{"metadata": {"customerIDString": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "offset": 79921069, "eventType": "IdentityProtectionEvent", "eventCreationTime": 1721116052203, "version": "1.0"}, "event": {"IncidentType": "Password brute force attack (Active Directory)", "IncidentDescription": "Password brute force attack (Active Directory)", "Severity": 4, "SeverityName": "LOW", "StartTime": 1721097299000, "EndTime": 1721115768000, "IdentityProtectionIncidentId": "4577b161-DDDD-cccc-bbbbb-aaaaaaaaaaaa", "UserName": "CORP.TESTLABLABS.COM\\adm-sasuke", "EndpointName": "endpnt.corp.testlablabs.com", "EndpointIp": "", "Category": "Detections", "NumbersOfAlerts": 1, "NumberOfCompromisedEntities": 2, "State": "NEW", "FalconHostLink": "https://falcon.crowdstrike.com/identity-protection/detections/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:ind:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:4577B161-DDDD-CCCC-BBBBB-AAAAAAAAAAAA"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.2.1", "Input": "TestlabCrwd", "App_id": "TestlabSplunkPoV", "Event_types": "['All']", "Initial_start": "historic"}} {"metadata": {"customerIDString": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "offset": 79888017, "eventType": "IdentityProtectionEvent", "eventCreationTime": 1721110710291, "version": "1.0"}, "event": {"IncidentType": "POTENTIAL_RISKY_ACTIVITY", "IncidentDescription": "User access patterns detected as anomalous. Such activities may indicate potential threats such as endpoint infection, compromised account or other risks. \nFalcon monitors the activity and will escalate severity or incident type when necessary.", "Severity": 3, "SeverityName": "LOW", "StartTime": 1720770944000, "EndTime": 1721110710286, "IdentityProtectionIncidentId": "INC-2308", "UserName": "CORP.TESTLABLABS.COM\\x-naruto", "EndpointName": "endpnt.corp.testlablabs.com", "EndpointIp": "", "Category": "Incidents", "NumbersOfAlerts": 53, "NumberOfCompromisedEntities": 1, "State": "NEW", "FalconHostLink": "https://falcon.crowdstrike.com/identity-protection/incidents/INC-2308"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.2.1", "Input": "TestlabCrwd", "App_id": "TestlabSplunkPoV", "Event_types": "['All']", "Initial_start": "historic"}} {"metadata": {"customerIDString": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "offset": 79888016, "eventType": "IdentityProtectionEvent", "eventCreationTime": 1721110710258, "version": "1.0"}, "event": {"IncidentType": "Access from IP with bad reputation", "IncidentDescription": "Access from IP with bad reputation", "Severity": 3, "SeverityName": "LOW", "StartTime": 1721110250000, "EndTime": 1721110250000, "IdentityProtectionIncidentId": "4577b161-DDDD-CCCC-bbbbb-aaaaaaaaaaaa", "UserName": "CORP.TESTLABLABS.COM\\x-naruto", "EndpointName": "endpnt.corp.testlablabs.com", "EndpointIp": "", "Category": "Detections", "NumbersOfAlerts": 1, "NumberOfCompromisedEntities": 1, "State": "NEW", "FalconHostLink": "https://falcon.crowdstrike.com/identity-protection/detections/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:ind:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:4577B161-DDDD-CCCC-BBBBB-AAAAAAAAAAAA"}, "ta_data": {"Feed_id": "0", "Multiple_feeds": "False", "Cloud_environment": "us_commercial", "TA_version": "3.2.1", "Input": "TestlabCrwd", "App_id": "TestlabSplunkPoV", "Event_types": "['All']", "Initial_start": "historic"}}