors": "CrowdStrike", "DataDomains": "Endpoint", "Author": "CorrelationRule", "XdrType": "xdr-scheduled-search", "ScheduledSearchId": "bb1f2a9e0fd34c2794f4e84ae6bf904f", "ScheduledSearchExecutionId": "2463f62488fe4d3a953507f83514eaca", "ScheduledSearchUserUUID": "c59a4ab7-e679-4c9c-ab20-05730ba369e0", "ScheduledSearchUserId": "phantomlab@splunk.com", "IPv4Addresses": "10.1.17.4", "HostNames": "CROWDFAL2", "SHA256Hashes": "df8085fb7d979c644a751804ed6bd3b74b26ce682291b5e5ede4c76eca599e7e", "MD5Hashes": "ed5fc58ec99a058ce9b7bb1ee3a96a8e", "SensorIds": "9a58cd4397bb4a2abadf0189e36ab0e7", "CompositeId": "3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:xdr|2463f62488fe4d3a953507f83514eaca-ffb6e76c9f2e42b4a8c1b997091b90e0"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.6.5", "Input": "crwd_events", "App_id": "s2_pl", "Event_types": "['All']", "Initial_start": "historic"}}