From 2d37eed1833b0a6d0b4e39041fe263a4129ea810 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leonardo=20Mora=20L=C3=B3pez?= <41559395+leonardomoralopez89@users.noreply.github.com>
Date: Wed, 27 Dec 2023 19:10:45 +0200
Subject: [PATCH 01/20] Changing the base image to eclipse-temurin:11 (#177)

---
 backend/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/Dockerfile b/backend/Dockerfile
index 217997d8e..3947d9d0b 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -1,4 +1,4 @@
-FROM openjdk:17-alpine
+FROM eclipse-temurin:11
 ADD target/utmstack.war ./

From b3956bac33822ee8052b14f1a590b7e1ae49c58b Mon Sep 17 00:00:00 2001
From: "Freddy R. Laffita Almaguer"
Date: Wed, 27 Dec 2023 12:58:51 -0500
Subject: [PATCH 02/20] Moving images to eclipse-temurin, openjdk will be deprecated soon (#178)

---
 user-auditor/Dockerfile | 2 +-
 web-pdf/Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/user-auditor/Dockerfile b/user-auditor/Dockerfile
index 8bef02cdc..6e4d70319 100644
--- a/user-auditor/Dockerfile
+++ b/user-auditor/Dockerfile
@@ -1,4 +1,4 @@
-FROM openjdk:17-alpine
+FROM eclipse-temurin:17-alpine
 ADD target/user-auditor-1.0.0.jar ./
 EXPOSE 8080
diff --git a/web-pdf/Dockerfile b/web-pdf/Dockerfile
index 45e2f54bc..9a0ff9d7b 100644
--- a/web-pdf/Dockerfile
+++ b/web-pdf/Dockerfile
@@ -1,4 +1,4 @@
-FROM openjdk:17-alpine
+FROM eclipse-temurin:17-alpine
 ADD target/web-pdf-1.0.0.jar ./
 EXPOSE 8080

From aed0a43e47389b30362b6da31930601218a7753f Mon Sep 17 00:00:00 2001
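Review bot: The new `FROM eclipse-temurin:11` in backend/Dockerfile drops the Java major version from 17 to 11 on a Debian-based image, while the user-auditor and web-pdf hunks in the following patch pick `eclipse-temurin:17-alpine`; if `target/utmstack.war` is built for a 17 target it will presumably fail to load on an 11 runtime, and the three services now run on different JDK lines and base distributions, which is more to patch and scan. If 11 is intentional the commit message should say why; otherwise `FROM eclipse-temurin:17-alpine` keeps backend consistent with the other two Dockerfiles and with the previous runtime level. All three `FROM` lines also use floating tags, so the build input can change silently between builds; pinning by digest (`FROM eclipse-temurin:17-alpine@sha256:<DIGEST>`) makes the base image reproducible and gives an image scanner a fixed input to reason about. Each hunk shows only the first lines of its Dockerfile; the remainder of each file is outside the hunk.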
From: jdieguez89
Date: Thu, 28 Dec 2023 11:25:29 +0200
Subject: [PATCH 03/20] force v10/release from old proyect

---
 .../src/app/active-directory/offline.data.ts | 2 -
 frontend/src/app/app.component.html | 12 -
 frontend/src/app/app.component.ts | 8 +-
 frontend/src/app/app.constants.ts | 1 -
 .../enums/asset-map-filter-field.enum.ts | 2 +-
 .../blocks/interceptor/auth.interceptor.ts | 17 +-
 .../compliance-result-view.component.html | 3 +-
 .../compliance-result-view.component.ts | 52 +---
 .../compliance/compliance-routing.module.ts | 6 -
 .../compliance-schedule.component.html | 107 ---------
 .../compliance-schedule.component.scss | 0
 .../compliance-schedule.component.ts | 167 -------------
 .../src/app/compliance/compliance.module.ts | 46 ++--
 .../shared/compliance-shared.module.ts | 23 +-
 .../utm-compliance-create.component.scss | 5 +-
 ...-compliance-schedule-create.component.html | 71 ------
 ...-compliance-schedule-create.component.scss | 55 -----
 ...tm-compliance-schedule-create.component.ts | 222 ------------------
 ...-compliance-schedule-delete.component.html | 17 --
 ...-compliance-schedule-delete.component.scss | 0
 ...tm-compliance-schedule-delete.component.ts | 38 ---
 .../utm-compliance-select.component.html | 96 --------
 .../utm-compliance-select.component.scss | 0
 .../utm-compliance-select.component.ts | 137 ----------
 .../models/time-frequency.ts | 31 ---
 .../utm-cp-cron-editor.component.html | 67 ------
 .../utm-cp-cron-editor.component.scss | 46 ----
 .../utm-cp-cron-editor.component.ts | 159 -------------
 .../services/compliance-schedule.service.ts | 44 ----
 .../cron-description-generator.service.ts | 139 -----------
 .../type/compliance-schedule-filter.type.ts | 6 -
 .../shared/type/compliance-schedule.type.ts | 13 -
 .../src/app/core/auth/auth-jwt.service.ts | 17 +-
 frontend/src/app/core/login/login.service.ts | 4 -
 .../compliance-export.component.ts | 88 +------
 .../dashboard-export-pdf.component.ts | 2 +-
 .../dashboard-overview.component.ts | 18 +-
 .../dashboard-render.component.ts | 17 +-
 .../active-filters.component.html | 4 +-
 .../active-filters.component.ts | 1 -
 .../components/auth/login/login.component.ts | 10 +-
 .../utm-version-info.component.html | 2 +-
 .../utm-notification-alert.component.ts | 1 +
 .../dashboard-filter-select.component.html | 1 -
 .../dashboard-filter-select.component.ts | 26 +-
 .../services/change-filter-value.service.ts | 15 --
 .../services/util/export-pdf.service.ts | 30 ---
 .../types/filter/elastic-filter.type.ts | 3 -
 .../util/query-params-to-filter.util.ts | 63 -----
 49 files changed, 54 insertions(+), 1840 deletions(-)
 delete mode 100644 frontend/src/app/active-directory/offline.data.ts
 delete mode 100644 frontend/src/app/compliance/compliance-schedule/compliance-schedule.component.html
 delete mode 100644 frontend/src/app/compliance/compliance-schedule/compliance-schedule.component.scss
 delete mode 100644 frontend/src/app/compliance/compliance-schedule/compliance-schedule.component.ts
 delete mode 100644 frontend/src/app/compliance/shared/components/utm-compliance-schedule-create/utm-compliance-schedule-create.component.html
 delete mode 100644 frontend/src/app/compliance/shared/components/utm-compliance-schedule-create/utm-compliance-schedule-create.component.scss
 delete mode 100644 frontend/src/app/compliance/shared/components/utm-compliance-schedule-create/utm-compliance-schedule-create.component.ts
 delete mode 100644 frontend/src/app/compliance/shared/components/utm-compliance-schedule-delete/utm-compliance-schedule-delete.component.html
 delete mode 100644 frontend/src/app/compliance/shared/components/utm-compliance-schedule-delete/utm-compliance-schedule-delete.component.scss
 delete mode 100644 frontend/src/app/compliance/shared/components/utm-compliance-schedule-delete/utm-compliance-schedule-delete.component.ts
 delete mode 100644 frontend/src/app/compliance/shared/components/utm-compliance-select/utm-compliance-select.component.html
 delete mode 100644 frontend/src/app/compliance/shared/components/utm-compliance-select/utm-compliance-select.component.scss
 delete mode 100644 frontend/src/app/compliance/shared/components/utm-compliance-select/utm-compliance-select.component.ts
 delete mode 100644 frontend/src/app/compliance/shared/components/utm-cp-cron-editor/models/time-frequency.ts
 delete mode 100644 frontend/src/app/compliance/shared/components/utm-cp-cron-editor/utm-cp-cron-editor.component.html
 delete mode 100644 frontend/src/app/compliance/shared/components/utm-cp-cron-editor/utm-cp-cron-editor.component.scss
 delete mode 100644 frontend/src/app/compliance/shared/components/utm-cp-cron-editor/utm-cp-cron-editor.component.ts
 delete mode 100644 frontend/src/app/compliance/shared/services/compliance-schedule.service.ts
 delete mode 100644 frontend/src/app/compliance/shared/services/cron-description-generator.service.ts
 delete mode 100644 frontend/src/app/compliance/shared/type/compliance-schedule-filter.type.ts
 delete mode 100644 frontend/src/app/compliance/shared/type/compliance-schedule.type.ts
 delete mode 100644 frontend/src/app/shared/components/utm/filters/services/change-filter-value.service.ts
 delete mode 100644 frontend/src/app/shared/services/util/export-pdf.service.ts

diff --git a/frontend/src/app/active-directory/offline.data.ts b/frontend/src/app/active-directory/offline.data.ts
deleted file mode 100644
index 2f07ee6dd..000000000
--- a/frontend/src/app/active-directory/offline.data.ts
+++ /dev/null
@@ -1,2 +0,0 @@ -// tslint:disable-next-line:max-line-length -export const data = [{computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:55:44.429Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431857', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52564', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x197d2db', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1840', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tDelegation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x197D2DB\n\tLogon GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52564\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2596.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '16aa35e5-9e5b-4075-8542-9b5cc4255a58', dataSource: 'KOK62KHGPA6', es_metadata_id: '16aa35e5-9e5b-4075-8542-9b5cc4255a58'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:55:22.095Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431854', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52560', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x197befa', SubjectUserName: '-', IpAddress: '::1', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x197BEFA\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t::1\n\tSource Port:\t\t52560\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2596.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'd03f954c-828b-4c3d-86ac-7d524a736017', dataSource: 'KOK62KHGPA6', es_metadata_id: 'd03f954c-828b-4c3d-86ac-7d524a736017'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:54:43.414Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431851', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52556', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x1979f30', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1840', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tDelegation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x1979F30\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52556\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2596.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '63bcd54a-13af-4faa-a623-37449d8694de', dataSource: 'KOK62KHGPA6', es_metadata_id: '63bcd54a-13af-4faa-a623-37449d8694de'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:54:42.975Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431848', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52555', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x1979ea6', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x1979EA6\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52555\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2596.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '9537f6b0-683e-4196-a708-66a7b6cb9425', dataSource: 'KOK62KHGPA6', es_metadata_id: '9537f6b0-683e-4196-a708-66a7b6cb9425'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:54:42.960Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431845', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52554', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x1979e40', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x1979E40\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52554\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '4ac248c3-a2f2-4afd-8266-671b5467e452', dataSource: 'KOK62KHGPA6', es_metadata_id: '4ac248c3-a2f2-4afd-8266-671b5467e452'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:54:22.089Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431842', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52551', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x19789c0', SubjectUserName: '-', IpAddress: '::1', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x19789C0\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t::1\n\tSource Port:\t\t52551\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'd01486eb-d8a6-4465-9744-7ce6da156d4a', dataSource: 'KOK62KHGPA6', es_metadata_id: 'd01486eb-d8a6-4465-9744-7ce6da156d4a'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:53:42.411Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431838', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52547', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x19768df', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1840', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tDelegation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x19768DF\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52547\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '380904f7-d7c1-4195-9757-6709430568d1', dataSource: 'KOK62KHGPA6', es_metadata_id: '380904f7-d7c1-4195-9757-6709430568d1'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:53:22.072Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431835', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52544', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x19756b4', SubjectUserName: '-', IpAddress: '::1', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x19756B4\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t::1\n\tSource Port:\t\t52544\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '73be6bea-75bc-4212-ae84-586a5025b8bb', dataSource: 'KOK62KHGPA6', es_metadata_id: '73be6bea-75bc-4212-ae84-586a5025b8bb'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:52:41.410Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431832', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52540', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x19734d8', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1840', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tDelegation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x19734D8\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52540\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'e9669886-31cd-4a84-b7c5-9528fbc75e62', dataSource: 'KOK62KHGPA6', es_metadata_id: 'e9669886-31cd-4a84-b7c5-9528fbc75e62'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:52:22.063Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431829', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52538', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x19724b3', SubjectUserName: '-', IpAddress: '::1', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x19724B3\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t::1\n\tSource Port:\t\t52538\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '18645564-f08e-4e40-b578-03aae14dabcb', dataSource: 'KOK62KHGPA6', es_metadata_id: '18645564-f08e-4e40-b578-03aae14dabcb'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:52:19.521Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431824', event_data: {ProcessName: 'C:\\Windows\\System32\\services.exe', LogonGuid: '{00000000-0000-0000-0000-000000000000}', LogonType: '5', IpPort: '-', SubjectLogonId: '0x3e7', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x3e7', SubjectUserName: 'KOK62KHGPA6$', IpAddress: '-', SubjectDomainName: 'UTMSTACK', ImpersonationLevel: '%%1833', ProcessId: '0x25c', TargetUserName: 'SYSTEM', LogonProcessName: 'Advapi ', TargetDomainName: 'NT AUTHORITY', SubjectUserSid: 'S-1-5-18', AuthenticationPackageName: 'Negotiate', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon 
ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x25c\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 3664.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'c8014a27-5130-4067-abc3-13f31b4d44dc', dataSource: 'KOK62KHGPA6', es_metadata_id: 'c8014a27-5130-4067-abc3-13f31b4d44dc'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:52:19.365Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431817', event_data: {ProcessName: 'C:\\Windows\\System32\\services.exe', LogonGuid: '{00000000-0000-0000-0000-000000000000}', LogonType: '5', IpPort: '-', SubjectLogonId: '0x3e7', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x3e7', SubjectUserName: 'KOK62KHGPA6$', IpAddress: '-', SubjectDomainName: 'UTMSTACK', ImpersonationLevel: '%%1833', ProcessId: '0x25c', TargetUserName: 'SYSTEM', LogonProcessName: 'Advapi ', TargetDomainName: 'NT AUTHORITY', SubjectUserSid: 'S-1-5-18', AuthenticationPackageName: 'Negotiate', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon 
ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x25c\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 3664.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'cde7d68a-fff4-4501-a202-e7bcdb893ef4', dataSource: 'KOK62KHGPA6', es_metadata_id: 'cde7d68a-fff4-4501-a202-e7bcdb893ef4'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:52:02.716Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431801', event_data: {ProcessName: '-', LogonGuid: '{25D27D8A-F08C-8574-FB82-A40D416DE1D0}', LogonType: '3', IpPort: '52534', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x196dd2a', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1840', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tDelegation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x196DD2A\n\tLogon 
GUID:\t\t{25D27D8A-F08C-8574-FB82-A40D416DE1D0}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52534\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 4240.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '390fc93c-d652-464b-b5a6-8af375982ee3', dataSource: 'KOK62KHGPA6', es_metadata_id: '390fc93c-d652-464b-b5a6-8af375982ee3'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:52:02.605Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431797', event_data: {ProcessName: '-', LogonGuid: '{25D27D8A-F08C-8574-FB82-A40D416DE1D0}', LogonType: '3', IpPort: '52533', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x196db29', SubjectUserName: '-', IpAddress: '10.28.140.11', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x196DB29\n\tLogon 
GUID:\t\t{25D27D8A-F08C-8574-FB82-A40D416DE1D0}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t10.28.140.11\n\tSource Port:\t\t52533\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'da2119da-83e1-45d1-af09-c0d0d727dada', dataSource: 'KOK62KHGPA6', es_metadata_id: 'da2119da-83e1-45d1-af09-c0d0d727dada'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:52:02.590Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431793', event_data: {ProcessName: '-', LogonGuid: '{25D27D8A-F08C-8574-FB82-A40D416DE1D0}', LogonType: '3', IpPort: '52532', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x196d9ff', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x196D9FF\n\tLogon 
GUID:\t\t{25D27D8A-F08C-8574-FB82-A40D416DE1D0}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52532\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'b0bd49c5-80a6-4651-83a9-84d4f5c4c572', dataSource: 'KOK62KHGPA6', es_metadata_id: 'b0bd49c5-80a6-4651-83a9-84d4f5c4c572'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:52:02.590Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431795', event_data: {ProcessName: '-', LogonGuid: '{25D27D8A-F08C-8574-FB82-A40D416DE1D0}', LogonType: '3', IpPort: '0', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x196dae7', SubjectUserName: '-', IpAddress: '::1', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x196DAE7\n\tLogon 
GUID:\t\t{25D27D8A-F08C-8574-FB82-A40D416DE1D0}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t::1\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 4240.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '77c83499-840a-4c56-885f-e11736a40179', dataSource: 'KOK62KHGPA6', es_metadata_id: '77c83499-840a-4c56-885f-e11736a40179'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:51:40.407Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431790', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52530', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x196c6f9', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1840', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tDelegation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x196C6F9\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52530\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '249781f9-422e-43a8-b8ed-aadfced78f27', dataSource: 'KOK62KHGPA6', es_metadata_id: '249781f9-422e-43a8-b8ed-aadfced78f27'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:51:22.050Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431787', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52527', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x196b704', SubjectUserName: '-', IpAddress: '::1', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x196B704\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t::1\n\tSource Port:\t\t52527\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '03124a93-296c-4fbe-9008-e9d63b21ed0b', dataSource: 'KOK62KHGPA6', es_metadata_id: '03124a93-296c-4fbe-9008-e9d63b21ed0b'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:50:39.392Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431783', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52523', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x19693d5', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1840', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tDelegation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x19693D5\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52523\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '0111be00-70ef-4efd-af0c-a9c763013915', dataSource: 'KOK62KHGPA6', es_metadata_id: '0111be00-70ef-4efd-af0c-a9c763013915'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:50:22.038Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431780', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52521', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x19684d2', SubjectUserName: '-', IpAddress: '::1', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x19684D2\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t::1\n\tSource Port:\t\t52521\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2596.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '20db59b9-6c0b-4bb6-9acf-5729b1744a7e', dataSource: 'KOK62KHGPA6', es_metadata_id: '20db59b9-6c0b-4bb6-9acf-5729b1744a7e'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:50:18.227Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431773', event_data: {ProcessName: 'C:\\Windows\\System32\\services.exe', LogonGuid: '{00000000-0000-0000-0000-000000000000}', LogonType: '5', IpPort: '-', SubjectLogonId: '0x3e7', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x3e7', SubjectUserName: 'KOK62KHGPA6$', IpAddress: '-', SubjectDomainName: 'UTMSTACK', ImpersonationLevel: '%%1833', ProcessId: '0x25c', TargetUserName: 'SYSTEM', LogonProcessName: 'Advapi ', TargetDomainName: 'NT AUTHORITY', SubjectUserSid: 'S-1-5-18', AuthenticationPackageName: 'Negotiate', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon 
ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x25c\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 3152.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'a701a141-e752-4224-98cb-721b6272bc15', dataSource: 'KOK62KHGPA6', es_metadata_id: 'a701a141-e752-4224-98cb-721b6272bc15'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:49:42.662Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431771', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52517', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x1963af8', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x1963AF8\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52517\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2596.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '31391e9c-b734-40d4-982e-1cc84bcbedc6', dataSource: 'KOK62KHGPA6', es_metadata_id: '31391e9c-b734-40d4-982e-1cc84bcbedc6'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:49:42.646Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431768', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52516', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x1963a96', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x1963A96\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52516\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'bbc7db53-880a-4005-ba13-4fc458552006', dataSource: 'KOK62KHGPA6', es_metadata_id: 'bbc7db53-880a-4005-ba13-4fc458552006'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:49:38.380Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431765', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52514', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x196351a', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1840', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tDelegation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x196351A\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52514\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '03711076-3f77-47c3-830c-d3d34fae5805', dataSource: 'KOK62KHGPA6', es_metadata_id: '03711076-3f77-47c3-830c-d3d34fae5805'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:49:23.055Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431762', event_data: {ProcessName: '-', LogonGuid: '{25D27D8A-F08C-8574-FB82-A40D416DE1D0}', LogonType: '3', IpPort: '52511', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x19626cc', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1840', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tDelegation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x19626CC\n\tLogon 
GUID:\t\t{25D27D8A-F08C-8574-FB82-A40D416DE1D0}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52511\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 3664.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'a282dfa2-d472-4b32-86a3-88a2f3d0a6a5', dataSource: 'KOK62KHGPA6', es_metadata_id: 'a282dfa2-d472-4b32-86a3-88a2f3d0a6a5'}, {'@timestamp': '2021-11-07T19:18:32.323Z', logx: {type: 'wineventlog', wineventlog: {process_id: 560.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '54', event_data: {TargetSid: 'S-1-5-21-3647638308-2371132834-3234585743-504', SidHistory: '-', LogonHours: '%%1797', ScriptPath: '%%1793', DisplayName: '%%1793', HomePath: '%%1793', AllowedToDelegateTo: '-', TargetDomainName: 'MINWINPC', PrivilegeList: '-', UserWorkstations: '%%1793', SamAccountName: 'WDAGUtilityAccount', HomeDirectory: '%%1793', OldUacValue: '0x0', UserParameters: '%%1793', NewUacValue: '0x15', SubjectLogonId: '0x3e7', PrimaryGroupId: '513', AccountExpires: '%%1794', ProfilePath: '%%1793', SubjectUserName: 'MINWINPC$', UserAccountControl: '\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084', PasswordLastSet: '%%1794', UserPrincipalName: '-', TargetUserName: 'WDAGUtilityAccount', SubjectUserSid: 'S-1-5-18'}, message: 'A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tMINWINPC$\n\tAccount Domain:\t\t\n\tLogon ID:\t\t0x3E7\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-3647638308-2371132834-3234585743-504\n\tAccount 
Name:\t\tWDAGUtilityAccount\n\tAccount Domain:\t\tMINWINPC\n\nAttributes:\n\tSAM Account Name:\tWDAGUtilityAccount\n\tDisplay Name:\t\t\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\n\tHome Drive:\t\t\n\tScript Path:\t\t\n\tProfile Path:\t\t\n\tUser Workstations:\t\n\tPassword Last Set:\t\n\tAccount Expires:\t\t\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t\'Password Not Required\' - Enabled\n\t\t\'Normal Account\' - Enabled\n\tUser Parameters:\t\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-', opcode: 'Info', tags: ['beats_input_codec_plain_applied'], thread_id: 564.0, event_id: 4720.0, task: 'User Account Management', provider_guid: '{54849625-5478-4994-a5ba-3e3b0328c30d}', activity_id: '{440d5227-c130-0000-d654-0d4430c1d701}', beat: {hostname: 'WIN-A25THL0M2FV', name: 'WIN-A25THL0M2FV', version: '6.7.0'}, host: {os: {build: '17763.737', name: 'Windows Server 2019 Datacenter Evaluation', family: 'windows', version: '10.0', platform: 'windows'}, name: 'WIN-A25THL0M2FV', id: '049e6ce3-701d-4b71-8800-20f898d12be9', architecture: 'x86_64'}, event_name: 'A user account was created', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '32eac8da-ced6-403b-9f9a-3166bb314a45', dataSource: 'WIN-A25THL0M2FV', es_metadata_id: '32eac8da-ced6-403b-9f9a-3166bb314a45'}, {'@timestamp': '2021-11-07T17:33:44.230Z', logx: {type: 'wineventlog', wineventlog: {process_id: 536.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1276', event_data: {TargetSid: 'S-1-5-21-304306559-1031592495-3937790709-504', SidHistory: '-', LogonHours: '%%1797', ScriptPath: '%%1793', DisplayName: '%%1793', HomePath: '%%1793', SubjectDomainName: 'NT AUTHORITY', AllowedToDelegateTo: '-', TargetDomainName: 'WIN-A25THL0M2FV', 
PrivilegeList: '-', UserWorkstations: '%%1793', SamAccountName: 'WDAGUtilityAccount', HomeDirectory: '%%1793', OldUacValue: '0x0', UserParameters: '%%1793', NewUacValue: '0x15', SubjectLogonId: '0x3e6', PrimaryGroupId: '513', AccountExpires: '%%1794', ProfilePath: '%%1793', SubjectUserName: 'ANONYMOUS LOGON', UserAccountControl: '\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084', PasswordLastSet: '%%1794', UserPrincipalName: '-', TargetUserName: 'WDAGUtilityAccount', SubjectUserSid: 'S-1-5-7'}, message: 'A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-7\n\tAccount Name:\t\tANONYMOUS LOGON\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E6\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-304306559-1031592495-3937790709-504\n\tAccount Name:\t\tWDAGUtilityAccount\n\tAccount Domain:\t\tWIN-A25THL0M2FV\n\nAttributes:\n\tSAM Account Name:\tWDAGUtilityAccount\n\tDisplay Name:\t\t\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\n\tHome Drive:\t\t\n\tScript Path:\t\t\n\tProfile Path:\t\t\n\tUser Workstations:\t\n\tPassword Last Set:\t\n\tAccount Expires:\t\t\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t\'Password Not Required\' - Enabled\n\t\t\'Normal Account\' - Enabled\n\tUser Parameters:\t\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-', opcode: 'Info', tags: ['beats_input_codec_plain_applied'], thread_id: 540.0, event_id: 4720.0, task: 'User Account Management', provider_guid: '{54849625-5478-4994-a5ba-3e3b0328c30d}', beat: {hostname: 'WIN-A25THL0M2FV', name: 'WIN-A25THL0M2FV', version: '6.7.0'}, host: {os: {build: '17763.737', name: 'Windows Server 2019 Datacenter Evaluation', family: 'windows', version: '10.0', platform: 'windows'}, name: 'WIN-A25THL0M2FV', id: '049e6ce3-701d-4b71-8800-20f898d12be9', architecture: 'x86_64'}, event_name: 'A user account was created', source_name: 
'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '1bcde695-3d2a-44a1-bbc9-6c637d01646f', dataSource: 'WIN-A25THL0M2FV.utmstack.local', es_metadata_id: '1bcde695-3d2a-44a1-bbc9-6c637d01646f'}, {'@timestamp': '2021-11-07T17:33:44.096Z', logx: {type: 'wineventlog', wineventlog: {process_id: 536.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1219', event_data: {TargetSid: 'S-1-5-21-3647638308-2371132834-3234585743-502', SidHistory: '-', LogonHours: '%%1793', ScriptPath: '%%1793', DisplayName: '%%1793', HomePath: '%%1793', SubjectDomainName: 'NT AUTHORITY', AllowedToDelegateTo: '-', TargetDomainName: 'UTMSTACK', PrivilegeList: '-', UserWorkstations: '%%1793', SamAccountName: 'krbtgt', HomeDirectory: '%%1793', OldUacValue: '0x0', UserParameters: '%%1792', NewUacValue: '0x15', SubjectLogonId: '0x3e6', PrimaryGroupId: '513', AccountExpires: '%%1794', ProfilePath: '%%1793', SubjectUserName: 'ANONYMOUS LOGON', UserAccountControl: '\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084', PasswordLastSet: '%%1794', UserPrincipalName: '-', TargetUserName: 'krbtgt', SubjectUserSid: 'S-1-5-7'}, message: 'A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-7\n\tAccount Name:\t\tANONYMOUS LOGON\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E6\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-3647638308-2371132834-3234585743-502\n\tAccount Name:\t\tkrbtgt\n\tAccount Domain:\t\tUTMSTACK\n\nAttributes:\n\tSAM Account Name:\tkrbtgt\n\tDisplay Name:\t\t\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\n\tHome Drive:\t\t\n\tScript Path:\t\t\n\tProfile Path:\t\t\n\tUser Workstations:\t\n\tPassword Last Set:\t\n\tAccount Expires:\t\t\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t\'Password Not Required\' - Enabled\n\t\t\'Normal Account\' - Enabled\n\tUser 
Parameters:\t\n\tSID History:\t\t-\n\tLogon Hours:\t\t\n\nAdditional Information:\n\tPrivileges\t\t-', opcode: 'Info', tags: ['beats_input_codec_plain_applied'], thread_id: 540.0, event_id: 4720.0, task: 'User Account Management', provider_guid: '{54849625-5478-4994-a5ba-3e3b0328c30d}', beat: {hostname: 'WIN-A25THL0M2FV', name: 'WIN-A25THL0M2FV', version: '6.7.0'}, host: {os: {build: '17763.737', name: 'Windows Server 2019 Datacenter Evaluation', family: 'windows', version: '10.0', platform: 'windows'}, name: 'WIN-A25THL0M2FV', id: '049e6ce3-701d-4b71-8800-20f898d12be9', architecture: 'x86_64'}, event_name: 'A user account was created', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '79a19537-b0e7-438c-8925-147f7b3b2c00', dataSource: 'WIN-A25THL0M2FV.utmstack.local', es_metadata_id: '79a19537-b0e7-438c-8925-147f7b3b2c00'}, {'@timestamp': '2021-10-14T22:27:25.943Z', '@version': '1', computer_name: 'KOK62KHGPA6.utmstack.demo', dataSource: 'KOK62KHGPA6', dataType: 'wineventlog', global: {type: 'logx'}, id: 'adf84ed0-6957-4031-ad2f-6c1b43f42c5c', logx: {type: 'wineventlog', wineventlog: {beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, event_data: {AccountExpires: '%%1794', AllowedToDelegateTo: '-', DisplayName: 'Gouresh K', HomeDirectory: '-', HomePath: '-', LogonHours: '%%1793', NewUacValue: '0x15', OldUacValue: '0x0', PasswordLastSet: '%%1794', PrimaryGroupId: '513', PrivilegeList: '-', ProfilePath: '-', SamAccountName: 'gouresh', ScriptPath: '-', SidHistory: '-', SubjectDomainName: 'UTMSTACK', SubjectLogonId: '0x85abbf7', SubjectUserName: 'Administrator', SubjectUserSid: 'S-1-5-21-2132650514-2599053231-678728588-500', TargetDomainName: 'UTMSTACK', TargetSid: 'S-1-5-21-2132650514-2599053231-678728588-3730', TargetUserName: 'gouresh', UserAccountControl: '\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084', UserParameters: '-', UserPrincipalName: 'gouresh@utmstack.demo', UserWorkstations: '-'}, 
event_id: 4720.0, event_name: 'A user account was created', host: {architecture: 'x86_64', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', name: 'KOK62KHGPA6', os: {build: '9600.0', family: 'windows', name: 'Windows Server 2012 R2 Datacenter Evaluation', platform: 'windows', version: '6.3'}}, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', message: 'A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2132650514-2599053231-678728588-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x85ABBF7\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-2132650514-2599053231-678728588-3730\n\tAccount Name:\t\tgouresh\n\tAccount Domain:\t\tUTMSTACK\n\nAttributes:\n\tSAM Account Name:\tgouresh\n\tDisplay Name:\t\tGouresh K\n\tUser Principal Name:\tgouresh@utmstack.demo\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t\n\tAccount Expires:\t\t\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t\'Password Not Required\' - Enabled\n\t\t\'Normal Account\' - Enabled\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t\n\nAdditional Information:\n\tPrivileges\t\t-', opcode: 'Info', process_id: 604.0, provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', record_number: '1408110', source_name: 'Microsoft-Windows-Security-Auditing', tags: ['beats_input_codec_plain_applied'], task: 'User Account Management', thread_id: 2184.0}}, es_metadata_id: 'adf84ed0-6957-4031-ad2f-6c1b43f42c5c'}, {'@timestamp': '2021-10-14T18:54:05.449Z', '@version': '1', computer_name: 'KOK62KHGPA6.utmstack.demo', dataSource: 'KOK62KHGPA6', dataType: 'wineventlog', global: {type: 'logx'}, id: '6e94be72-d134-41f4-9354-560c8825fcca', logx: {type: 'wineventlog', wineventlog: {beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, event_data: 
{AccountExpires: '%%1794', AllowedToDelegateTo: '-', DisplayName: 'Harry Potter', HomeDirectory: '-', HomePath: '-', LogonHours: '%%1793', NewUacValue: '0x15', OldUacValue: '0x0', PasswordLastSet: '%%1794', PrimaryGroupId: '513', PrivilegeList: '-', ProfilePath: '-', SamAccountName: 'Harry', ScriptPath: '-', SidHistory: '-', SubjectDomainName: 'UTMSTACK', SubjectLogonId: '0x85abbf7', SubjectUserName: 'Administrator', SubjectUserSid: 'S-1-5-21-2132650514-2599053231-678728588-500', TargetDomainName: 'UTMSTACK', TargetSid: 'S-1-5-21-2132650514-2599053231-678728588-3731', TargetUserName: 'Harry', UserAccountControl: '\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084', UserParameters: '-', UserPrincipalName: 'Harry@utmstack.demo', UserWorkstations: '-'}, event_id: 4720.0, event_name: 'A user account was created', host: {architecture: 'x86_64', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', name: 'KOK62KHGPA6', os: {build: '9600.0', family: 'windows', name: 'Windows Server 2012 R2 Datacenter Evaluation', platform: 'windows', version: '6.3'}}, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', message: 'A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2132650514-2599053231-678728588-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x85ABBF7\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-2132650514-2599053231-678728588-3731\n\tAccount Name:\t\tHarry\n\tAccount Domain:\t\tUTMSTACK\n\nAttributes:\n\tSAM Account Name:\tHarry\n\tDisplay Name:\t\tHarry Potter\n\tUser Principal Name:\tHarry@utmstack.demo\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t\n\tAccount Expires:\t\t\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t\'Password Not Required\' - Enabled\n\t\t\'Normal Account\' - Enabled\n\tUser Parameters:\t-\n\tSID 
History:\t\t-\n\tLogon Hours:\t\t\n\nAdditional Information:\n\tPrivileges\t\t-', opcode: 'Info', process_id: 604.0, provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', record_number: '1408545', source_name: 'Microsoft-Windows-Security-Auditing', tags: ['beats_input_codec_plain_applied'], task: 'User Account Management', thread_id: 1796.0}}, es_metadata_id: '6e94be72-d134-41f4-9354-560c8825fcca'}, {'@timestamp': '2021-10-08T17:06:54.425Z', '@version': '1', computer_name: 'KOK62KHGPA6.utmstack.demo', dataSource: 'KOK62KHGPA6', dataType: 'wineventlog', global: {type: 'logx'}, id: '84d0088d-b29c-4a27-bb37-2ece8f9e73ed', logx: {type: 'wineventlog', wineventlog: {beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, event_data: {AccountExpires: '%%1794', AllowedToDelegateTo: '-', DisplayName: 'test', HomeDirectory: '-', HomePath: '-', LogonHours: '%%1793', NewUacValue: '0x11', OldUacValue: '0x0', PasswordLastSet: '%%1794', PrimaryGroupId: '513', PrivilegeList: '-', ProfilePath: '-', SamAccountName: 'test', ScriptPath: '-', SidHistory: '-', SubjectDomainName: 'UTMSTACK', SubjectLogonId: '0x4ac61', SubjectUserName: 'Administrator', SubjectUserSid: 'S-1-5-21-2132650514-2599053231-678728588-500', TargetDomainName: 'UTMSTACK', TargetSid: 'S-1-5-21-2132650514-2599053231-678728588-3729', TargetUserName: 'test', UserAccountControl: '\n\t\t%%2080\n\t\t%%2084', UserParameters: '-', UserPrincipalName: '-', UserWorkstations: '-'}, event_id: 4720.0, event_name: 'A user account was created', host: {architecture: 'x86_64', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', name: 'KOK62KHGPA6', os: {build: '9600.0', family: 'windows', name: 'Windows Server 2012 R2 Datacenter Evaluation', platform: 'windows', version: '6.3'}}, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', message: 'A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2132650514-2599053231-678728588-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tUTMSTACK\n\tLogon 
ID:\t\t0x4AC61\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-2132650514-2599053231-678728588-3729\n\tAccount Name:\t\ttest\n\tAccount Domain:\t\tUTMSTACK\n\nAttributes:\n\tSAM Account Name:\ttest\n\tDisplay Name:\t\ttest\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t\n\tAccount Expires:\t\t\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x11\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t\'Normal Account\' - Enabled\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t\n\nAdditional Information:\n\tPrivileges\t\t-', opcode: 'Info', process_id: 604.0, provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', record_number: '1276349', source_name: 'Microsoft-Windows-Security-Auditing', tags: ['beats_input_codec_plain_applied'], task: 'User Account Management', thread_id: 1284.0}}, es_metadata_id: '84d0088d-b29c-4a27-bb37-2ece8f9e73ed'}]; diff --git a/frontend/src/app/app.component.html b/frontend/src/app/app.component.html index 44db67ba0..64c4268f1 100644 --- a/frontend/src/app/app.component.html +++ b/frontend/src/app/app.component.html @@ -97,18 +97,6 @@

Getting alert detail

- -

Creating pdf, please wait

-
-
diff --git a/frontend/src/app/app.component.ts b/frontend/src/app/app.component.ts index c0b2c976d..a030c473c 100644 --- a/frontend/src/app/app.component.ts +++ b/frontend/src/app/app.component.ts @@ -1,5 +1,5 @@ import {Component, HostListener, OnInit, Renderer2} from '@angular/core'; -import {ActivatedRoute, NavigationEnd, Router} from '@angular/router'; +import {NavigationEnd, Router} from '@angular/router'; import {TranslateService} from '@ngx-translate/core'; import {NgxSpinnerService} from 'ngx-spinner'; import {UtmToastService} from './shared/alert/utm-toast.service'; @@ -12,8 +12,6 @@ import {UtmAppThemeService} from './shared/services/theme/utm-app-theme.service' import {retry} from "rxjs/operators"; import {ApiServiceCheckerService} from "./core/auth/api-checker-service"; import {TimezoneFormatService} from "./shared/services/utm-timezone.service"; -import {parseQueryParamsToFilter} from "./shared/util/query-params-to-filter.util"; -import {LoginService} from "./core/login/login.service"; @Component({ selector: 'app-root', @@ -40,9 +38,7 @@ export class AppComponent implements OnInit { private utmToastService: UtmToastService, private router: Router, private renderer: Renderer2, private apiServiceCheckerService: ApiServiceCheckerService, - private timezoneFormatService: TimezoneFormatService, - private activatedRoute: ActivatedRoute, - private loginService: LoginService) { + private timezoneFormatService: TimezoneFormatService) { this.translate.setDefaultLang('en'); this.menuBehavior.$menu.subscribe(men => { this.menu = men; diff --git a/frontend/src/app/app.constants.ts b/frontend/src/app/app.constants.ts index 21c5c3afa..7495cf977 100644 --- a/frontend/src/app/app.constants.ts +++ b/frontend/src/app/app.constants.ts 
@@ -13,4 +13,3 @@ export const SERVER_API_URL = environment.SERVER_API_URL + environment.SERVER_AP export const SERVER_API_CONTEXT = environment.SERVER_API_CONTEXT; export const WS_SERVER_API_URL = environment.WEBSOCKET_URL; export const BUILD_TIMESTAMP = environment.BUILD_TIMESTAMP; -export const ACCESS_KEY = 'Utm-Internal-Key'; diff --git a/frontend/src/app/assets-discover/shared/enums/asset-map-filter-field.enum.ts b/frontend/src/app/assets-discover/shared/enums/asset-map-filter-field.enum.ts index 080a49b14..5613c665f 100644 --- a/frontend/src/app/assets-discover/shared/enums/asset-map-filter-field.enum.ts +++ b/frontend/src/app/assets-discover/shared/enums/asset-map-filter-field.enum.ts @@ -1,5 +1,5 @@ /** - * Map filter with field + * Map filter with field, blame to leo to put another name on generic filter prop request param */ export enum AssetMapFilterFieldEnum { OS = 'os', diff --git a/frontend/src/app/blocks/interceptor/auth.interceptor.ts b/frontend/src/app/blocks/interceptor/auth.interceptor.ts index 65c7b11f5..2c85ca4fc 100644 --- a/frontend/src/app/blocks/interceptor/auth.interceptor.ts +++ b/frontend/src/app/blocks/interceptor/auth.interceptor.ts @@ -4,7 +4,7 @@ import {LocalStorageService, SessionStorageService} from 'ngx-webstorage'; import {Observable} from 'rxjs'; -import {ACCESS_KEY, SERVER_API_URL, SESSION_AUTH_TOKEN} from '../../app.constants'; +import {SERVER_API_URL, SESSION_AUTH_TOKEN} from '../../app.constants'; @Injectable() export class AuthInterceptor implements HttpInterceptor { 
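Review bot: The enum's doc comment on the new side reads `Map filter with field, blame to leo to put another name on generic filter prop request param`, which names a colleague and says nothing a reader of `AssetMapFilterFieldEnum` can act on. Keep the comment about the code, e.g. `/** Map filter with field; note the request param uses a different name than the generic filter prop. */`, and leave attribution to `git blame`.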
@@ -19,11 +19,8 @@ export class AuthInterceptor implements HttpInterceptor {
 const sessionToken = this.sessionStorage.retrieve(SESSION_AUTH_TOKEN);
 const localStorageToken = this.localStorage.retrieve(SESSION_AUTH_TOKEN);
 const token = sessionToken || localStorageToken;
-
- const sessionKey = this.sessionStorage.retrieve(ACCESS_KEY);
- const localStorageKey = this.localStorage.retrieve(ACCESS_KEY);
- const key = sessionKey || localStorageKey;
-
+ // const token = this.localStorage.retrieve(SESSION_AUTH_TOKEN);
+ // console.log(localStorageToken);
 if (!!token) {
 request = request.clone({
 setHeaders: {
@@ -31,14 +28,6 @@ export class AuthInterceptor implements HttpInterceptor {
 }
 });
 }
-
- if (!!key) {
- request = request.clone({
- setHeaders: {
- 'Utm-Internal-Key': key
- }
- });
- }
 return next.handle(request);
 }
 }
diff --git a/frontend/src/app/compliance/compliance-result-view/compliance-result-view.component.html b/frontend/src/app/compliance/compliance-result-view/compliance-result-view.component.html
index f9fe94e34..a200c4c16 100644
--- a/frontend/src/app/compliance/compliance-result-view/compliance-result-view.component.html
+++ b/frontend/src/app/compliance/compliance-result-view/compliance-result-view.component.html
@@ -30,7 +30,8 @@
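Review bot: The new side parks `// console.log(localStorageToken);` and `// const token = this.localStorage.retrieve(SESSION_AUTH_TOKEN);` just above the `if (!!token)` block; the first is one uncomment away from dumping the session bearer token into the browser console (and into any console-capturing telemetry), so delete both lines instead of leaving them as dead code. Removing the `Utm-Internal-Key` header and the `ACCESS_KEY` reads from session/local storage is the right direction, since a key meant for internal calls should not be readable by page scripts; if any login path still writes that key into web storage, it is now orphaned data and should be removed on the same path (not visible in this hunk). Note that `token` still falls back to `localStorage`, which persists across browser restarts and is readable by any script running on the origin; that is pre-existing, but a comment such as `// NOTE: localStorage fallback keeps the token readable by any script on the origin; prefer sessionStorage` would record the trade-off for the next reader.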
Back - {{pdfExport ? 'Generating...' : 'Save to PDF'}} diff --git a/frontend/src/app/compliance/compliance-result-view/compliance-result-view.component.ts b/frontend/src/app/compliance/compliance-result-view/compliance-result-view.component.ts index ae1fe26db..8a7fb4954 100644 --- a/frontend/src/app/compliance/compliance-result-view/compliance-result-view.component.ts +++ b/frontend/src/app/compliance/compliance-result-view/compliance-result-view.component.ts @@ -1,4 +1,4 @@ -import {Component, OnDestroy, OnInit} from '@angular/core'; +import {Component, OnInit} from '@angular/core'; import {ActivatedRoute} from '@angular/router'; import {NgbModal} from '@ng-bootstrap/ng-bootstrap'; import {CompactType, GridsterConfig, GridType} from 'angular-gridster2'; 
@@ -13,21 +13,13 @@ import {ComplianceTemplateService} from '../shared/services/compliance-template. import {CpReportsService} from '../shared/services/cp-reports.service'; import {ComplianceReportType} from '../shared/type/compliance-report.type'; import {HippaSignaturesType} from '../shared/type/hippa-signatures.type'; -import {ExportPdfService} from '../../shared/services/util/export-pdf.service'; -import {filtersToStringParam} from '../../shared/util/query-params-to-filter.util'; -import {rebuildVisualizationFilterTime} from '../../graphic-builder/shared/util/chart-filter/chart-filter.util'; -import {TimeFilterBehavior} from '../../shared/behaviors/time-filter.behavior'; -import {ElasticFilterType} from '../../shared/types/filter/elastic-filter.type'; -import {NgxSpinnerService} from 'ngx-spinner'; -import {Subject} from 'rxjs'; -import {takeUntil} from 'rxjs/operators'; @Component({ selector: 'app-compliance-result-view', templateUrl: './compliance-result-view.component.html', styleUrls: ['./compliance-result-view.component.scss'] }) -export class ComplianceResultViewComponent implements OnInit, OnDestroy { +export class ComplianceResultViewComponent implements OnInit { reportId: number; report: ComplianceReportType; signatures: HippaSignaturesType[] = []; @@ -64,8 +56,6 @@ export class ComplianceResultViewComponent implements OnInit, OnDestroy { standardId: number; sectionId: number; configSolution: string; - filtersValues: ElasticFilterType[] = []; - destroy$: Subject = new Subject(); constructor(private activeRoute: ActivatedRoute, private cpReportsService: CpReportsService, 
@@ -73,10 +63,7 @@ export class ComplianceResultViewComponent implements OnInit, OnDestroy { private utmToastService: UtmToastService, private modalService: NgbModal, private complianceTemplateService: ComplianceTemplateService, - private utmRenderVisualization: UtmRenderVisualization, - private timeFilterBehavior: TimeFilterBehavior, - private spinner: NgxSpinnerService, - private exportPdfService: ExportPdfService) { + private utmRenderVisualization: UtmRenderVisualization) { this.activeRoute.queryParams.subscribe((params) => { this.reportId = params[ComplianceParamsEnum.TEMPLATE]; @@ -87,16 +74,6 @@ export class ComplianceResultViewComponent implements OnInit, OnDestroy { ngOnInit() { this.getTemplate(); - - this.timeFilterBehavior.$time - .pipe(takeUntil(this.destroy$)) - .subscribe(time => { - if (time) { - rebuildVisualizationFilterTime({timeFrom: time.from, timeTo: time.to}, this.filtersValues).then(filters => { - this.filtersValues = filters; - }); - } - }); } /** 
@@ -126,27 +103,12 @@ export class ComplianceResultViewComponent implements OnInit, OnDestroy {
 });
 }
 }
- exportToPdf() {
- filtersToStringParam(this.filtersValues).then(queryParams => {
- this.spinner.show('buildPrintPDF');
- const params = queryParams !== '' ? '?' + queryParams : '';
- const url = '/dashboard/export-compliance/' + this.reportId + params;
- const fileName = this.report.associatedDashboard.name.replace(/ /g, '_');
- this.exportPdfService.getPdf(url, fileName, 'PDF_TYPE_TOKEN').subscribe(response => {
- this.spinner.hide('buildPrintPDF').then(() =>
- this.exportPdfService.handlePdfResponse(response));
- }, error => {
- this.spinner.hide('buildPrintPDF').then(() =>
- this.utmToastService.showError('Error', 'An error occurred while creating a PDF.'));
- });
- });
+
+ get exportToPdf() {
+ return '/dashboard/export-compliance/' + this.reportId;
 }
+
 viewSolution(solution: string): void {
 this.configSolution = solution;
 }
-
- ngOnDestroy() {
- this.destroy$.next();
- this.destroy$.complete();
- }
 }
diff --git a/frontend/src/app/compliance/compliance-routing.module.ts b/frontend/src/app/compliance/compliance-routing.module.ts
index eee4c3646..84674b9d3 100644
--- a/frontend/src/app/compliance/compliance-routing.module.ts
+++ b/frontend/src/app/compliance/compliance-routing.module.ts
@@ -5,7 +5,6 @@ import {ADMIN_ROLE, USER_ROLE} from '../shared/constants/global.constant'; import {ComplianceCustomViewComponent} from './compliance-custom-view/compliance-custom-view.component'; import {CpStandardManagementComponent} from './compliance-management/cp-standard-management/cp-standard-management.component'; import {ComplianceResultViewComponent} from './compliance-result-view/compliance-result-view.component'; -import {ComplianceScheduleComponent} from './compliance-schedule/compliance-schedule.component'; import {ComplianceTemplatesComponent} from './compliance-templates/compliance-templates.component'; const routes: Routes = [
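Review bot: The new `get exportToPdf()` concatenates `this.reportId` straight into the path; an earlier hunk of this file shows it is assigned from `params[ComplianceParamsEnum.TEMPLATE]`, i.e. a query-string value that arrives as a string, so a crafted value containing `/`, `?` or `#` changes which URL the export targets. Encode it: `return '/dashboard/export-compliance/' + encodeURIComponent(String(this.reportId));`. The removed method fetched the PDF through `exportPdfService.getPdf(url, fileName, 'PDF_TYPE_TOKEN')`, an HttpClient call that the auth interceptor decorates with the session token; a getter that only returns a URL is presumably bound as a plain link in the template, and a link navigation does not pass through HttpClient interceptors, so confirm how the export endpoint authenticates such requests before shipping this. The getter also has no doc comment; `/** Relative URL of the PDF export endpoint for the currently loaded compliance report. */` would do.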
@@ -33,11 +32,6 @@ const routes: Routes = [ component: CpStandardManagementComponent, data: {authorities: [ADMIN_ROLE]} }, - { - path: 'schedule', - component: ComplianceScheduleComponent, - data: {authorities: [ADMIN_ROLE]} - }, ]; @NgModule({ diff --git a/frontend/src/app/compliance/compliance-schedule/compliance-schedule.component.html b/frontend/src/app/compliance/compliance-schedule/compliance-schedule.component.html deleted file mode 100644 index 42af537a7..000000000 --- a/frontend/src/app/compliance/compliance-schedule/compliance-schedule.component.html +++ /dev/null @@ -1,107 +0,0 @@ -
-
-
Schedules
-
- -
-
-
-
-
-
- - -
-
- - - - - - - - - - - - - - - - - - - - - - - - - -
- Name  - - Schedule  - - Filters  - - Action  -
- - {{ schedule.compliance.associatedDashboard.name}} - - - - {{ getCronExpression(schedule.scheduleString) }} - - - - -
- - - -
-
- -
-
- - -
-
-
-
-
- - -
-
-
-
-
-
diff --git a/frontend/src/app/compliance/compliance-schedule/compliance-schedule.component.scss b/frontend/src/app/compliance/compliance-schedule/compliance-schedule.component.scss deleted file mode 100644 index e69de29bb..000000000 diff --git a/frontend/src/app/compliance/compliance-schedule/compliance-schedule.component.ts b/frontend/src/app/compliance/compliance-schedule/compliance-schedule.component.ts deleted file mode 100644 index 5e83886ec..000000000 --- a/frontend/src/app/compliance/compliance-schedule/compliance-schedule.component.ts +++ /dev/null 
@@ -1,167 +0,0 @@ -import {Component, OnDestroy, OnInit} from '@angular/core'; - -import {NgbModal} from '@ng-bootstrap/ng-bootstrap'; -import {Observable, of, Subject} from 'rxjs'; -import {catchError, map, takeUntil, tap} from 'rxjs/operators'; -import {EventDataTypeEnum} from '../../data-management/alert-management/shared/enums/event-data-type.enum'; -import {UtmToastService} from '../../shared/alert/utm-toast.service'; -import {ADMIN_ROLE} from '../../shared/constants/global.constant'; -import {ITEMS_PER_PAGE} from '../../shared/constants/pagination.constants'; -import {SortEvent} from '../../shared/directives/sortable/type/sort-event'; -import {ElasticFilterType} from '../../shared/types/filter/elastic-filter.type'; -import {CpReportBehavior} from '../shared/behavior/cp-report.behavior'; -import {CpStandardBehavior} from '../shared/behavior/cp-standard.behavior'; -import { - UtmComplianceScheduleCreateComponent -} from '../shared/components/utm-compliance-schedule-create/utm-compliance-schedule-create.component'; -import { - UtmComplianceScheduleDeleteComponent -} from '../shared/components/utm-compliance-schedule-delete/utm-compliance-schedule-delete.component'; -import {ComplianceScheduleService} from '../shared/services/compliance-schedule.service'; -import {ComplianceScheduleFilterType} from '../shared/type/compliance-schedule-filter.type'; -import {ComplianceScheduleType} from '../shared/type/compliance-schedule.type'; -import {ComplianceStandardType} from '../shared/type/compliance-standard.type'; -import {CronDescriptionGeneratorService} from "../shared/services/cron-description-generator.service"; - - -@Component({ - selector: 'app-compliance-schedule', - templateUrl: './compliance-schedule.component.html', - styleUrls: ['./compliance-schedule.component.scss'] -}) -export class ComplianceScheduleComponent implements OnInit, OnDestroy { - standard: ComplianceStandardType; - admin = ADMIN_ROLE; - protected readonly ITEMS_PER_PAGE = ITEMS_PER_PAGE; - 
private requestParams: any; - private sortBy: SortEvent; - searching: any; - checkbox: any; - schedules: any[] = []; - loading = false; - totalItems: any; - page = 1; - itemsPerPage = ITEMS_PER_PAGE; - selected: number[] = []; - protected readonly EventDataTypeEnum = EventDataTypeEnum; - schedules$: Observable; - destroy$: Subject = new Subject(); - - constructor(private modalService: NgbModal, - private cpStandardBehavior: CpStandardBehavior, - private utmToastService: UtmToastService, - private cpReportBehavior: CpReportBehavior, - private complianceScheduleService: ComplianceScheduleService, - private cronDescriptionGeneratorService: CronDescriptionGeneratorService) { - } - - ngOnInit() { - this.requestParams = { - page: this.page - 1, - size: this.itemsPerPage, - sort: this.sortBy, - }; - this.getComplianceScheduleList(); - - this.cpReportBehavior.$reportUpdate - .pipe(takeUntil(this.destroy$)) - .subscribe(update => { - if (update) { - this.getComplianceScheduleList(); - } - }); - } - - newCompliance() { - this.modalService.open(UtmComplianceScheduleCreateComponent, { - centered: true, - size: 'lg', - windowClass: 'cp-schedule-report' - }); - } - - onSearch($event: string | number) { - this.searching = true; - - this.requestParams.page = 0; - this.requestParams['name.contains'] = $event; - this.getComplianceScheduleList(); - } - - getComplianceScheduleList() { - this.loading = true; - this.schedules$ = this.complianceScheduleService.query(this.requestParams) - .pipe( - tap((res) => { - this.totalItems = res.headers.get('X-Total-Count'); - this.schedules = res.body; - this.searching = false; - this.loading = false; - }), - map(response => response.body), - catchError(() => { - this.utmToastService.showError('Error', '"An error occurred while loading report schedules'); - return of([]); - } - )); - } - - loadPage(page: any) { - this.requestParams.page = page - 1; - this.getComplianceScheduleList(); - } - - private onError(res: any) { - 
this.utmToastService.showErrorResponse('Error', res); - } - - addToSelected(dashboard: any) { - } - - isSelected(schedule: any) { - return false; - } - - viewSchedule(schedule: any) { - } - - editSchedule(schedule: any) { - const modal = this.modalService.open(UtmComplianceScheduleCreateComponent, { - centered: true, - size: 'lg', - windowClass: 'cp-schedule-report' - }); - modal.componentInstance.report = schedule; - modal.componentInstance.reportUpdated.subscribe(updated => { - this.getComplianceScheduleList(); - }); - } - - deleteSchedule(schedule: any) { - const modal = this.modalService.open(UtmComplianceScheduleDeleteComponent, {centered: true}); - modal.componentInstance.complianceSchedule = schedule; - modal.componentInstance.complianceScheduleDeleted.subscribe(deleted => { - this.getComplianceScheduleList(); - }); - } - - getAllFilters(filters: ComplianceScheduleFilterType[]): ElasticFilterType[] { - return filters.reduce((allFilters: ElasticFilterType[], currentDef) => { - return allFilters.concat(currentDef.filterType); - }, []); - } - - getCronExpression(cron: string){ - return this.cronDescriptionGeneratorService.getDescription(cron); - } - - onSort($event: SortEvent) { - this.requestParams.sort = $event.column + ',' + $event.direction; - this.getComplianceScheduleList(); - } - - ngOnDestroy() { - this.destroy$.next(); - this.destroy$.complete(); - } -} diff --git a/frontend/src/app/compliance/compliance.module.ts b/frontend/src/app/compliance/compliance.module.ts index 7b1797c64..2a01e6c10 100644 --- a/frontend/src/app/compliance/compliance.module.ts +++ b/frontend/src/app/compliance/compliance.module.ts 
@@ -18,12 +18,6 @@ import {ComplianceRoutingModule} from './compliance-routing.module'; import {ComplianceResultParamsComponent} from './compliance-templates/compliance-result-params/compliance-result-params.component'; import {ComplianceTemplatesComponent} from './compliance-templates/compliance-templates.component'; import {ComplianceSharedModule} from './shared/compliance-shared.module'; -import {ComplianceScheduleComponent} from "./compliance-schedule/compliance-schedule.component"; -import { - DashboardFilterCreateComponent -} from "../graphic-builder/dashboard-builder/dashboard-filter-create/dashboard-filter-create.component"; -import {DashboardBuilderModule} from "../graphic-builder/dashboard-builder/dashboard-builder.module"; -import {AlertManagementSharedModule} from "../data-management/alert-management/shared/alert-management-shared.module"; @NgModule({ declarations: [ 
@@ -31,31 +25,27 @@ import {AlertManagementSharedModule} from "../data-management/alert-management/s
 ComplianceTemplatesComponent,
 ComplianceResultParamsComponent,
 ComplianceCustomViewComponent,
- ComplianceScheduleComponent
 ],
- imports: [
- CommonModule,
- ComplianceRoutingModule,
- RouterModule,
- UtmSharedModule,
- InfiniteScrollModule,
- NgSelectModule,
- FormsModule,
- LogAnalyzerModule,
- NgbModule,
- VisualizationSharedModule,
- GraphicBuilderSharedModule,
- ComplianceManagementModule,
- ComplianceSharedModule,
- UtmDashboardSharedModule,
- DashboardBuilderModule,
- NgbCollapseModule,
- AlertManagementSharedModule
- ],
+ imports: [
+ CommonModule,
+ ComplianceRoutingModule,
+ RouterModule,
+ UtmSharedModule,
+ InfiniteScrollModule,
+ NgSelectModule,
+ FormsModule,
+ LogAnalyzerModule,
+ NgbModule,
+ VisualizationSharedModule,
+ GraphicBuilderSharedModule,
+ ComplianceManagementModule,
+ ComplianceSharedModule,
+ UtmDashboardSharedModule,
+ NgbCollapseModule
+ ],
 schemas: [NO_ERRORS_SCHEMA, CUSTOM_ELEMENTS_SCHEMA],
 entryComponents: [
- ComplianceResultParamsComponent,
- DashboardFilterCreateComponent],
+ ComplianceResultParamsComponent],
 exports: []
 })
 export class ComplianceModule {
diff --git a/frontend/src/app/compliance/shared/compliance-shared.module.ts b/frontend/src/app/compliance/shared/compliance-shared.module.ts
index 1e413646f..8084450bb 100644
--- a/frontend/src/app/compliance/shared/compliance-shared.module.ts
+++ b/frontend/src/app/compliance/shared/compliance-shared.module.ts
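Review bot: Dropping `DashboardBuilderModule` and `AlertManagementSharedModule` from `imports` will not surface as a template compile error if any template still declared in `ComplianceModule` uses a component from them, because the module keeps `schemas: [NO_ERRORS_SCHEMA, CUSTOM_ELEMENTS_SCHEMA]`, which makes Angular accept unknown elements and properties silently and render them empty. Whether any remaining template references those modules cannot be confirmed from this hunk, so a manual check of the compliance templates (or temporarily removing the schemas line during the build) is worth doing before merging. On style, the whole `imports` array is deleted and re-added (19 `-` lines, 17 `+` lines) when the only functional change is the removal of two entries; the rest of the churn looks like indentation only, which hides the real change from reviewers and from `git blame`. Keeping the original indentation and emitting just `- DashboardBuilderModule,` and `- AlertManagementSharedModule` would make the hunk say what it does.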
@@ -6,21 +6,12 @@ import {NgSelectModule} from '@ng-select/ng-select'; import {UtmDashboardSharedModule} from '../../dashboard/shared/utm-dashboard-shared.module'; import {UtmSharedModule} from '../../shared/utm-shared.module'; import {UtmComplianceCreateComponent} from './components/utm-compliance-create/utm-compliance-create.component'; -import {UtmCpCronEditorComponent} from './components/utm-cp-cron-editor/utm-cp-cron-editor.component'; import {UtmCpStSectionSelectComponent} from './components/utm-cp-st-section-select/utm-cp-st-section-select.component'; import {UtmCpStandardCreateComponent} from './components/utm-cp-standard-create/utm-cp-standard-create.component'; import {UtmCpStandardSectionCreateComponent} from './components/utm-cp-standard-section-create/utm-cp-standard-section-create.component'; import {UtmCpStandardSelectComponent} from './components/utm-cp-standard-select/utm-cp-standard-select.component'; import {UtmReportInfoViewComponent} from './components/utm-report-info-view/utm-report-info-view.component'; import {UtmSaveAsComplianceComponent} from './components/utm-save-as-compliance/utm-save-as-compliance.component'; -import { - UtmComplianceScheduleCreateComponent -} from "./components/utm-compliance-schedule-create/utm-compliance-schedule-create.component"; -import {UtmComplianceSelectComponent} from "./components/utm-compliance-select/utm-compliance-select.component"; -import { - UtmComplianceScheduleDeleteComponent -} from "./components/utm-compliance-schedule-delete/utm-compliance-schedule-delete.component"; - @NgModule({ declarations: [ @@ -30,11 +21,7 @@ import { UtmCpStandardCreateComponent, UtmCpStandardSectionCreateComponent, UtmReportInfoViewComponent, - UtmComplianceCreateComponent, - UtmComplianceScheduleCreateComponent, - UtmCpCronEditorComponent, - UtmComplianceSelectComponent, - UtmComplianceScheduleDeleteComponent + UtmComplianceCreateComponent ], imports: [ CommonModule, 
@@ -52,9 +39,7 @@ import { UtmCpStSectionSelectComponent, UtmCpStandardCreateComponent, UtmCpStandardSectionCreateComponent, - UtmComplianceCreateComponent, - UtmComplianceScheduleCreateComponent, - UtmComplianceScheduleDeleteComponent + UtmComplianceCreateComponent ], exports: [ UtmSaveAsComplianceComponent, @@ -62,9 +47,7 @@ import { UtmCpStSectionSelectComponent, UtmCpStandardCreateComponent, UtmCpStandardSectionCreateComponent, - UtmReportInfoViewComponent, - UtmComplianceScheduleCreateComponent, - UtmComplianceScheduleDeleteComponent + UtmReportInfoViewComponent ] }) export class ComplianceSharedModule { diff --git a/frontend/src/app/compliance/shared/components/utm-compliance-create/utm-compliance-create.component.scss b/frontend/src/app/compliance/shared/components/utm-compliance-create/utm-compliance-create.component.scss index 94da32974..57f116164 100644 --- a/frontend/src/app/compliance/shared/components/utm-compliance-create/utm-compliance-create.component.scss +++ b/frontend/src/app/compliance/shared/components/utm-compliance-create/utm-compliance-create.component.scss @@ -4,7 +4,7 @@ .step-container { display: flex; align-items: center; - justify-content: space-between; + justify-content: space-around; width: 100%; position: relative; @@ -45,9 +45,8 @@ .step-link { height: 1px; background-color: #7777; - width: 72%; + width: 50%; top: 33px; - left: 16%; position: absolute; z-index: 0; } diff --git a/frontend/src/app/compliance/shared/components/utm-compliance-schedule-create/utm-compliance-schedule-create.component.html b/frontend/src/app/compliance/shared/components/utm-compliance-schedule-create/utm-compliance-schedule-create.component.html deleted file mode 100644 index 26ff082cc..000000000 --- a/frontend/src/app/compliance/shared/components/utm-compliance-schedule-create/utm-compliance-schedule-create.component.html +++ /dev/null @@ -1,71 +0,0 @@ - -
-
-
-
- - Compliance report select - -
- -
-
- -
- - Schedule config - -
- -
-
-
-
-
- - -
-
-
-
-
-
- - - Dashbaoards filters - - -
-
-
- -
-
-
-
-
- - - - -
-
- diff --git a/frontend/src/app/compliance/shared/components/utm-compliance-schedule-create/utm-compliance-schedule-create.component.scss b/frontend/src/app/compliance/shared/components/utm-compliance-schedule-create/utm-compliance-schedule-create.component.scss deleted file mode 100644 index 94da32974..000000000 --- a/frontend/src/app/compliance/shared/components/utm-compliance-schedule-create/utm-compliance-schedule-create.component.scss +++ /dev/null @@ -1,55 +0,0 @@ -@import "../../../../../assets/styles/theme"; -@import "../../../../../assets/styles/var"; - -.step-container { - display: flex; - align-items: center; - justify-content: space-between; - width: 100%; - position: relative; - - .step { - display: flex; - flex-direction: column; - justify-content: center; - align-items: center; - z-index: 1; - - .round-indicator { - width: 30px; - height: 30px; - border-radius: 50%; - display: flex; - align-items: center; - justify-content: center; - color: #ffffff; - - i { - font-size: 11px; - } - } - - .step-active { - background-color: $blue-scroll; - } - - .step-inactive { - background-color: $grey-color; - } - - .step-success { - background-color: $success-color !important; - } - } - - .step-link { - height: 1px; - background-color: #7777; - width: 72%; - top: 33px; - left: 16%; - position: absolute; - z-index: 0; - } - -} diff --git a/frontend/src/app/compliance/shared/components/utm-compliance-schedule-create/utm-compliance-schedule-create.component.ts b/frontend/src/app/compliance/shared/components/utm-compliance-schedule-create/utm-compliance-schedule-create.component.ts deleted file mode 100644 index 917063e3c..000000000 --- a/frontend/src/app/compliance/shared/components/utm-compliance-schedule-create/utm-compliance-schedule-create.component.ts +++ /dev/null 
@@ -1,222 +0,0 @@ -import {Component, EventEmitter, Input, OnDestroy, OnInit, Output} from '@angular/core'; -import {NgbActiveModal, NgbModal} from '@ng-bootstrap/ng-bootstrap'; -import {Subject} from "rxjs"; -import {UtmToastService} from '../../../../shared/alert/utm-toast.service'; -import {DashboardBehavior} from '../../../../shared/behaviors/dashboard.behavior'; -import {UtmDashboardType} from '../../../../shared/chart/types/dashboard/utm-dashboard.type'; -import { - ElasticFilterDefaultTime -} from '../../../../shared/components/utm/filters/elastic-filter-time/elastic-filter-time.component'; -import {ChangeFilterValueService} from '../../../../shared/components/utm/filters/services/change-filter-value.service'; -import {FILTER_OPERATORS} from '../../../../shared/constants/filter-operators.const'; -import {ElasticOperatorsEnum} from '../../../../shared/enums/elastic-operators.enum'; -import {DataNatureTypeEnum, NatureDataPrefixEnum} from '../../../../shared/enums/nature-data.enum'; -import {DashboardFilterType} from '../../../../shared/types/filter/dashboard-filter.type'; -import {ElasticFilterType} from '../../../../shared/types/filter/elastic-filter.type'; -import {OperatorsType} from '../../../../shared/types/filter/operators.type'; -import {UtmIndexPattern} from '../../../../shared/types/index-pattern/utm-index-pattern'; -import {UtmFieldType} from '../../../../shared/types/table/utm-field.type'; -import {filtersWithPatternToStringParam -} from '../../../../shared/util/query-params-to-filter.util'; -import {CpReportBehavior} from '../../behavior/cp-report.behavior'; -import {ComplianceScheduleService} from '../../services/compliance-schedule.service'; -import {ComplianceReportType} from '../../type/compliance-report.type'; -import {ComplianceScheduleFilterType} from '../../type/compliance-schedule-filter.type'; -import {ComplianceScheduleType} from '../../type/compliance-schedule.type'; -import {takeUntil} from "rxjs/operators"; - -@Component({ - selector: 
'app-utm-compliance-schedule-create', - templateUrl: './utm-compliance-schedule-create.component.html', - styleUrls: ['./utm-compliance-schedule-create.component.scss'] -}) -export class UtmComplianceScheduleCreateComponent implements OnInit, OnDestroy { - @Input() report: ComplianceScheduleType; - @Output() reportCreated = new EventEmitter(); - @Output() reportUpdated = new EventEmitter(); - dataNature: DataNatureTypeEnum = DataNatureTypeEnum.EVENT; - step = 1; - stepCompleted: number[] = []; - creating = false; - viewSection = false; - standardSectionId: number; - operators: OperatorsType[] = FILTER_OPERATORS; - operatorEnum = ElasticOperatorsEnum; - solution = ''; - cron = '* * * * * *'; - reportId: number; - filters: DashboardFilterType[]; - filtersTypes: ElasticFilterType[] = []; - page = 1; - private sortBy = NatureDataPrefixEnum.TIMESTAMP + ',' + 'desc'; - patterns: UtmIndexPattern[]; - defaultTime: ElasticFilterDefaultTime = new ElasticFilterDefaultTime('now-24h', 'now'); - pattern: UtmIndexPattern; - queryParams: any; - fields: UtmFieldType[] = []; - filterDef: ComplianceScheduleFilterType[]; - dashboard: UtmDashboardType; - onDestroy$: Subject = new Subject(); - - constructor(private complianceScheduleService: ComplianceScheduleService, - public activeModal: NgbActiveModal, - private cpReportBehavior: CpReportBehavior, - private utmToastService: UtmToastService, - private changeFilterValueService: ChangeFilterValueService, - private dashboardBehavior: DashboardBehavior, - public modalService: NgbModal) { - } - - ngOnInit() { - const req = { - page: 0, - size: 1000, - sort: 'id,asc', - 'isActive.equals': true, - }; - - if (this.report) { - this.solution = this.report.compliance.configSolution; - this.viewSection = true; - this.standardSectionId = this.report.compliance.standardSectionId; - this.reportId = this.report.id; - this.cron = this.report.scheduleString; - this.filterDef = this.report.filterDef; - this.filterDef.forEach( f => 
this.addFilterType({indexPattern: f.indexPattern, filter: f.filterType})); - } - - this.dashboardBehavior.$filterDashboard - .pipe(takeUntil(this.onDestroy$)) - .subscribe(data => { - if (data && this.step === 2) { - this.addFilterType(data); - } - }); - } - - backStep() { - this.step -= 1; - this.stepCompleted.pop(); - } - - nextStep() { - this.stepCompleted.push(this.step); - this.step += 1; - if (this.step === 2 && this.report) { - this.getAllFilters().forEach(f => { - this.changeFilterValueService.changeSelectedValue({field: f.field, value: f.value}) - }); - } - } - - isCompleted(step: number) { - return this.stepCompleted.findIndex(value => value === step) !== -1; - } - - createCompliance() { - filtersWithPatternToStringParam(this.filtersTypes).then(queryParams => { - this.creating = true; - const reportCompliance: ComplianceScheduleType = { - complianceId: this.reportId, - filterDef: this.convertToFilterDefs(), - scheduleString: this.cron, - urlWithParams: `/dashboard/export-compliance/${this.reportId}?${queryParams}` - }; - if (this.report) { - reportCompliance.id = this.report.id; - this.complianceScheduleService.update(reportCompliance) - .pipe(takeUntil(this.onDestroy$)) - .subscribe(() => { - this.utmToastService.showSuccessBottom('Compliance report edited successfully'); - this.filtersTypes = []; - this.activeModal.close(); - this.reportUpdated.emit('edited'); - }, error1 => { - this.creating = false; - this.utmToastService.showError('Error', 'Error editing compliance report'); - }); - } else { - this.complianceScheduleService.create(reportCompliance) - .pipe(takeUntil(this.onDestroy$)) - .subscribe(() => { - this.utmToastService.showSuccessBottom('Compliance report created successfully'); - this.filtersTypes = []; - this.activeModal.close(); - this.cpReportBehavior.$reportUpdate.next('update'); - this.reportCreated.emit('created'); - }, error1 => { - this.creating = false; - this.utmToastService.showError('Error', 'Error creating compliance report'); - 
}); - } - }); - } - - onDashboardSelected($event: ComplianceReportType) { - this.dashboard = $event.associatedDashboard; - this.filters = JSON.parse(this.dashboard.filters); - this.reportId = $event.id; - } - - private onError(res: any) { - this.utmToastService.showErrorResponse('Error', res); - } - - getAllFilters(): ElasticFilterType[] { - return this.report.filterDef.reduce((allFilters: ElasticFilterType[], currentDef) => { - return allFilters.concat(currentDef.filterType); - }, []); - } - - convertToFilterDefs() { - const filterDefs: ComplianceScheduleFilterType[] = []; - - this.filtersTypes.forEach(filterType => { - const existingFilterDef = filterDefs.find(def => def.indexPattern === filterType.pattern); - - if (existingFilterDef) { - existingFilterDef.filterType.push(filterType); - } else { - filterDefs.push({ - indexPattern: filterType.pattern, - filterType: [filterType] - }); - } - }); - - return filterDefs; - } - - addFilterType(filter: any) { - if (this.filtersTypes.length > 0) { - const filterType = this.filtersTypes.find(f => - f.field === filter.filter[0].field && - f.operator === filter.filter[0].operator && - f.pattern === filter.indexPattern && - f.value !== filter.filter[0].value); - - if (filterType) { - filterType.value = filter.filter[0].value; - } else { - this.filtersTypes.push({ - pattern: filter.indexPattern, - value: filter.filter[0].value, - operator: filter.filter[0].operator, - field: filter.filter[0].field - }); - } - } else { - this.filtersTypes.push({ - pattern: filter.indexPattern, - value: filter.filter[0].value, - operator: filter.filter[0].operator, - field: filter.filter[0].field - }); - } - } - - ngOnDestroy() { - this.onDestroy$.next(); - this.onDestroy$.complete(); - } -} 
diff --git a/frontend/src/app/compliance/shared/components/utm-compliance-schedule-delete/utm-compliance-schedule-delete.component.html b/frontend/src/app/compliance/shared/components/utm-compliance-schedule-delete/utm-compliance-schedule-delete.component.html deleted file mode 100644 index 1a5dc4581..000000000 --- a/frontend/src/app/compliance/shared/components/utm-compliance-schedule-delete/utm-compliance-schedule-delete.component.html +++ /dev/null @@ -1,17 +0,0 @@ - -
-
- Are you sure that you want to delete this schedule to {{complianceSchedule.compliance.associatedDashboard.name}}.? -
-
- - -
-
diff --git a/frontend/src/app/compliance/shared/components/utm-compliance-schedule-delete/utm-compliance-schedule-delete.component.scss b/frontend/src/app/compliance/shared/components/utm-compliance-schedule-delete/utm-compliance-schedule-delete.component.scss deleted file mode 100644 index e69de29bb..000000000 diff --git a/frontend/src/app/compliance/shared/components/utm-compliance-schedule-delete/utm-compliance-schedule-delete.component.ts b/frontend/src/app/compliance/shared/components/utm-compliance-schedule-delete/utm-compliance-schedule-delete.component.ts deleted file mode 100644 index 74a6a89ad..000000000 --- a/frontend/src/app/compliance/shared/components/utm-compliance-schedule-delete/utm-compliance-schedule-delete.component.ts +++ /dev/null 
@@ -1,38 +0,0 @@ -import {Component, EventEmitter, Input, OnInit, Output} from '@angular/core'; -import {NgbActiveModal} from '@ng-bootstrap/ng-bootstrap'; -import {UtmToastService} from '../../../../shared/alert/utm-toast.service'; -import {NavBehavior} from '../../../../shared/behaviors/nav.behavior'; -import {ComplianceScheduleService} from '../../services/compliance-schedule.service'; - - -@Component({ - selector: 'app-dashboard-delete', - templateUrl: './utm-compliance-schedule-delete.component.html', - styleUrls: ['./utm-compliance-schedule-delete.component.scss'] -}) -export class UtmComplianceScheduleDeleteComponent implements OnInit { - @Input() complianceSchedule: any; - @Output() complianceScheduleDeleted = new EventEmitter(); - - constructor(public activeModal: NgbActiveModal, - private complianceScheduleService: ComplianceScheduleService, - private utmToastService: UtmToastService, - private navBehavior: NavBehavior) { - } - - ngOnInit() { - } - - deleteDashboard() { - this.complianceScheduleService.delete(this.complianceSchedule.id) - .subscribe(() => { - this.utmToastService.showSuccessBottom('Schedule Compliance deleted successfully'); - this.activeModal.close(); - this.navBehavior.$nav.next(true); - this.complianceScheduleDeleted.emit('deleted'); - }, () => { - this.utmToastService.showError('Error deleting schedule compliance', - 'Error deleting dashboard, please check your network and try again'); - }); - } -} diff --git a/frontend/src/app/compliance/shared/components/utm-compliance-select/utm-compliance-select.component.html b/frontend/src/app/compliance/shared/components/utm-compliance-select/utm-compliance-select.component.html deleted file mode 100644 index 9447db4a3..000000000 --- a/frontend/src/app/compliance/shared/components/utm-compliance-select/utm-compliance-select.component.html +++ /dev/null @@ -1,96 +0,0 @@ -
-
- - Selected:  - - {{report.associatedDashboard.name}} - - -
- - -
-
- - -
-
-
- - - - - - - - - - - - - - - - -
-
- - - {{report.associatedDashboard.name}} - - - - -
-
- -
-
- - -
-
-
-
-
- -
-
-
diff --git a/frontend/src/app/compliance/shared/components/utm-compliance-select/utm-compliance-select.component.scss b/frontend/src/app/compliance/shared/components/utm-compliance-select/utm-compliance-select.component.scss deleted file mode 100644 index e69de29bb..000000000 diff --git a/frontend/src/app/compliance/shared/components/utm-compliance-select/utm-compliance-select.component.ts b/frontend/src/app/compliance/shared/components/utm-compliance-select/utm-compliance-select.component.ts deleted file mode 100644 index 5f91153e0..000000000 --- a/frontend/src/app/compliance/shared/components/utm-compliance-select/utm-compliance-select.component.ts +++ /dev/null 
@@ -1,137 +0,0 @@ -import {HttpResponse} from '@angular/common/http'; -import {Component, EventEmitter, Input, OnInit, Output} from '@angular/core'; -import {UtmToastService} from '../../../../shared/alert/utm-toast.service'; -import {SortEvent} from '../../../../shared/directives/sortable/type/sort-event'; -import {ComplianceScheduleService} from '../../services/compliance-schedule.service'; -import {CpReportsService} from '../../services/cp-reports.service'; -import {CpStandardSectionService} from '../../services/cp-standard-section.service'; -import {CpStandardService} from '../../services/cp-standard.service'; -import {ComplianceReportType} from '../../type/compliance-report.type'; -import {ComplianceScheduleType} from '../../type/compliance-schedule.type'; -import {ComplianceStandardSectionType} from '../../type/compliance-standard-section.type'; -import {ComplianceStandardType} from '../../type/compliance-standard.type'; - -@Component({ - selector: 'app-utm-compliance-select', - templateUrl: './utm-compliance-select.component.html', - styleUrls: ['./utm-compliance-select.component.scss'] -}) -export class UtmComplianceSelectComponent implements OnInit { - @Input() idReport: number; - @Output() reportSelected = new EventEmitter(); - private requestParams: any; - private sortBy: SortEvent; - report: ComplianceReportType; - standards: ComplianceStandardType[] = []; - standard: number; - solution: string; - standardSections: ComplianceStandardSectionType[] = []; - section: number; - loading = true; - totalItems: any; - page = 1; - itemsPerPage = 10; - complianceReports: ComplianceReportType[] = []; - searching = false; - - constructor(private cpReportsService: CpReportsService, - private utmToastService: UtmToastService, - private cpStandardService: CpStandardService, - private cpStandardSectionService: CpStandardSectionService, - private complianceScheduleService: ComplianceScheduleService) {} - - ngOnInit() { - this.requestParams = { - page: this.page - 1, - 
size: this.itemsPerPage, - sort: this.sortBy, - 'name.contains': null - }; - this.getStandardList(); - } - - onSortBy($event) { - } - - getSelectedDashboard(id: number) { - this.complianceScheduleService.find(id).subscribe(response => { - const report: ComplianceScheduleType = response.body; - this.selectDashboard(response.body.compliance); - }); - } - - loadPage(page: any) { - this.requestParams.page = page - 1; - this.getDashboardList(); - } - - getDashboardList() { - const query = { - page: this.page - 1, - size: 1000, - sort: 'id,asc', - 'standardSectionId.equals': this.section, - 'configSolution.contains': this.solution - }; - this.cpReportsService.query(query).subscribe( - (res: HttpResponse) => this.onSuccess(res.body, res.headers), - (res: HttpResponse) => this.onError(res.body) - ); - } - - getSections() { - const query = { - page: this.page - 1, - size: 1000, - sort: 'id,asc', - 'standardId.equals': this.standard, - 'standardSectionName.contains': this.solution - }; - this.cpStandardSectionService.query(query).subscribe(response => { - this.standardSections = response.body; - this.section = this.standardSections[0].id; - this.getDashboardList(); - if (this.idReport) { - this.getSelectedDashboard(this.idReport); - } - }); - } - - getStandardList() { - this.cpStandardService.query({page: 0, size: 1000}).subscribe( - (res: HttpResponse) => { - this.standards = res.body; - this.standard = this.standards[0].id; - this.getSections(); - }, - (res: HttpResponse) => this.onError(res) - ); - } - - onSearchDashboard($event: string) { - this.searching = true; - this.solution = $event; - this.getDashboardList(); - } - - selectDashboard(report: ComplianceReportType) { - this.report = report; - this.idReport = report.id; - this.reportSelected.emit(report); - } - - private onSuccess(data, headers) { - this.totalItems = headers.get('X-Total-Count'); - this.complianceReports = data; - this.loading = false; - this.searching = false; - } - - private onError(res: any) { - 
this.utmToastService.showErrorResponse('Error', res); - } - - filterBySelect($event: {}, source: string) { - this.getSections(); - } -} diff --git a/frontend/src/app/compliance/shared/components/utm-cp-cron-editor/models/time-frequency.ts b/frontend/src/app/compliance/shared/components/utm-cp-cron-editor/models/time-frequency.ts deleted file mode 100644 index 3b6fde147..000000000 --- a/frontend/src/app/compliance/shared/components/utm-cp-cron-editor/models/time-frequency.ts +++ /dev/null @@ -1,31 +0,0 @@ -export enum TimeFrequency { - Daily = 'Day', - Weekly = 'Week', - Monthly = 'Month', - Yearly = 'Year' -} - -export enum DaysOfWeek { - Sunday = 'SUN', - Monday = 'MON', - Tuesday = 'TUE', - Wednesday = 'WED', - Thursday = 'THU', - Friday = 'FRI', - Saturday = 'SAT', -} - -export enum MonthsOfYear { - January = '1', - February = '2', - March = '3', - April = '4', - May = '5', - June = '6', - July = '7', - August = '8', - September = '9', - October = '10', - November = '11', - December = '12' -} diff --git a/frontend/src/app/compliance/shared/components/utm-cp-cron-editor/utm-cp-cron-editor.component.html b/frontend/src/app/compliance/shared/components/utm-cp-cron-editor/utm-cp-cron-editor.component.html deleted file mode 100644 index 0297ceb4a..000000000 --- a/frontend/src/app/compliance/shared/components/utm-cp-cron-editor/utm-cp-cron-editor.component.html +++ /dev/null @@ -1,67 +0,0 @@ - -
-
-
- - -
-
-
-
- - -
-
-
-
- - -
-
-
-
- - -
-
-
-
- - - -
-
-
- - -
-
- - {{day[0]}} - -
-
-
- - diff --git a/frontend/src/app/compliance/shared/components/utm-cp-cron-editor/utm-cp-cron-editor.component.scss b/frontend/src/app/compliance/shared/components/utm-cp-cron-editor/utm-cp-cron-editor.component.scss deleted file mode 100644 index 0cfe0c7b8..000000000 --- a/frontend/src/app/compliance/shared/components/utm-cp-cron-editor/utm-cp-cron-editor.component.scss +++ /dev/null @@ -1,46 +0,0 @@ - -/*.margin-bottom{ - margin-bottom: 1.8em; -} - -@media (min-width: 576px) { - .flex-basics-30 { - flex-basis: 32%; - } - - .flex-basics-50 { - flex-basis: 48%; - } -}*/ - -.badge.badge-lg.badge-circle { - width: 2rem; - height: 2rem; -} -.badge.badge-lg { - min-width: 2rem; - font-size: 1rem; -} -.badge.badge-circle { - border-radius: 50%; - padding: 0; - min-width: unset; - width: 1.75rem; -} -.badge.badge-circle, .badge.badge-square { - display: inline-flex; - align-items: center; - justify-content: center; - height: 1.75rem; - min-width: 1.75rem; - padding: 0 0.1rem; - line-height: 0; -} -.badge-primary.badge-outline { - border: 1px solid #007bff; - color: #007bff; - background-color: transparent; -} -.gap-5 { - gap: 1.25rem !important; -} diff --git a/frontend/src/app/compliance/shared/components/utm-cp-cron-editor/utm-cp-cron-editor.component.ts b/frontend/src/app/compliance/shared/components/utm-cp-cron-editor/utm-cp-cron-editor.component.ts deleted file mode 100644 index 4723811f0..000000000 --- a/frontend/src/app/compliance/shared/components/utm-cp-cron-editor/utm-cp-cron-editor.component.ts +++ /dev/null 
@@ -1,159 +0,0 @@ -import {Component, forwardRef} from '@angular/core'; -import {ControlValueAccessor, NG_VALUE_ACCESSOR} from '@angular/forms'; -import {DaysOfWeek, MonthsOfYear, TimeFrequency} from './models/time-frequency'; - -const dailyFrequencies: number[] = Array.from({length: 29}, (_, index) => index + 1); -const monthlyFrequencies: number[] = Array.from({length: 12}, (_, index) => index + 1); - -export const CUSTOM_CONTROL_VALUE_ACCESSOR: any = { - provide: NG_VALUE_ACCESSOR, - useExisting: forwardRef(() => UtmCpCronEditorComponent), - multi: true, -}; - -@Component({ - selector: 'app-utm-cp-cron-editor', - templateUrl: './utm-cp-cron-editor.component.html', - styleUrls: ['./utm-cp-cron-editor.component.scss'], - providers: [CUSTOM_CONTROL_VALUE_ACCESSOR], -}) -export class UtmCpCronEditorComponent implements ControlValueAccessor { - - disabled = false; - - public readonly TimeFrequency = TimeFrequency; - public readonly DaysOfWeek = DaysOfWeek; - - months: { name: string, value: string }[] = Object.keys(MonthsOfYear).map(key => ({ - name: key, - value: MonthsOfYear[key as keyof typeof MonthsOfYear] - })); - - timeFrequency: TimeFrequency = TimeFrequency.Daily; - dailyFrequency = 1; - monthlyFrequency = 1; - yearlyFrequency = this.months[0].value; - - startDate = new Date(); - endDate: any; - time = {hour: 0, minute: 0}; - days: string[] = []; - cmdCron: string; - onChange: (value: string) => void = () => {}; - onTouched = () => {}; - - set cronSentence(cmd: string) { - this.cmdCron = cmd; - } - - get frequenciesByType() { - if (this.timeFrequency === TimeFrequency.Daily) { - return dailyFrequencies; - } - return monthlyFrequencies; - } - - get monthlyValue() { - if (this.timeFrequency === TimeFrequency.Yearly) { - return this.yearlyFrequency; - } else if (this.timeFrequency === TimeFrequency.Weekly || this.timeFrequency === TimeFrequency.Daily) { - return '*'; - } - return `*/${this.monthlyFrequency}`; - } - - getTimeEnumValues(obj: any): string[] { - 
return Object.values(obj) as string[]; - } - - getTime(position: number): string { - /*const formatTime = this.convertTo24Format(this.time);*/ - const time = position === 1 ? this.time.minute : this.time.hour; - return this.time.hour === 0 && this.time.minute === 0 ? '*' : time.toString(); - } - - getDay() { - return this.timeFrequency === TimeFrequency.Daily && this.dailyFrequency !== 0 ? `*/${this.dailyFrequency}` : '*'; - } - - getDays() { - return this.days.length > 0 ? this.days.join(',') : '*'; - } - - isSelected(day: string): boolean { - return this.days.includes(this.getIndexDay(day)); - } - - setDays(day: string) { - if (this.isSelected(day)) { - this.days.splice(this.days.indexOf(day), 1); - } else { - this.days.push(this.getIndexDay(day)); - } - this.emitChange(); - } - - onChangeFrequency() { - if (this.timeFrequency === TimeFrequency.Weekly) { - this.days = ['0']; - } - if (this.timeFrequency !== TimeFrequency.Weekly) { - this.days = []; - } - if (this.timeFrequency === TimeFrequency.Weekly || this.timeFrequency === TimeFrequency.Yearly) { - this.dailyFrequency = 0; - } - this.emitChange(); - } - registerOnChange(fn: any): void { - this.onChange = fn; - } - - registerOnTouched(fn: any): void { - this.onTouched = fn; - } - - writeValue(cron: string): void { - if (cron != null && cron !== '' && cron !== undefined) { - const cronParts = cron.split(' '); - if (cronParts[1] !== '*') { - this.time = { - hour: Number(cronParts[1]), - minute: Number(cronParts[2]) - }; - } - - if (cronParts[3] !== '*') { - this.timeFrequency = TimeFrequency.Daily; - this.dailyFrequency = Number(cronParts[3].split('*/')[1]); - } - - if (cronParts[4] !== '*') { - if (Number(cronParts[4])) { - this.timeFrequency = TimeFrequency.Yearly; - this.yearlyFrequency = this.months[Number(cronParts[4]) - 1].value; - } else { - this.timeFrequency = TimeFrequency.Monthly; - this.monthlyFrequency = Number(cronParts[4].split('*/')[1]); - } - } - - if (cronParts[5] !== '*') { - 
this.timeFrequency = TimeFrequency.Weekly; - this.days = []; - cronParts[5].split(',').forEach(value => { - this.days.push(value); - }); - } - - this.cronSentence = cron; - } - } - getIndexDay(day: string) { - return Object.values(DaysOfWeek).findIndex(value => value === day).toString(); - } - emitChange() { - this.cmdCron = `* ${this.getTime(1)} ${this.getTime(0)} ${this.getDay()} ${this.monthlyValue} ${this.getDays()}`; - this.onChange(this.cmdCron); - } -} diff --git a/frontend/src/app/compliance/shared/services/compliance-schedule.service.ts b/frontend/src/app/compliance/shared/services/compliance-schedule.service.ts deleted file mode 100644 index dc211786d..000000000 --- a/frontend/src/app/compliance/shared/services/compliance-schedule.service.ts +++ /dev/null 
@@ -1,44 +0,0 @@ -import {HttpClient, HttpResponse} from '@angular/common/http'; -import {Injectable} from '@angular/core'; -import {Observable} from 'rxjs'; -import {SERVER_API_URL} from '../../../app.constants'; -import {createRequestOption} from '../../../shared/util/request-util'; -import {ComplianceScheduleType} from '../type/compliance-schedule.type'; - - -@Injectable({ - providedIn: 'root' -}) -export class ComplianceScheduleService { - public resourceUrl = SERVER_API_URL + 'api'; - - constructor(private http: HttpClient) { - } - - create(complianceSchedule: ComplianceScheduleType): Observable> { - return this.http.post(`${this.resourceUrl}/compliance-report-schedules`, - complianceSchedule, {observe: 'response'}); - } - - update(alert: ComplianceScheduleType): Observable> { - return this.http.put(`${this.resourceUrl}/compliance-report-schedules`, - alert, {observe: 'response'}); - } - - find(id: number): Observable> { - return this.http.get(`${this.resourceUrl}/compliance-report-schedules-by-id/${id}`, - {observe: 'response'}); - } - - query(req?: any): Observable> { - const options = createRequestOption(req); - return this.http.get(`${this.resourceUrl}/compliance-report-schedules-by-user`, { - params: options, observe: 'response' - }); - } - - delete(id: string): Observable> { - return this.http.delete(`${this.resourceUrl}/compliance-report-schedules/${id}`, - {observe: 'response'}); - } -} diff --git a/frontend/src/app/compliance/shared/services/cron-description-generator.service.ts b/frontend/src/app/compliance/shared/services/cron-description-generator.service.ts deleted file mode 100644 index c2454c285..000000000 --- a/frontend/src/app/compliance/shared/services/cron-description-generator.service.ts +++ /dev/null 
@@ -1,139 +0,0 @@ -import {Injectable} from '@angular/core'; -import {TimeFrequency} from '../components/utm-cp-cron-editor/models/time-frequency'; - -@Injectable({ - providedIn: 'root' -}) - -export class CronDescriptionGeneratorService { - - private static dayOfWeekMap: Record = { - '0': 'Sunday', - '1': 'Monday', - '2': 'Tuesday', - '3': 'Wednesday', - '4': 'Thursday', - '5': 'Friday', - '6': 'Saturday' - }; - - private static monthMap: Record = { - '1': 'January', - '2': 'February', - '3': 'March', - '4': 'April', - '5': 'May', - '6': 'June', - '7': 'July', - '8': 'August', - '9': 'September', - '10': 'October', - '11': 'November', - '12': 'December' - }; - - private cronFields: any; - private timeFrequency: TimeFrequency; - private frequency: string; - - - private mapDayOfWeek(dayOfWeek: string): string { - return CronDescriptionGeneratorService.dayOfWeekMap[dayOfWeek] || dayOfWeek; - } - - private mapMonth(month: string): string { - return CronDescriptionGeneratorService.monthMap[month] || month; - } - - private checkCronString(cronString: string) { - const fields = cronString.split(' '); - - if (fields.length !== 6) { - throw new Error('Invalid cron'); - } - - this.cronFields = { - seconds: fields[0], - minutes: fields[1], - hours: fields[2], - dayOfMonth: fields[3], - month: fields[4], - dayOfWeek: fields[5] - }; - - if (fields[3] !== '*') { - const day = fields[3].split('*/'); - if (Number(day[1])) { - this.timeFrequency = TimeFrequency.Daily; - this.frequency = day[1]; - } - } - - if (fields[4] !== '*') { - if (Number(fields[4])) { - this.timeFrequency = TimeFrequency.Yearly; - this.frequency = fields[4]; - } else { - const day = fields[4].split('*/'); - if (Number(day[1])) { - this.timeFrequency = TimeFrequency.Monthly; - this.frequency = day[1]; - } - } - } - - if (fields[5] !== '*') { - if (Number(fields[5]) || fields[5].split(',').length > 0) { - this.timeFrequency = TimeFrequency.Weekly; - } - } - - } - - public getDescription(cronString: string): 
string { - - this.checkCronString(cronString); - return this.getResults(); - - } - - getHour() { - if (this.cronFields.minutes === '*') { - return 'at every minute'; - } else if (Number(this.cronFields.minutes) && Number(this.cronFields.hours)) { - return `at ${this.cronFields.hours}:${this.cronFields.minutes}`; - } else { - return ''; - } - } - - getDaysOfWeek() { - if (this.cronFields.dayOfWeek === '*') { - return ''; - } else if (Number(this.cronFields.dayOfWeek)) { - return `on ${CronDescriptionGeneratorService.dayOfWeekMap[this.cronFields.dayOfWeek]}`; - } else { - const days = this.cronFields.dayOfWeek.split(','); - return `on ${days.map((day: string) => CronDescriptionGeneratorService.dayOfWeekMap[day]).join(',')}`; - } - } - private getResults() { - - let freq = this.timeFrequency.toLowerCase(); - const hours = this.getHour(); - - if (this.timeFrequency === TimeFrequency.Daily || this.timeFrequency === TimeFrequency.Monthly) { - if (Number(this.frequency) > 1) { - freq = this.timeFrequency.toLowerCase().concat('s'); - } - - return `Runs every ${this.frequency} ${freq} ${hours}`; - - } else if (this.timeFrequency === TimeFrequency.Weekly) { - return `Runs weekly ${this.getDaysOfWeek()} ${hours}`; - } else { - return `Runs yearly on ${CronDescriptionGeneratorService.monthMap[this.cronFields.month]} ${hours}`; - } - } - -} diff --git a/frontend/src/app/compliance/shared/type/compliance-schedule-filter.type.ts b/frontend/src/app/compliance/shared/type/compliance-schedule-filter.type.ts deleted file mode 100644 index 9b1ecd9bf..000000000 --- a/frontend/src/app/compliance/shared/type/compliance-schedule-filter.type.ts +++ /dev/null @@ -1,6 +0,0 @@ -import {ElasticFilterType} from '../../../shared/types/filter/elastic-filter.type'; - -export class ComplianceScheduleFilterType { - indexPattern: string; - filterType: ElasticFilterType[]; -} 
diff --git a/frontend/src/app/compliance/shared/type/compliance-schedule.type.ts b/frontend/src/app/compliance/shared/type/compliance-schedule.type.ts deleted file mode 100644 index e0ddbc63d..000000000 --- a/frontend/src/app/compliance/shared/type/compliance-schedule.type.ts +++ /dev/null @@ -1,13 +0,0 @@ -import {ElasticFilterType} from '../../../shared/types/filter/elastic-filter.type'; -import {ComplianceReportType} from './compliance-report.type'; -import {ComplianceScheduleFilterType} from "./compliance-schedule-filter.type"; - -export class ComplianceScheduleType { - id?: number; - scheduleString: string; - urlWithParams?: string; - filters?: string; - filterDef: ComplianceScheduleFilterType[]; - compliance?: ComplianceReportType; - complianceId: number; -} diff --git a/frontend/src/app/core/auth/auth-jwt.service.ts b/frontend/src/app/core/auth/auth-jwt.service.ts index 1f0429b8f..7ffad1ece 100644 --- a/frontend/src/app/core/auth/auth-jwt.service.ts +++ b/frontend/src/app/core/auth/auth-jwt.service.ts @@ -5,7 +5,7 @@ import {LocalStorageService, SessionStorageService} from 'ngx-webstorage'; import {Observable} from 'rxjs'; import {map} from 'rxjs/operators'; -import {ACCESS_KEY, COOKIE_AUTH_TOKEN, SERVER_API_URL, SESSION_AUTH_TOKEN} from '../../app.constants'; +import {COOKIE_AUTH_TOKEN, SERVER_API_URL, SESSION_AUTH_TOKEN} from '../../app.constants'; import {UtmToastService} from '../../shared/alert/utm-toast.service'; import {CSRFService} from './csrf.service'; 
@@ -56,27 +56,12 @@ export class AuthServerProvider { } } - loginWithAccessKey(jwt, rememberMe) { - if (jwt) { - this.storeAccessKey(jwt); - return Promise.resolve(jwt); - } else { - return Promise.reject('auth-jwt-service Promise reject '); // Put appropriate error message here - } - } - storeAuthenticationToken(jwt) { this.$localStorage.store(SESSION_AUTH_TOKEN, jwt); this.$sessionStorage.store(SESSION_AUTH_TOKEN, jwt); this.$cookie.setCookie(COOKIE_AUTH_TOKEN, jwt); } - storeAccessKey(key) { - this.$localStorage.store(ACCESS_KEY, key); - this.$sessionStorage.store(ACCESS_KEY, key); - this.$cookie.setCookie(ACCESS_KEY, key); - } - logout(): Observable { return new Observable(observer => { this.$localStorage.clear(SESSION_AUTH_TOKEN); diff --git a/frontend/src/app/core/login/login.service.ts b/frontend/src/app/core/login/login.service.ts index b5a4bd7ad..084c7a5e6 100644 --- a/frontend/src/app/core/login/login.service.ts +++ b/frontend/src/app/core/login/login.service.ts @@ -33,10 +33,6 @@ export class LoginService { return this.authServerProvider.loginWithToken(jwt, rememberMe); } - loginWithKey(key, rememberMe) { - return this.authServerProvider.loginWithAccessKey(key, rememberMe); - } - logout() { this.authServerProvider.logout().subscribe(() => { this.accountService.authenticate(null); diff --git a/frontend/src/app/dashboard/compliance-export/compliance-export.component.ts b/frontend/src/app/dashboard/compliance-export/compliance-export.component.ts index e156714f9..69fb51c86 100644 --- a/frontend/src/app/dashboard/compliance-export/compliance-export.component.ts +++ b/frontend/src/app/dashboard/compliance-export/compliance-export.component.ts 
@@ -8,19 +8,11 @@ import {CpReportsService} from '../../compliance/shared/services/cp-reports.serv import {ComplianceReportType} from '../../compliance/shared/type/compliance-report.type'; import {AccountService} from '../../core/auth/account.service'; import {Account} from '../../core/user/account.model'; -import {DashboardBehavior} from '../../shared/behaviors/dashboard.behavior'; import {ThemeChangeBehavior} from '../../shared/behaviors/theme-change.behavior'; -import {TimeFilterBehavior} from '../../shared/behaviors/time-filter.behavior'; import {UtmDashboardVisualizationType} from '../../shared/chart/types/dashboard/utm-dashboard-visualization.type'; import {ChartTypeEnum} from '../../shared/enums/chart-type.enum'; -import {ElasticFilterType} from '../../shared/types/filter/elastic-filter.type'; -import { - parseQueryParamsToFilterWithPattern -} from '../../shared/util/query-params-to-filter.util'; -import {buildFormatInstantFromDate} from '../../shared/util/utm-time.util'; import {UtmRenderVisualization} from '../shared/services/utm-render-visualization.service'; - @Component({ selector: 'app-compliance-export', templateUrl: './compliance-export.component.html', @@ -62,8 +54,6 @@ export class ComplianceExportComponent implements OnInit, AfterViewInit { date = new Date(); preparingPrint = true; cover: string; - filters: ElasticFilterType[] = []; - filterTime: { from: string, to: string }; constructor(private activatedRoute: ActivatedRoute, private cpReportsService: CpReportsService, @@ -71,8 +61,6 @@ export class ComplianceExportComponent implements OnInit, AfterViewInit { private accountService: AccountService, private spinner: NgxSpinnerService, private themeChangeBehavior: ThemeChangeBehavior, - private dashboardBehavior: DashboardBehavior, - private timeFilterBehavior: TimeFilterBehavior, public sanitizer: DomSanitizer, private cdr: ChangeDetectorRef) { } 
@@ -104,37 +92,11 @@ export class ComplianceExportComponent implements OnInit, AfterViewInit { this.reportId = params.id; this.getTemplate(); }); - this.activatedRoute.queryParams.subscribe(params => { - const queryParams = Object.entries(params).length > 0 ? params : null; - if (queryParams) { - parseQueryParamsToFilterWithPattern(queryParams).then((filters) => { - this.filters = filters; - this.getTimeFilterValue(); - }); - } - }); this.accountService.identity().then(account => { this.account = account; }); } - getTimeFilterValue() { - this.filterTime = { - from: this.resolveFromDate(this.getTime()), - to: this.resolveToDate(this.getTime()), - }; - } - - getTime() { - const indexTime = this.filters.findIndex(value => value.field === '@timestamp'); - if (indexTime !== -1) { - return { - from: this.filters[indexTime].value[0], - to: this.filters[indexTime].value[1] - }; - } - } - /** * Return template */ 
@@ -163,59 +125,11 @@ export class ComplianceExportComponent implements OnInit, AfterViewInit { } } - resolveToDate(date: { from: any, to: any }): string { - if (!isNaN(Date.parse(date.to))) { - return date.to; - } else { - return new Date().toString(); - } - } - - setVisFilter(): Promise { - return new Promise(resolve => { - for (const dashFilter of this.getFilterByIndexPattern()) { - this.dashboardBehavior.$filterDashboard.next(dashFilter); - } - if (this.filterTime) { - this.timeFilterBehavior.$time.next(this.getTime()); - } - setTimeout(() => resolve(true), 5000); - }); - } - - getFilterByIndexPattern(): { filter: ElasticFilterType[], indexPattern: string }[] { - const filterDefs = []; - - this.filters.forEach(filterType => { - const existingFilterDef = filterDefs.find(def => def.indexPattern === filterType.pattern); - - if (existingFilterDef) { - existingFilterDef.filter.push(filterType); - } else { - filterDefs.push({ - indexPattern: filterType.pattern, - filter: [filterType] - }); - } - }); - return filterDefs; - } - onVisualizationLoaded() { - this.setVisFilter().then(() => { - this.spinner.hide('buildPrint').then(() => { + this.spinner.hide('buildPrint').then(() => { this.preparingPrint = false; this.print(); - }); }); } - resolveFromDate(date: { from: any, to: any }): string { - if (!isNaN(Date.parse(date.from))) { - return date.from; - } else { - return buildFormatInstantFromDate(date).timeFrom; - } - } - } diff --git a/frontend/src/app/dashboard/dashboard-export-pdf/dashboard-export-pdf.component.ts b/frontend/src/app/dashboard/dashboard-export-pdf/dashboard-export-pdf.component.ts index 118194adc..864625027 100644 --- a/frontend/src/app/dashboard/dashboard-export-pdf/dashboard-export-pdf.component.ts +++ b/frontend/src/app/dashboard/dashboard-export-pdf/dashboard-export-pdf.component.ts 
@@ -147,7 +147,7 @@ export class DashboardExportPdfComponent implements OnInit, AfterViewInit { this.setVisFilter().then(() => { this.spinner.hide('buildPrint').then(() => { this.preparingPrint = false; - // this.print(); + this.print(); }); }); } diff --git a/frontend/src/app/dashboard/dashboard-overview/dashboard-overview.component.ts b/frontend/src/app/dashboard/dashboard-overview/dashboard-overview.component.ts index 3ef9b5b5c..b4f47bf16 100644 --- a/frontend/src/app/dashboard/dashboard-overview/dashboard-overview.component.ts +++ b/frontend/src/app/dashboard/dashboard-overview/dashboard-overview.component.ts @@ -23,8 +23,6 @@ import {ElasticSearchIndexService} from '../../shared/services/elasticsearch/ela import {IndexPatternService} from '../../shared/services/elasticsearch/index-pattern.service'; import {LocalFieldService} from '../../shared/services/elasticsearch/local-field.service'; import {ChartSerieValueType} from '../../shared/types/chart-reponse/chart-serie-value.type'; -import {ActivatedRoute} from "@angular/router"; -import {LoginService} from "../../core/login/login.service"; @Component({ selector: 'app-dashboard-overview', @@ -82,8 +80,6 @@ export class DashboardOverviewComponent implements OnInit { private localFieldService: LocalFieldService, private indexPatternService: IndexPatternService, private indexPatternFieldService: ElasticSearchIndexService, - private activatedRoute: ActivatedRoute, - private loginService: LoginService, private accountService: AccountService, private modalService: NgbModal) { } @@ -110,6 +106,7 @@ export class DashboardOverviewComponent implements OnInit { * END */ + this.getDailyAlert(); /** * Show activate modules modal on constructor 
@@ -121,16 +118,6 @@ export class DashboardOverviewComponent implements OnInit { // } // }); - /* this.activatedRoute.queryParams.subscribe(params => { - const queryParams = Object.entries(params).length > 0 ? params : null; - if (queryParams.token) { - this.loginService.loginWithKey(queryParams.token, false); - } - this.getDailyAlert(); - });*/ - - this.getDailyAlert(); - setTimeout(() => { this.synchronizeFields(); }, 100000); @@ -146,8 +133,7 @@ export class DashboardOverviewComponent implements OnInit { this.overviewAlertDashboardService.getCardAlertTodayWeek().subscribe(response => { this.dailyAlert = response.body; this.loadingChartDailyAlert = false; - }, - error => console.log(error)); + }); } exportToPdf() { diff --git a/frontend/src/app/dashboard/dashboard-render/dashboard-render.component.ts b/frontend/src/app/dashboard/dashboard-render/dashboard-render.component.ts index 25782de1b..ed20f5005 100644 --- a/frontend/src/app/dashboard/dashboard-render/dashboard-render.component.ts +++ b/frontend/src/app/dashboard/dashboard-render/dashboard-render.component.ts @@ -18,8 +18,6 @@ import {filtersToStringParam} from '../../shared/util/query-params-to-filter.uti import {normalizeString} from '../../shared/util/string-util'; import {RenderLayoutService} from '../shared/services/render-layout.service'; import {UtmRenderVisualization} from '../shared/services/utm-render-visualization.service'; -import {ExportPdfService} from "../../shared/services/util/export-pdf.service"; -import {NgxSpinnerService} from "ngx-spinner"; @Component({ selector: 'app-dashboard-render', 
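Review bot: Dropping the `error => console.log(error)` callback in getDailyAlert leaves the `getCardAlertTodayWeek().subscribe(...)` call with no error handler, so a failed request is now silent and `loadingChartDailyAlert` stays true indefinitely because only the success branch clears it. Keep an error branch that at least resets the flag, e.g. `}, () => { this.loadingChartDailyAlert = false; });`, and surface the failure through whatever the project uses for user-visible errors if that is the convention. The removed handler only logged, so the missing flag reset predates this commit, but the change makes the failure invisible as well. getDailyAlert's opening line is outside the hunk.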
@@ -67,9 +65,7 @@ export class DashboardRenderComponent implements OnInit, OnDestroy, AfterViewIni private modalService: NgbModal, private dashboardBehavior: DashboardBehavior, private timeFilterBehavior: TimeFilterBehavior, - private utmRenderVisualization: UtmRenderVisualization, - private exportPdfService: ExportPdfService, - private spinner: NgxSpinnerService) { + private utmRenderVisualization: UtmRenderVisualization) { } ngOnInit() { @@ -163,16 +159,7 @@ export class DashboardRenderComponent implements OnInit, OnDestroy, AfterViewIni exportToPdf() { filtersToStringParam(this.filtersValues).then(queryParams => { - this.spinner.show('buildPrintPDF'); - const url = '/dashboard/export/' + this.dashboardId + '/' + normalizeString(this.dashboard.name) + '?' + queryParams; - // window.open('/dashboard/export/' + this.dashboardId + '/' + normalizeString(this.dashboard.name) + '?' + queryParams, '_blank'); - this.exportPdfService.getPdf(url, this.dashboard.name, 'PDF_TYPE_TOKEN').subscribe(response => { - this.spinner.hide('buildPrintPDF').then(() => - this.exportPdfService.handlePdfResponse(response)); - }, error => { - this.spinner.hide('buildPrintPDF'); - console.error('Error downloading PDF:', error); - }); + window.open('/dashboard/export/' + this.dashboardId + '/' + normalizeString(this.dashboard.name) + '?' + queryParams, '_blank'); }); } } diff --git a/frontend/src/app/data-management/alert-management/shared/components/filters/active-filters/active-filters.component.html b/frontend/src/app/data-management/alert-management/shared/components/filters/active-filters/active-filters.component.html index 0e2297551..7faf21c00 100644 --- a/frontend/src/app/data-management/alert-management/shared/components/filters/active-filters/active-filters.component.html +++ b/frontend/src/app/data-management/alert-management/shared/components/filters/active-filters/active-filters.component.html @@ -1,5 +1,5 @@ -
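Review bot: The restored `window.open(...)` line in exportToPdf builds the export URL by string concatenation from `this.dashboardId`, `normalizeString(this.dashboard.name)` and the `queryParams` string, so any character `normalizeString` leaves in the name, or an unescaped `&`/`#` inside a filter value (the encoding done by `filtersToStringParam` is not visible here), breaks the path or the query. Build the URL with the URL API so the path segment is escaped once: `const url = new URL(`/dashboard/export/${this.dashboardId}/${encodeURIComponent(normalizeString(this.dashboard.name))}`, window.location.origin);` then `url.search = queryParams;` and `window.open(url.toString(), '_blank');`. If `filtersToStringParam` does not percent-encode values, that is where the encoding belongs, since `url.search` takes the string as-is.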
- +
+ Active filters diff --git a/frontend/src/app/data-management/alert-management/shared/components/filters/active-filters/active-filters.component.ts b/frontend/src/app/data-management/alert-management/shared/components/filters/active-filters/active-filters.component.ts index 55a0b081c..5fd3788a1 100644 --- a/frontend/src/app/data-management/alert-management/shared/components/filters/active-filters/active-filters.component.ts +++ b/frontend/src/app/data-management/alert-management/shared/components/filters/active-filters/active-filters.component.ts @@ -19,7 +19,6 @@ import {resolveFieldNameByFilter} from '../../../util/alert-util-function'; export class ActiveFiltersComponent implements OnInit { @Input() filters: ElasticFilterType[] = []; @Input() dataType: EventDataTypeEnum; - @Input() showHeader = true; operatorsEnum = ElasticOperatorsEnum; STATUS_FIELD = ALERT_STATUS_FIELD; SEVERITY_FIELD = ALERT_SEVERITY_FIELD; diff --git a/frontend/src/app/shared/components/auth/login/login.component.ts b/frontend/src/app/shared/components/auth/login/login.component.ts index 4c77d4715..0188addb9 100644 --- a/frontend/src/app/shared/components/auth/login/login.component.ts +++ b/frontend/src/app/shared/components/auth/login/login.component.ts @@ -58,17 +58,13 @@ export class LoginComponent implements OnInit, AfterViewInit { this.apiServiceCheckerService.isOnlineApi$.subscribe(result => { if (result) { - // this.startNavigation(); + this.startNavigation(); this.activatedRoute.queryParams.subscribe(params => { if (params.token) { this.loginService.loginWithToken(params.token, true).then(() => { this.checkLogin(params.url); }); - } else if (params.key) { - this.loginService.loginWithKey(params.key, true).then(() => { - this.startInternalNavigation(); - }); } else { this.loadingAuth = false; } @@ -177,8 +173,4 @@ export class LoginComponent implements OnInit, AfterViewInit { }); } - startInternalNavigation(){ - this.router.navigate(['/dashboard/overview']); - } - } 
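Review bot: The `params.token` branch in the `isOnlineApi$` subscription takes a credential straight from the URL query string, stores it with rememberMe forced to `true` via `loginWithToken(params.token, true)`, and then forwards `params.url` to `checkLogin`; if checkLogin navigates to that value unchanged (its body is outside the hunk), an externally supplied `url` is an open redirect, and the token itself is left in browser history, proxy logs and Referer headers. At minimum reject non-relative targets before navigating, e.g. `const target = typeof params.url === 'string' && params.url.startsWith('/') && !params.url.startsWith('//') ? params.url : undefined;`, and clear the consumed parameters from the address bar with `this.router.navigate([], {queryParams: {token: null, url: null}, queryParamsHandling: 'merge', replaceUrl: true});` once the login resolves. With the `params.key` branch and the `storeAccessKey` path gone, clients that previously persisted `ACCESS_KEY` appear to keep it in localStorage, sessionStorage and the cookie unless something clears it, since the logout path shown elsewhere in this patch only clears `SESSION_AUTH_TOKEN`; a one-time `clear(ACCESS_KEY)` on login or logout would close that. The enclosing method starts before the hunk.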
diff --git a/frontend/src/app/shared/components/layout/header/shared/components/utm-version-info/utm-version-info.component.html b/frontend/src/app/shared/components/layout/header/shared/components/utm-version-info/utm-version-info.component.html index 0ae8ae0c3..9f1c2f572 100644 --- a/frontend/src/app/shared/components/layout/header/shared/components/utm-version-info/utm-version-info.component.html +++ b/frontend/src/app/shared/components/layout/header/shared/components/utm-version-info/utm-version-info.component.html @@ -1,3 +1,3 @@ {{''}} + class="badge badge-pill version-info cursor-pointer text-white">{{currentVersion.build.version}} diff --git a/frontend/src/app/shared/components/layout/header/shared/notification/utm-notification-alert/utm-notification-alert.component.ts b/frontend/src/app/shared/components/layout/header/shared/notification/utm-notification-alert/utm-notification-alert.component.ts index 279026830..177774c8e 100644 --- a/frontend/src/app/shared/components/layout/header/shared/notification/utm-notification-alert/utm-notification-alert.component.ts +++ b/frontend/src/app/shared/components/layout/header/shared/notification/utm-notification-alert/utm-notification-alert.component.ts @@ -42,6 +42,7 @@ export class UtmNotificationAlertComponent implements OnInit, OnDestroy { } ngOnDestroy() { + console.log('destroy'); this.destroy$.next(true); clearInterval(this.timeoutAlert); clearInterval(this.intervalAlert); diff --git a/frontend/src/app/shared/components/utm/filters/dashboard-filter-view/dashboard-filter-select/dashboard-filter-select.component.html b/frontend/src/app/shared/components/utm/filters/dashboard-filter-view/dashboard-filter-select/dashboard-filter-select.component.html index 2ddd32362..50647a3bf 100644 --- a/frontend/src/app/shared/components/utm/filters/dashboard-filter-view/dashboard-filter-select/dashboard-filter-select.component.html 
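Review bot: The added `console.log('destroy');` at the top of ngOnDestroy in UtmNotificationAlertComponent is a leftover debug statement with no diagnostic content and will print on every teardown in production; remove it before merge. If a trace is genuinely wanted, route it through the project's logging convention rather than a bare console call.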
+++ b/frontend/src/app/shared/components/utm/filters/dashboard-filter-view/dashboard-filter-select/dashboard-filter-select.component.html @@ -1,6 +1,5 @@ = new Subject(); constructor(private elasticSearchIndexService: ElasticSearchIndexService, - private dashboardBehavior: DashboardBehavior, - private changeFilterValueService: ChangeFilterValueService) { + private dashboardBehavior: DashboardBehavior) { } ngOnInit() { this.getFieldValues(); - - this.changeFilterValueService.selectedValue$ - .pipe(takeUntil(this.onDestroy$)) - .subscribe( data => { - if (data && this.filter.field === data.field) { - this.selected = data.value; - } - }); } ngOnChanges(changes: SimpleChanges) { @@ -43,6 +29,7 @@ export class DashboardFilterSelectComponent implements OnInit, OnChanges, OnDest } } + getFieldValues() { const req = { page: 0, @@ -66,9 +53,4 @@ export class DashboardFilterSelectComponent implements OnInit, OnChanges, OnDest }; this.dashboardBehavior.$filterDashboard.next({filter: [elasticFilter], indexPattern: filter.indexPattern}); } - - ngOnDestroy() { - this.onDestroy$.next(); - this.onDestroy$.complete(); - } } diff --git a/frontend/src/app/shared/components/utm/filters/services/change-filter-value.service.ts b/frontend/src/app/shared/components/utm/filters/services/change-filter-value.service.ts deleted file mode 100644 index 40d3763d4..000000000 --- a/frontend/src/app/shared/components/utm/filters/services/change-filter-value.service.ts +++ /dev/null @@ -1,15 +0,0 @@ -import { Injectable } from '@angular/core'; -import { BehaviorSubject, Observable } from 'rxjs'; - -@Injectable({ - providedIn: 'root' -}) -export class ChangeFilterValueService { - private selectedValueSubject = new BehaviorSubject<{ field: any, value: any }>(null); - - selectedValue$: Observable = this.selectedValueSubject.asObservable(); - - changeSelectedValue(newValues: { field: any, value: any }): void { - this.selectedValueSubject.next(newValues); - } -} 
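Review bot: Removing ngOnDestroy from DashboardFilterSelectComponent while the class header still reads `implements OnInit, OnChanges, OnDest…` (the pre-change context shown in the hunk header, and not touched by any hunk of this file section) should fail the TypeScript build with "incorrectly implements interface 'OnDestroy'", unless the implements clause was edited somewhere not visible here. If `onDestroy$ = new Subject()` also survives (the start of that hunk is lost in this rendering), it is now never completed. Either drop `OnDestroy` from the implements clause together with the field, or keep `ngOnDestroy() { this.onDestroy$.next(); this.onDestroy$.complete(); }` so the Subject is released.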
diff --git a/frontend/src/app/shared/services/util/export-pdf.service.ts b/frontend/src/app/shared/services/util/export-pdf.service.ts deleted file mode 100644 index c12d88d12..000000000 --- a/frontend/src/app/shared/services/util/export-pdf.service.ts +++ /dev/null @@ -1,30 +0,0 @@ -import { HttpClient, HttpResponse } from '@angular/common/http'; -import { Injectable } from '@angular/core'; -import { Observable } from 'rxjs'; -import {SERVER_API_URL} from '../../../app.constants'; - -@Injectable({ - providedIn: 'root' -}) -export class ExportPdfService { - - public resourceUrl = SERVER_API_URL + 'api'; - - constructor(private http: HttpClient) { } - - getPdf(url: string, filename: string, accessType: string): Observable> { - const params = `?url=${encodeURIComponent(url)}&filename=${encodeURIComponent(filename)}&accessType=${accessType}`; - const urlWithParams = `${this.resourceUrl}/generate-pdf-report${params}`; - - return this.http.get(`${urlWithParams}`, { - observe: 'response', - responseType: 'blob' - }); - } - - handlePdfResponse(response: any): void { - const blob = new Blob([response.body], { type: 'application/pdf' }); - const url = window.URL.createObjectURL(blob); - window.open(url, '_blank'); - } -} diff --git a/frontend/src/app/shared/types/filter/elastic-filter.type.ts b/frontend/src/app/shared/types/filter/elastic-filter.type.ts index 875d5823d..457bf196c 100644 --- a/frontend/src/app/shared/types/filter/elastic-filter.type.ts +++ b/frontend/src/app/shared/types/filter/elastic-filter.type.ts @@ -1,8 +1,5 @@ -import {UtmIndexPattern} from '../index-pattern/utm-index-pattern'; - export class ElasticFilterType { label?: string; - pattern?: string; field?: string; value?: any; operator?: any; diff --git a/frontend/src/app/shared/util/query-params-to-filter.util.ts b/frontend/src/app/shared/util/query-params-to-filter.util.ts index f6da26d36..e962753ad 100644 --- a/frontend/src/app/shared/util/query-params-to-filter.util.ts 
+++ b/frontend/src/app/shared/util/query-params-to-filter.util.ts @@ -40,17 +40,6 @@ export function getOperator(param: string): ElasticOperatorsEnum { } } -/** - * Return indexPattern to add to filter - * @param param Value of the param in queryParams - */ -export function getIndexPattern(param: string) { - if (param.includes('->')) { - return param.split('->').length > 2 ? param.split('->')[2] : ''; - } - return ''; -} - /** * Return value based on operator used in param * @param param Value of the param in queryParams 
@@ -110,55 +99,3 @@ export function stringParamToQueryParams(queryString: string): Promise { resolve(queryParams); }); } - -/** - * Take query params and return ElasticFiltersType object - * @param queryParams Object params from route snapshot - */ -export function parseQueryParamsToFilterWithPattern(queryParams: object): Promise { - return new Promise(resolve => { - const filters: ElasticFilterType[] = []; - for (const key of Object.keys(queryParams)) { - if (key !== 'patternId' && key !== 'indexPattern' && key !== 'dataNature' && key !== 'mode' - && key !== 'queryId' && key !== 'queryName' && key !== 'alertType') { - const index = filters.findIndex(filter => filter.field === key); - if (index !== -1) { - filters[index].value = getValue(queryParams[key]); - filters[index].operator = getOperator(queryParams[key]); - filters[index].pattern = getIndexPattern(queryParams[key]); - } else { - filters.push({ - field: key, - value: getValue(queryParams[key]), - operator: getOperator(queryParams[key]), - pattern: getIndexPattern(queryParams[key]) - }); - } - } - } - resolve(filters); - }); -} - -/** - * Return string of query params - * @param filters ElasticFilterType to convert to string params - */ -export function filtersWithPatternToStringParam(filters: ElasticFilterType[]): Promise { - return new Promise(resolve => { - let queryString = ''; - /** - * Add all filters to string - */ - filters.forEach(value => { - if (value.pattern) { - queryString += value.field + '=' + value.operator + '->' + value.value + '->' + value.pattern + '&'; - } else { - queryString += value.field + '=' + value.operator + '->' + value.value + '&'; - } - }); - // remove last & - queryString = queryString.substring(0, queryString.length - 1); - resolve(queryString); - }); -} From 8d75e13978d5295e55b32f2a028d134d007451e0 Mon Sep 17 00:00:00 2001 
From: jdieguez89 Date: Thu, 28 Dec 2023 11:40:16 +0200 Subject: [PATCH 04/20] adding new active directory changes --- .../active-directory.component.html | 6 +- .../shared/behavior/tree-object.behvior.ts | 10 +- .../active-directory-detail.component.html | 17 +-- .../active-directory-detail.component.scss | 4 - .../active-directory-detail.component.ts | 3 +- .../active-directory-event.component.ts | 2 +- .../active-directory-tree.component.html | 12 +- .../active-directory-tree.component.scss | 1 - .../active-directory-tree.component.ts | 120 +++++++----------- .../event-timeline.component.html | 42 +++--- .../event-timeline.component.scss | 2 +- .../event-timeline.component.ts | 50 ++++---- .../services/active-directory.service.ts | 7 +- .../shared/services/winlogbeat.service.ts | 2 +- .../types/active-directory-tree.type.ts | 1 - .../types/active-directory-user-source.ts | 5 - .../shared/types/active-directory-users.ts | 10 -- .../active-directory-view.component.html | 11 +- .../active-directory-view.component.ts | 58 +++------ 19 files changed, 136 insertions(+), 227 deletions(-) delete mode 100644 frontend/src/app/active-directory/shared/types/active-directory-user-source.ts delete mode 100644 frontend/src/app/active-directory/shared/types/active-directory-users.ts diff --git a/frontend/src/app/active-directory/active-directory.component.html b/frontend/src/app/active-directory/active-directory.component.html index 77c970a15..a37dca7c9 100644 --- a/frontend/src/app/active-directory/active-directory.component.html +++ b/frontend/src/app/active-directory/active-directory.component.html @@ -1,9 +1,9 @@
- Users with Activity + Active directory
- +
diff --git a/frontend/src/app/active-directory/shared/behavior/tree-object.behvior.ts b/frontend/src/app/active-directory/shared/behavior/tree-object.behvior.ts index cfe1def90..3c9406de2 100644 --- a/frontend/src/app/active-directory/shared/behavior/tree-object.behvior.ts +++ b/frontend/src/app/active-directory/shared/behavior/tree-object.behvior.ts @@ -1,15 +1,7 @@ import {Injectable} from '@angular/core'; import {BehaviorSubject} from 'rxjs'; -import {ActiveDirectoryTreeType} from '../types/active-directory-tree.type'; @Injectable({providedIn: 'root'}) export class TreeObjectBehavior { - private user: BehaviorSubject = new BehaviorSubject(null); - userSelected() { - return this.user.asObservable(); - } - - changeUser(user: ActiveDirectoryTreeType) { - this.user.next(user); - } + $objectId: BehaviorSubject = new BehaviorSubject(''); } diff --git a/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.html b/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.html index eb598a607..962de108e 100644 --- a/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.html +++ b/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.html @@ -1,18 +1,10 @@ -
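Review bot: The new `$objectId` in TreeObjectBehavior is a public, mutable BehaviorSubject, so every consumer can both push and read, whereas the removed version kept the subject private and exposed `userSelected()` as an Observable plus a single `changeUser()` setter. That removes the one place where a pushed value could be validated or the read side kept read-only; AdTreeComponent and AdEventComponent already call `.next(...)` on it directly in this patch, including `next(null)` against an initial value of `''`. If the broader API is intentional, keep the subject private and expose `objectId$ = this.objectId.asObservable();` alongside a `setObjectId(id: string | null)` method. The generic argument of the BehaviorSubject is stripped in this rendering, so whether `null` is a legal value cannot be confirmed from here.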
-
+
-
+
-
- {{ attribute.attributeKey+': ' }} - - {{ attribute.attributeValue ? attribute.attributeValue : '-'}} - -
-
- +
-
diff --git a/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.scss b/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.scss index f965edb4c..9cf9b93bb 100644 --- a/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.scss +++ b/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.scss @@ -7,7 +7,3 @@ max-height: calc(100vh - 48px); height: calc(100vh - 48px); } - -.username { - margin-left: 3px; -} diff --git a/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.ts b/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.ts index 04b65c9dd..03fe49516 100644 --- a/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.ts +++ b/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.ts @@ -10,8 +10,7 @@ import {ActiveDirectoryType} from '../../types/active-directory.type'; styleUrls: ['./active-directory-detail.component.scss'] }) export class AdDetailComponent implements OnInit { - @Input() adInfo: any; - @Input() user: any; + @Input() adInfo: ActiveDirectoryType; formatDateEnum = UtmDateFormatEnum; totalItems: number; page = 1; diff --git a/frontend/src/app/active-directory/shared/components/active-directory-event/active-directory-event.component.ts b/frontend/src/app/active-directory/shared/components/active-directory-event/active-directory-event.component.ts index 294f0db6f..2c7f51b29 100644 --- a/frontend/src/app/active-directory/shared/components/active-directory-event/active-directory-event.component.ts 
+++ b/frontend/src/app/active-directory/shared/components/active-directory-event/active-directory-event.component.ts @@ -19,7 +19,7 @@ export class AdEventComponent implements OnInit { } ngOnInit() { - // this.treeObjectBehavior.$objectId.next(this.objectId); + this.treeObjectBehavior.$objectId.next(this.objectId); } replaceDetail(message: string): string { diff --git a/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.html b/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.html index a73d4ef73..4c688ff11 100644 --- a/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.html +++ b/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.html @@ -1,7 +1,7 @@
- +
-
    +
    • -   diff --git a/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.scss b/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.scss index a35e85572..706ad9c9c 100644 --- a/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.scss +++ b/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.scss @@ -45,7 +45,6 @@ .node-leaft-name { position: relative; - margin-left: 3px; &:hover { &:after { diff --git a/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.ts b/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.ts index ef100a675..086f518c1 100644 --- a/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.ts +++ b/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.ts @@ -7,7 +7,7 @@ import {ACTIVE_DIRECTORY_SIZE} from '../../const/active-directory-index-const'; import {getTreeIcon, resolveType} from '../../functions/ad-util.function'; import {ActiveDirectoryService} from '../../services/active-directory.service'; import {ActiveDirectoryTreeType} from '../../types/active-directory-tree.type'; -import {ActiveDirectoryUsers} from '../../types/active-directory-users'; +import {ActiveDirectoryType} from '../../types/active-directory.type'; import {arrayToTree, TreeItem} from './shared/functions/array-to-tree.function'; 
@@ -25,12 +25,10 @@ export class AdTreeComponent implements OnInit { deployed: string[] = []; deployedBeforeSearch: string[] = []; @Output() selected = new EventEmitter(); - itemView = ''; + itemView: string; searching = false; - loading = true; noDataFound: boolean; search: string; - users: ActiveDirectoryUsers[] = []; constructor(private activeDirectoryService: ActiveDirectoryService, private modalService: NgbModal, 
@@ -38,77 +36,58 @@ export class AdTreeComponent implements OnInit { } ngOnInit() { + // reset objectId + this.treeObjectBehavior.$objectId.next(null); this.getAllInfo(); } -getAllInfo() { + getAllInfo() { const req = { - sourceId: 1, - page: 0, - size: ACTIVE_DIRECTORY_SIZE + page: 1, + size: ACTIVE_DIRECTORY_SIZE, + // 'objectClass.specified': true, }; this.activeDirectoryService.query(req).subscribe(data => { this.searching = false; - this.loading = false; if (data.body) { this.noDataFound = false; this.buildTree(data.body).then(temArr => { this.tree = arrayToTree(temArr, {parentId: 'parentId', id: 'id', dataField: null}); - this.tree = this.tree.filter( t => t.children.length > 0); - console.log('TREE:', this.tree); }); } else { this.noDataFound = true; } - }, error => { - this.loading = false; - this.noDataFound = false; - this.users = []; }); } - buildTree(activeDirectory: ActiveDirectoryUsers[]): Promise { + buildTree(activeDirectory: ActiveDirectoryType[]): Promise { return new Promise(resolve => { - activeDirectory.unshift({ - id: 'Users', - sid: null, - createdDate: null, - modifiedDate: null, - source: null, - name: 'Users' - }); - activeDirectory.unshift({ - id: 'Workstations', - sid: null, - createdDate: null, - modifiedDate: null, - source: null, - name: 'Workstations' - }); - const arr: ActiveDirectoryTreeType[] = activeDirectory.reduce((group: any, value: any, currentIndex) => { - const name = value.name; - const existingGroup = group.find((group: any) => (name.startsWith('WS') && group.name === 'Workstations') || (group.name === 'Users')); - if (group.length > 0 && existingGroup) { - group.push({ - parentId: name.startsWith('WS') ? 'Workstations-0' : 'Users-1', - name, - objectSid: value.sid, - id: name + '-' + currentIndex, - type: name.startsWith('WS') ? 
'COMPUTER' : 'USER', - indexPattern: value.source.indexPattern - }); - } else { - group.push({ - id: name + '-' + currentIndex, - parentId: null, - name, - type: 'GROUP' - }); + const arr: ActiveDirectoryTreeType[] = []; + for (const ad of activeDirectory) { + // tslint:disable-next-line:variable-name + if (Object(ad).hasOwnProperty('distinguishedName') && ad.distinguishedName) { + const path = ad.distinguishedName.split(',').reverse(); + // tslint:disable-next-line:prefer-for-of + for (let i = 0; i < path.length; i++) { + const nodeName = path[i].substring(3, path[i].length); + const parentName = path[i - 1] ? path[i - 1] + .substring(3, path[i - 1].length) + '-' + (i - 1) : null; + const node = { + parentId: parentName, + name: nodeName, + objectSid: ad.objectSid, + id: nodeName + '-' + i, + type: resolveType(ad.objectClass), + isAdmin: ad.adminCount !== null, + // children: [] + }; + if (arr.findIndex(value => value.parentId === node.parentId && value.id === node.id) === -1) { + arr.push(node); + } + } } - - return group; - }, []); + } resolve(arr); }); } @@ -171,7 +150,7 @@ getAllInfo() { if (item.children.length === 0) { this.itemView = item.id; this.selected.emit(item.objectSid); - this.treeObjectBehavior.changeUser(item); + this.treeObjectBehavior.$objectId.next(item.objectSid); } } 
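Review bot: The new buildTree derives the tree from `ad.distinguishedName.split(',')` followed by `substring(3)`, which breaks on DNs containing escaped commas (`CN=Doe\, John,OU=…`, valid per RFC 4514) and on RDN types that are not two characters long (`O=`, `STREET=`), producing misplaced or truncated nodes; a small splitter that honours backslash escapes and cuts at the first `=` is sketched below. `isAdmin: ad.adminCount !== null` also marks every object as admin when the backend omits the attribute instead of sending `null`, because `undefined !== null` is true — and since the loop already guards `hasOwnProperty('distinguishedName')`, absent fields look possible here, so `isAdmin: ad.adminCount != null` is the safer test. The error callback on `query` in getAllInfo was dropped as well, so a failed request now leaves whatever state was on screen untouched; consider restoring `error => { this.noDataFound = true; }`. The hunk also covers ngOnInit and getAllInfo; the rest of the class is outside it.
```typescript
// Split a distinguishedName into RDN values, honouring RFC 4514 "\," escapes
// (hex escapes such as "\2C" are not decoded; extend if the directory emits them).
private dnToPath(dn: string): string[] {
  const values: string[] = [];
  let current = '';
  for (let i = 0; i < dn.length; i++) {
    if (dn[i] === '\\' && i + 1 < dn.length) {
      current += dn[++i];
    } else if (dn[i] === ',') {
      values.push(current);
      current = '';
    } else {
      current += dn[i];
    }
  }
  values.push(current);
  // drop the attribute type ("CN=", "OU=", "DC=", ...) whatever its length
  return values.map(rdn => rdn.substring(rdn.indexOf('=') + 1));
}

// … in buildTree, replacing the split()/substring() lines …
const path = this.dnToPath(ad.distinguishedName).reverse();
for (let i = 0; i < path.length; i++) {
  const nodeName = path[i];
  const parentName = path[i - 1] ? path[i - 1] + '-' + (i - 1) : null;
  // … unchanged: node construction, isAdmin, dedupe push …
}
```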
@@ -213,18 +192,28 @@ getAllInfo() { } filterAdByCn(cn: string) { - const data = this.filterByName(cn); - if (data.length > 0) { + const req = { + page: 1, + size: ACTIVE_DIRECTORY_SIZE, + // 'cn.contains': cn, + 'displayName.contains': cn + }; + this.activeDirectoryService.query(req).subscribe(data => { + if (data.body) { this.noDataFound = false; - this.searching = false; - this.tree = data; - for (const node of this.tree) { + this.buildTree(data.body).then(temArr => { + this.searching = false; + this.tree = arrayToTree(temArr, + {parentId: 'parentId', id: 'id', dataField: null}); + for (const node of this.tree) { this.deployAll(node); } + }); } else { this.searching = false; this.noDataFound = true; } + }); } // deploy all children in tree when search @@ -241,17 +230,6 @@ getAllInfo() { } } - filterByName(partialName: string) { - return this.tree.filter(item => { - if ( item.name.toLowerCase().includes(partialName.toLowerCase()) || - (item.children && item.children.some(child => child.name.toLowerCase().includes(partialName.toLowerCase()))) - ) { - return true; - } - return false; - }); - } - findPath(node: TreeItem, nodeName): TreeItem[] { // If current node matches search node, return tail of path result diff --git a/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.html b/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.html index abb196140..294f948d6 100644 --- a/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.html +++ b/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.html @@ -11,18 +11,34 @@
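Review bot: The subscribe in the new filterAdByCn has no error callback, so when the request fails `searching` stays true (it is only cleared inside the two success branches) and the search spinner never clears; pass `}, () => { this.searching = false; this.noDataFound = true; })` as the second subscribe argument. The commented-out `// 'cn.contains': cn,` in the request should either go or become a one-line comment stating why `displayName` is searched instead of `cn`, since as written it reads as a leftover. The user-typed `cn` reaches the server through createRequestOption as a query parameter rather than by string concatenation, which is fine on this side; how the backend treats `displayName.contains` is not visible here.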
      Events timeline
+
+
+ + + +
+ +
  • -
@@ -37,22 +53,6 @@
Events timeline
No more events
-
-
- - - -
- -
diff --git a/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.scss b/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.scss index 7b077ff6d..c1c8adc6e 100644 --- a/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.scss +++ b/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.scss @@ -10,7 +10,7 @@ .main { width: 100%; - height: 90vh; + height: 63vh; //max-height: 380px; min-height: 370px; box-sizing: border-box; diff --git a/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.ts b/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.ts index 467261ea2..159525829 100644 --- a/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.ts +++ b/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.ts @@ -7,7 +7,6 @@ import {ElasticFilterCommonType} from '../../../../shared/types/filter/elastic-f import {TimeFilterType} from '../../../../shared/types/time-filter.type'; import {TreeObjectBehavior} from '../../behavior/tree-object.behvior'; import {WinlogbeatService} from '../../services/winlogbeat.service'; -import {ActiveDirectoryTreeType} from "../../types/active-directory-tree.type"; import {WinlogbeatEventType} from '../../types/winlogbeat-event.type'; @Component({ @@ -19,7 +18,7 @@ export class EventTimelineComponent implements OnInit, AfterViewInit { @Input() events: string[]; @Input() time: TimeFilterType; @Output() eventChange = new EventEmitter(); - objectId: ActiveDirectoryTreeType; + objectId: string; sevenDaysRange: ElasticFilterCommonType = {time: ElasticTimeEnum.DAY, last: 7, label: 'last 7 days'}; items: WinlogbeatEventType[] = []; loadingMore = false; 
@@ -38,11 +37,11 @@ export class EventTimelineComponent implements OnInit, AfterViewInit { } ngOnInit(): void { - this.treeObjectBehavior.userSelected().subscribe(user => { + this.treeObjectBehavior.$objectId.subscribe(id => { this.eventChange.emit(null); this.itemSelected = ''; - if (user) { - this.objectId = user; + if (this.objectId !== '') { + this.objectId = id; this.items = []; this.page = 1; this.getEvents(); @@ -51,28 +50,25 @@ export class EventTimelineComponent implements OnInit, AfterViewInit { } getEvents() { - if(this.filterTime){ - const req = { - page: this.page, - size: this.itemsPerPage, - sort: '@timestamp,desc', - sid: this.objectId.objectSid, - indexPattern: this.objectId.indexPattern, - from: this.filterTime.timeFrom, - to: this.filterTime.timeTo, - 'eventId.in': this.events ? this.events.toString() : undefined - }; - this.winlogbeatService.query(req).subscribe(response => { - this.loadingMore = false; - this.loading = false; - if (response.body === null || response.body.length === 0) { - this.eventChange.emit(null); - } else { - this.items = response.body; - this.totalItems = Number(response.headers.get('X-Total-Count')); - } - }); - } + const req = { + page: this.page, + size: this.itemsPerPage, + sort: 'timestamp,desc', + 'objectSid.equals': this.objectId, + 'timestamp.greaterThanOrEqual': this.filterTime.timeFrom, + 'timestamp.lessThanOrEqual': this.filterTime.timeTo, + 'eventId.in': this.events ? this.events.toString() : undefined + }; + this.winlogbeatService.query(req).subscribe(response => { + this.loadingMore = false; + this.loading = false; + if (response.body === null || response.body.length === 0) { + this.eventChange.emit(null); + } else { + this.items = response.body; + this.totalItems = Number(response.headers.get('X-Total-Count')); + } + }); } ngAfterViewInit() { 
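Review bot: The guard `if (this.objectId !== '')` in the new ngOnInit tests the previous value rather than the emitted `id`, and because `objectId: string` is declared without an initializer the first comparison is `undefined !== ''`, so getEvents runs for every emission — including the `null` that AdTreeComponent.ngOnInit pushes as a reset in this same patch — and, depending on how createRequestOption treats null, either sends `objectSid.equals=null` or an unfiltered query. Test the incoming value instead: `if (id) { this.objectId = id; this.items = []; this.page = 1; this.getEvents(); }`. Nothing unsubscribes from `$objectId` either; if TreeObjectBehavior is a root-provided service the callback outlives the component, so keep the Subscription and close it in ngOnDestroy. The subscribe callback continues past the hunk.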
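Review bot: The `if (this.filterTime)` guard around the request in getEvents was removed, so `this.filterTime.timeFrom` now throws a TypeError whenever the method runs before a time filter has been set, and the ngOnInit subscription in the hunk above can trigger it on the very first emission; restore an early return, `if (!this.filterTime) { return; }`, before building `req`. The new keys (`objectSid.equals`, `timestamp.greaterThanOrEqual`, `timestamp.lessThanOrEqual`) are server-side criteria names, so a comment above `req` such as `// keys must match the backend filter DTO; an unknown key may be ignored rather than rejected` would warn the next maintainer that a typo here can silently widen the result set. ngAfterViewInit, which follows, is outside the hunk.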
diff --git a/frontend/src/app/active-directory/shared/services/active-directory.service.ts b/frontend/src/app/active-directory/shared/services/active-directory.service.ts index fb50cdfc3..529f5a21e 100644 --- a/frontend/src/app/active-directory/shared/services/active-directory.service.ts +++ b/frontend/src/app/active-directory/shared/services/active-directory.service.ts @@ -4,20 +4,19 @@ import {Observable} from 'rxjs'; import {SERVER_API_URL} from '../../../app.constants'; import {createRequestOption} from '../../../shared/util/request-util'; import {ActiveDirectoryType} from '../types/active-directory.type'; -import {ActiveDirectoryUsers} from "../types/active-directory-users"; @Injectable({ providedIn: 'root' }) export class ActiveDirectoryService { - public resourceUrl = SERVER_API_URL + 'api/utm-auditor-users-by-src'; + public resourceUrl = SERVER_API_URL + 'api/ad/active-directory-info-by-filter'; constructor(private http: HttpClient) { } - query(req?: any): Observable> { + query(req?: any): Observable> { const options = createRequestOption(req); - return this.http.get(this.resourceUrl, {params: options, observe: 'response'}); + return this.http.get(this.resourceUrl, {params: options, observe: 'response'}); } queryUser(req?: any, urlSegment?: string): Observable> { diff --git a/frontend/src/app/active-directory/shared/services/winlogbeat.service.ts b/frontend/src/app/active-directory/shared/services/winlogbeat.service.ts index 98b263e7d..7e58dcd44 100644 --- a/frontend/src/app/active-directory/shared/services/winlogbeat.service.ts +++ b/frontend/src/app/active-directory/shared/services/winlogbeat.service.ts @@ -10,7 +10,7 @@ import {WinlogbeatEventType} from '../types/winlogbeat-event.type'; providedIn: 'root' }) export class WinlogbeatService { - public resourceUrl = SERVER_API_URL + 'api/winlogbeat-info-by-filter'; + public resourceUrl = SERVER_API_URL + 'api/ad/winlogbeat-info-by-filter'; constructor(private http: HttpClient) { } 
diff --git a/frontend/src/app/active-directory/shared/types/active-directory-tree.type.ts b/frontend/src/app/active-directory/shared/types/active-directory-tree.type.ts index 4de167779..b75562785 100644 --- a/frontend/src/app/active-directory/shared/types/active-directory-tree.type.ts +++ b/frontend/src/app/active-directory/shared/types/active-directory-tree.type.ts @@ -5,6 +5,5 @@ export class ActiveDirectoryTreeType { isAdmin?: boolean; objectSid?: string; parentId?: string; - indexPattern?: string; children?: ActiveDirectoryTreeType[]; } diff --git a/frontend/src/app/active-directory/shared/types/active-directory-user-source.ts b/frontend/src/app/active-directory/shared/types/active-directory-user-source.ts deleted file mode 100644 index f22f45460..000000000 --- a/frontend/src/app/active-directory/shared/types/active-directory-user-source.ts +++ /dev/null @@ -1,5 +0,0 @@ -export class ActiveDirectoryUserSource { - id: string; - indexPattern: string; - indexName: string; -} diff --git a/frontend/src/app/active-directory/shared/types/active-directory-users.ts b/frontend/src/app/active-directory/shared/types/active-directory-users.ts deleted file mode 100644 index 3bc10718b..000000000 --- a/frontend/src/app/active-directory/shared/types/active-directory-users.ts +++ /dev/null @@ -1,10 +0,0 @@ -import {ActiveDirectoryUserSource} from './active-directory-user-source'; - -export class ActiveDirectoryUsers { - id: string; - sid: string; - name: string; - source: ActiveDirectoryUserSource; - createdDate: string; - modifiedDate: string; -} diff --git a/frontend/src/app/active-directory/view/active-directory-view/active-directory-view.component.html b/frontend/src/app/active-directory/view/active-directory-view/active-directory-view.component.html index 635616745..860ef2e37 100644 --- a/frontend/src/app/active-directory/view/active-directory-view/active-directory-view.component.html 
+++ b/frontend/src/app/active-directory/view/active-directory-view/active-directory-view.component.html @@ -11,7 +11,7 @@
-
{{object.name}}
+
{{adInfo.cn}}
@@ -39,12 +39,11 @@
{{object.name}}
- - + [adInfo]="adInfo"> +
-
+
diff --git a/frontend/src/app/active-directory/view/active-directory-view/active-directory-view.component.ts b/frontend/src/app/active-directory/view/active-directory-view/active-directory-view.component.ts index 580496bf0..fc83c2170 100644 --- a/frontend/src/app/active-directory/view/active-directory-view/active-directory-view.component.ts +++ b/frontend/src/app/active-directory/view/active-directory-view/active-directory-view.component.ts @@ -2,15 +2,12 @@ import {AfterViewChecked, ChangeDetectorRef, Component, OnInit} from '@angular/c import {Router} from '@angular/router'; import {NgbModal} from '@ng-bootstrap/ng-bootstrap'; import {ResizeEvent} from 'angular-resizable-element'; -import {Observable} from 'rxjs'; -import {tap} from 'rxjs/operators'; import {AdReportCreateComponent} from '../../reports/ad-report-create/ad-report-create.component'; import {TreeObjectBehavior} from '../../shared/behavior/tree-object.behvior'; import {resolveType} from '../../shared/functions/ad-util.function'; import {ActiveDirectoryService} from '../../shared/services/active-directory.service'; -import {ActiveDirectoryUsers} from '../../shared/types/active-directory-users'; +import {ActiveDirectoryType} from '../../shared/types/active-directory.type'; import {AdTrackerCreateComponent} from '../../tracker/ad-tracker-create/ad-tracker-create.component'; -import {ActiveDirectoryTreeType} from "../../shared/types/active-directory-tree.type"; @Component({ selector: 'app-active-directory-view', 
@@ -18,15 +15,13 @@ import {ActiveDirectoryTreeType} from "../../shared/types/active-directory-tree. styleUrls: ['./active-directory-view.component.scss'] }) export class AdViewComponent implements OnInit, AfterViewChecked { - object: ActiveDirectoryTreeType; + object: string; view = 'detail'; - adInfo: any; - adInfo$: Observable; + adInfo: ActiveDirectoryType; treeWidth = '290px'; detailWidth: string; pageWidth = window.innerWidth; treeHeight = window.innerHeight - 50; - showPanel = true; constructor(private router: Router, private activeDirectoryService: ActiveDirectoryService, @@ -37,12 +32,9 @@ export class AdViewComponent implements OnInit, AfterViewChecked { ngOnInit() { this.detailWidth = (this.pageWidth - 430) + 'px'; - this.treeObjectBehavior.userSelected().subscribe(object => { - if (object) { - this.object = object; - this.showPanel = false; - // this.adInfo$ = this.getInfo(); - } + this.treeObjectBehavior.$objectId.subscribe(id => { + this.object = id; + this.getInfo(); }); } 
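Review bot: ngOnInit now calls `this.getInfo()` on every `$objectId` emission without checking `id`, so the `null` that AdTreeComponent.ngOnInit pushes as a reset in this patch (and any later deselect) issues a request with `'objectSid.equals': null` and leaves the previous `adInfo` on screen; guard it with `if (id) { this.getInfo(); }` and clear `adInfo` in the else branch to whatever the template expects for "nothing selected". The subscription is never torn down; if TreeObjectBehavior is a shared service the callback keeps firing after the component is destroyed, so keep the Subscription and unsubscribe in ngOnDestroy. ngOnInit closes within the hunk; the rest of the class is outside it.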
@@ -50,38 +42,22 @@ export class AdViewComponent implements OnInit, AfterViewChecked { this.cdr.detectChanges(); } - objectSelected($event: ActiveDirectoryTreeType) { + objectSelected($event: string) { this.object = $event; } - /*getInfo() { + getInfo() { const req = { - indexPattern: this.object.source.indexPattern, - top: 10000, - sid: this.object.sid, + 'objectSid.equals': this.object, + page: 1, + size: 50 }; - return this.activeDirectoryService.queryUser(req, `api/utm-auditor-user-sid`) - .pipe( - tap(object => { - if (object.body) { - this.adInfo = this.object; - } - }) - ); - }*/ - - /*getInfo() { - const req = { - 'objectSid.equals': this.object, - page: 1, - size: 50 - }; - this.activeDirectoryService.query(req).subscribe(object => { - if (object.body) { - this.adInfo = object.body[0]; - } - }); - }*/ + this.activeDirectoryService.query(req).subscribe(object => { + if (object.body) { + this.adInfo = object.body[0]; + } + }); + } addToTracking() { const modalAddTracking = this.modalService.open(AdTrackerCreateComponent, {centered: true}); From 3e4d9e57a530fc117a7ac91a16f41fc6fdef67aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jorge=20Dieguez=20P=C3=A9rez?= Date: Thu, 28 Dec 2023 12:28:55 +0200 Subject: [PATCH 05/20] Update active-directory.service.ts --- .../shared/services/active-directory.service.ts | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/frontend/src/app/active-directory/shared/services/active-directory.service.ts b/frontend/src/app/active-directory/shared/services/active-directory.service.ts index 529f5a21e..fb50cdfc3 100644 --- a/frontend/src/app/active-directory/shared/services/active-directory.service.ts +++ b/frontend/src/app/active-directory/shared/services/active-directory.service.ts 
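Review bot: getInfo assigns `object.body[0]` after checking only that `object.body` is truthy, so an empty array (an unknown or stale SID) sets `adInfo` to undefined and the `{{adInfo.cn}}` binding added to the template earlier in this patch then fails; check the length, `if (object.body && object.body.length > 0) { this.adInfo = object.body[0]; }`, and decide what the panel shows otherwise. Requesting `size: 50` for a lookup by a single SID is odd — if SIDs are unique, `size: 1` states the intent and avoids transferring rows that are discarded. A one-line doc comment such as `// Load the directory object for the currently selected SID (this.object) into adInfo` would also help, since `object` here is now the SID string rather than a record.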
@@ -4,19 +4,20 @@ import {Observable} from 'rxjs'; import {SERVER_API_URL} from '../../../app.constants'; import {createRequestOption} from '../../../shared/util/request-util'; import {ActiveDirectoryType} from '../types/active-directory.type'; +import {ActiveDirectoryUsers} from "../types/active-directory-users"; @Injectable({ providedIn: 'root' }) export class ActiveDirectoryService { - public resourceUrl = SERVER_API_URL + 'api/ad/active-directory-info-by-filter'; + public resourceUrl = SERVER_API_URL + 'api/utm-auditor-users-by-src'; constructor(private http: HttpClient) { } - query(req?: any): Observable> { + query(req?: any): Observable> { const options = createRequestOption(req); - return this.http.get(this.resourceUrl, {params: options, observe: 'response'}); + return this.http.get(this.resourceUrl, {params: options, observe: 'response'}); } queryUser(req?: any, urlSegment?: string): Observable> { From 1027f0284cb2b8c495b67372fc7b8e37e936c428 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jorge=20Dieguez=20P=C3=A9rez?= Date: Thu, 28 Dec 2023 10:36:54 +0000 Subject: [PATCH 06/20] adding ad users types --- .../shared/types/active-directory-user-source.ts | 5 +++++ .../shared/types/active-directory-users.ts | 10 ++++++++++ 2 files changed, 15 insertions(+) create mode 100644 frontend/src/app/active-directory/shared/types/active-directory-user-source.ts create mode 100644 frontend/src/app/active-directory/shared/types/active-directory-users.ts diff --git a/frontend/src/app/active-directory/shared/types/active-directory-user-source.ts b/frontend/src/app/active-directory/shared/types/active-directory-user-source.ts new file mode 100644 index 000000000..d2a81bfdb --- /dev/null +++ b/frontend/src/app/active-directory/shared/types/active-directory-user-source.ts @@ -0,0 +1,5 @@ +export class ActiveDirectoryUserSource { + id: string; + indexPattern: string; + indexName: string; + } \ No newline at end of file 
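Review bot: Reverting `query` to return `ActiveDirectoryUsers[]` from `api/utm-auditor-users-by-src` conflicts with the AdTreeComponent.buildTree rewritten earlier in this series, which now expects `ActiveDirectoryType[]` and reads `distinguishedName`, `objectClass` and `adminCount` — fields the ActiveDirectoryUsers shape (id, sid, name, source, dates) does not declare — so `this.buildTree(data.body)` will not type-check and, at runtime, the `hasOwnProperty('distinguishedName')` guard skips every record and renders an empty tree. Either the tree component or this service has to follow; the two cannot both be right as committed. The import `from "../../types/active-directory-users"` also refers to a file deleted in the previous patch and recreated only in the next one, so this commit does not build on its own (a bisect hazard), and it uses double quotes where the rest of the file uses single quotes. The queryUser method that follows is outside the hunk.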
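Review bot: The closing brace of ActiveDirectoryUserSource is indented one level (`+ }`) and the file ends without a newline, which the diff flags; aligning the brace with `export class` and adding the trailing newline keeps the file consistent with the other type files in this directory. A short header comment saying what a "source" is here — judging by `indexPattern`/`indexName`, the index the user records were read from — would help readers, e.g. `// Where an audited AD user record was read from (index pattern and name); confirm against the backend DTO`.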
diff --git a/frontend/src/app/active-directory/shared/types/active-directory-users.ts b/frontend/src/app/active-directory/shared/types/active-directory-users.ts new file mode 100644 index 000000000..f0cbcf2fa --- /dev/null +++ b/frontend/src/app/active-directory/shared/types/active-directory-users.ts @@ -0,0 +1,10 @@ +import {ActiveDirectoryUserSource} from './active-directory-user-source'; + +export class ActiveDirectoryUsers { + id: string; + sid: string; + name: string; + source: ActiveDirectoryUserSource; + createdDate: string; + modifiedDate: string; +} \ No newline at end of file From 81b4199f269d7b30d5a841f950ac986da117a8ab Mon Sep 17 00:00:00 2001 From: "Freddy R. Laffita Almaguer" Date: Thu, 28 Dec 2023 06:29:01 -0500 Subject: [PATCH 07/20] Adding azure filter fix was missing during moving to monorepo (#186) --- .../20231215001_updating_azure_filter.xml | 262 ++++++++++++++++++ .../resources/config/liquibase/master.xml | 2 + 2 files changed, 264 insertions(+) create mode 100644 backend/src/main/resources/config/liquibase/changelog/20231215001_updating_azure_filter.xml diff --git a/backend/src/main/resources/config/liquibase/changelog/20231215001_updating_azure_filter.xml b/backend/src/main/resources/config/liquibase/changelog/20231215001_updating_azure_filter.xml new file mode 100644 index 000000000..0682f03d2 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20231215001_updating_azure_filter.xml 
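Review bot: ActiveDirectoryUsers declares every field as required (`sid: string`, `source: ActiveDirectoryUserSource`), but the tree code removed earlier in this series built placeholder rows with `sid: null` and `source: null`; if any remaining caller still constructs such placeholders, mark those fields optional (`sid?: string; source?: ActiveDirectoryUserSource;`) so the class reflects the values that actually flow through it. The file again ends without a trailing newline. A one-line comment noting that this mirrors the `utm-auditor-users-by-src` response restored in the previous patch would make the coupling to that endpoint explicit.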
@@ -0,0 +1,262 @@ + + + + + + + [ + "message", ''\"'', ''"'' + ] + } + +# Perform json transformation + json { + source => "message" + target => "azroot" + } +# Split fields in case of arrays +if ([azroot][records]) { + split { + field => "[azroot][records]" + target => "azroot" + } +} else if ([azroot]) { + split { + field => "azroot" + } +} +# Generating dataType and dataSource fields + if [@metadata][dataSource] { + mutate { + add_field => { + "dataType" => "azure" + } + #Add based on metadata + add_field => { + "dataSource" => "%{[@metadata][dataSource]}" + } + add_field => { + "[logx][tenant]" => "%{[@metadata][dataSource]}" + } + } + } + #Generating JSON structure of logx.azure + mutate { + #First, fields without fields inside, from the log example + rename => { "[azroot][id]" => "[logx][azure][id]" } + rename => { "[azroot][eventType]" => "[logx][azure][eventType]" } + rename => { "[azroot][subject]" => "[logx][azure][subject]" } + rename => { "[azroot][eventTime]" => "[logx][azure][eventTime]" } + rename => { "[azroot][topic]" => "[logx][azure][topic]" } + + #Then, fields inside [data] without fields inside, from the log example + rename => { "[azroot][data][tenantId]" => "[logx][azure][tenantId]" } + rename => { "[azroot][data][correlationId]" => "[logx][azure][correlationId]" } + rename => { "[azroot][data][resourceUri]" => "[logx][azure][resourceUri]" } + rename => { "[azroot][data][operationName]" => "[logx][azure][operationName]" } + rename => { "[azroot][data][operationVersion]" => "[logx][azure][operationVersion]" } + rename => { "[azroot][data][status]" => "[logx][azure][status]" } + rename => { "[azroot][data][subscriptionId]" => "[logx][azure][subscriptionId]" } + rename => { "[azroot][data][resourceProvider]" => "[logx][azure][resourceProvider]" } + + #Then fields in root level in the docs (first doc url), but not in the log examples, because operationName is inside [data] + # and in the docs are root level, we asume that the other must come in 
the same way + rename => { "[azroot][data][resourceId]" => "[logx][azure][resourceId]" } + rename => { "[azroot][data][category]" => "[logx][azure][category]" } + rename => { "[azroot][data][resultType]" => "[logx][azure][resultType]" } + rename => { "[azroot][data][resultSignature]" => "[logx][azure][resultSignature]" } + rename => { "[azroot][data][durationMs]" => "[logx][azure][durationMs]" } + rename => { "[azroot][data][callerIpAddress]" => "[logx][azure][callerIpAddress]" } + rename => { "[azroot][data][level]" => "[logx][azure][level]" } + rename => { "[azroot][data][location]" => "[logx][azure][location]" } + rename => { "[azroot][data][properties]" => "[logx][azure][properties]" } + + #Then fields in root level in the docs (second doc url), but not in the log examples, because operationName is inside [data] + # and in the docs are root level, we asume that the other must come in the same way + rename => { "[azroot][data][channels]" => "[logx][azure][channels]" } + rename => { "[azroot][data][description]" => "[logx][azure][description]" } + rename => { "[azroot][data][eventDataId]" => "[logx][azure][eventDataId]" } + rename => { "[azroot][data][eventName]" => "[logx][azure][eventName]" } + rename => { "[azroot][data][eventTimestamp]" => "[logx][azure][eventTimestamp]" } + rename => { "[azroot][data][operationId]" => "[logx][azure][operationId]" } + rename => { "[azroot][data][resourceGroupName]" => "[logx][azure][resourceGroupName]" } + rename => { "[azroot][data][resourceProviderName]" => "[logx][azure][resourceProviderName]" } + rename => { "[azroot][data][resourceType]" => "[logx][azure][resourceType]" } + rename => { "[azroot][data][subStatus]" => "[logx][azure][subStatus]" } + rename => { "[azroot][data][submissionTimestamp]" => "[logx][azure][submissionTimestamp]" } + rename => { "[azroot][data][relatedEvents]" => "[logx][azure][relatedEvents]" } + rename => { "[azroot][data][caller]" => "[logx][azure][caller]" } + + #Then, fields inside 
[data][authorization] without fields inside, from the log example + rename => { "[azroot][data][authorization][scope]" => "[logx][azure][auth_scope]" } + rename => { "[azroot][data][authorization][action]" => "[logx][azure][auth_action]" } + + #Then, fields inside [azroot][data][httpRequest] with fields inside, from the log example + rename => { "[azroot][data][httpRequest]" => "[logx][azure][httpRequest]" } + + #Then, fields inside [data][authorization][evidence], from the log example + rename => { "[azroot][data][authorization][evidence][role]" => "[logx][azure][auth_evidence_role]" } + rename => { "[azroot][data][authorization][evidence][roleAssignmentScope]" => "[logx][azure][auth_evidence_roleAssignmentScope]" } + rename => { "[azroot][data][authorization][evidence][roleAssignmentId]" => "[logx][azure][auth_evidence_roleAssignmentId]" } + rename => { "[azroot][data][authorization][evidence][principalId]" => "[logx][azure][auth_evidence_principalId]" } + rename => { "[azroot][data][authorization][evidence][principalType]" => "[logx][azure][auth_evidence_principalType]" } + rename => { "[azroot][data][authorization][evidence][roleDefinitionId]" => "[logx][azure][auth_evidence_roleDefinitionId]" } + + #Then, fields inside [data][claims], from the log example and match with docs at root level + rename => { "[azroot][data][claims][aud]" => "[logx][azure][claims_aud]" } + rename => { "[azroot][data][claims][iss]" => "[logx][azure][claims_iss]" } + rename => { "[azroot][data][claims][iat]" => "[logx][azure][claims_iat]" } + rename => { "[azroot][data][claims][nbf]" => "[logx][azure][claims_nbf]" } + rename => { "[azroot][data][claims][exp]" => "[logx][azure][claims_exp]" } + rename => { "[azroot][data][claims][ver]" => "[logx][azure][claims_ver]" } + rename => { "[azroot][data][claims][http://schemas.microsoft.com/identity/claims/tenantid]" => "[logx][azure][claims_tenantid]" } + rename => { 
"[azroot][data][claims][http://schemas.microsoft.com/claims/authnmethodsreferences]" => "[logx][azure][claims_authnmethodsreferences]" } + rename => { "[azroot][data][claims][http://schemas.microsoft.com/identity/claims/objectidentifier]" => "[logx][azure][claims_objectidentifier]" } + rename => { "[azroot][data][claims][http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn]" => "[logx][azure][claims_upn]" } + rename => { "[azroot][data][claims][puid]" => "[logx][azure][claims_puid]" } + rename => { "[azroot][data][claims][http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier]" => "[logx][azure][claims_nameidentifier]" } + rename => { "[azroot][data][claims][http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname]" => "[logx][azure][claims_givenname]" } + rename => { "[azroot][data][claims][http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname]" => "[logx][azure][claims_surname]" } + rename => { "[azroot][data][claims][name]" => "[logx][azure][claims_name]" } + rename => { "[azroot][data][claims][groups]" => "[logx][azure][claims_groups]" } + rename => { "[azroot][data][claims][http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name]" => "[logx][azure][claims_identity_name]" } + rename => { "[azroot][data][claims][appid]" => "[logx][azure][claims_appid]" } + rename => { "[azroot][data][claims][http://schemas.microsoft.com/identity/claims/scope]" => "[logx][azure][claims_scope]" } + rename => { "[azroot][data][claims][appidacr]" => "[logx][azure][claims_appidacr]" } + rename => { "[azroot][data][claims][http://schemas.microsoft.com/claims/authnclassreference]" => "[logx][azure][claims_authnclassreference]" } + + #Then, fields inside [data][claims] not in doc but in log examples provided + rename => { "[azroot][data][claims][ipaddr]" => "[logx][azure][src_ip]" } + rename => { "[azroot][data][claims][xms_tcdt]" => "[logx][azure][claims_xms_tcdt]" } + rename => { "[azroot][data][claims][rh]" => "[logx][azure][claims_rh]" } + rename 
=> { "[azroot][data][claims][aio]" => "[logx][azure][claims_aio]" } + rename => { "[azroot][data][claims][uti]" => "[logx][azure][claims_uti]" } + } + #Generating JSON structure of logx.azure (Newer version 12-2023) + mutate { + + #Then, fields without fields inside, from the log example + rename => { "[azroot][properties]" => "[logx][azure][properties]" } + rename => { "[azroot][time]" => "[logx][azure][time]" } + rename => { "[azroot][identity]" => "[logx][azure][identity]" } + rename => { "[azroot][Level]" => "[logx][azure][Level]" } + rename => { "[azroot][operationVersion]" => "[logx][azure][operationVersion]" } + + rename => { "[azroot][tenantId]" => "[logx][azure][tenantId]" } + rename => { "[azroot][correlationId]" => "[logx][azure][correlationId]" } + rename => { "[azroot][resourceUri]" => "[logx][azure][resourceUri]" } + rename => { "[azroot][operationName]" => "[logx][azure][operationName]" } + rename => { "[azroot][status]" => "[logx][azure][status]" } + rename => { "[azroot][subscriptionId]" => "[logx][azure][subscriptionId]" } + rename => { "[azroot][resourceProvider]" => "[logx][azure][resourceProvider]" } + + #Then fields in root level in the docs (first doc url), but not in the log examples, because operationName is inside [data] + # and in the docs are root level, we asume that the other must come in the same way + rename => { "[azroot][resourceId]" => "[logx][azure][resourceId]" } + rename => { "[azroot][category]" => "[logx][azure][category]" } + rename => { "[azroot][resultType]" => "[logx][azure][resultType]" } + rename => { "[azroot][resultSignature]" => "[logx][azure][resultSignature]" } + rename => { "[azroot][durationMs]" => "[logx][azure][durationMs]" } + rename => { "[azroot][callerIpAddress]" => "[logx][azure][callerIpAddress]" } + rename => { "[azroot][level]" => "[logx][azure][level]" } + rename => { "[azroot][location]" => "[logx][azure][location]" } + rename => { "[azroot][properties]" => "[logx][azure][properties]" } + + #Then 
fields in root level in the docs (second doc url), but not in the log examples, because operationName is inside the root + rename => { "[azroot][channels]" => "[logx][azure][channels]" } + rename => { "[azroot][description]" => "[logx][azure][description]" } + rename => { "[azroot][eventDataId]" => "[logx][azure][eventDataId]" } + rename => { "[azroot][eventName]" => "[logx][azure][eventName]" } + rename => { "[azroot][eventTimestamp]" => "[logx][azure][eventTimestamp]" } + rename => { "[azroot][operationId]" => "[logx][azure][operationId]" } + rename => { "[azroot][resourceGroupName]" => "[logx][azure][resourceGroupName]" } + rename => { "[azroot][resourceProviderName]" => "[logx][azure][resourceProviderName]" } + rename => { "[azroot][resourceType]" => "[logx][azure][resourceType]" } + rename => { "[azroot][subStatus]" => "[logx][azure][subStatus]" } + rename => { "[azroot][submissionTimestamp]" => "[logx][azure][submissionTimestamp]" } + rename => { "[azroot][relatedEvents]" => "[logx][azure][relatedEvents]" } + rename => { "[azroot][caller]" => "[logx][azure][caller]" } + + #Then, fields inside [authorization] without fields inside, from the log example + rename => { "[azroot][authorization][scope]" => "[logx][azure][auth_scope]" } + rename => { "[azroot][authorization][action]" => "[logx][azure][auth_action]" } + + #Then, fields inside [azroot][httpRequest] with fields inside, from the log example + rename => { "[azroot][httpRequest]" => "[logx][azure][httpRequest]" } + + #Then, fields inside [authorization][evidence], from the log example + rename => { "[azroot][authorization][evidence][role]" => "[logx][azure][auth_evidence_role]" } + rename => { "[azroot][authorization][evidence][roleAssignmentScope]" => "[logx][azure][auth_evidence_roleAssignmentScope]" } + rename => { "[azroot][authorization][evidence][roleAssignmentId]" => "[logx][azure][auth_evidence_roleAssignmentId]" } + rename => { "[azroot][authorization][evidence][principalId]" => 
"[logx][azure][auth_evidence_principalId]" } + rename => { "[azroot][authorization][evidence][principalType]" => "[logx][azure][auth_evidence_principalType]" } + rename => { "[azroot][authorization][evidence][roleDefinitionId]" => "[logx][azure][auth_evidence_roleDefinitionId]" } + + #Then, fields inside [claims], from the log example and match with docs at root level + rename => { "[azroot][claims][aud]" => "[logx][azure][claims_aud]" } + rename => { "[azroot][claims][iss]" => "[logx][azure][claims_iss]" } + rename => { "[azroot][claims][iat]" => "[logx][azure][claims_iat]" } + rename => { "[azroot][claims][nbf]" => "[logx][azure][claims_nbf]" } + rename => { "[azroot][claims][exp]" => "[logx][azure][claims_exp]" } + rename => { "[azroot][claims][ver]" => "[logx][azure][claims_ver]" } + rename => { "[azroot][claims][http://schemas.microsoft.com/identity/claims/tenantid]" => "[logx][azure][claims_tenantid]" } + rename => { "[azroot][claims][http://schemas.microsoft.com/claims/authnmethodsreferences]" => "[logx][azure][claims_authnmethodsreferences]" } + rename => { "[azroot][claims][http://schemas.microsoft.com/identity/claims/objectidentifier]" => "[logx][azure][claims_objectidentifier]" } + rename => { "[azroot][claims][http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn]" => "[logx][azure][claims_upn]" } + rename => { "[azroot][claims][puid]" => "[logx][azure][claims_puid]" } + rename => { "[azroot][claims][http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier]" => "[logx][azure][claims_nameidentifier]" } + rename => { "[azroot][claims][http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname]" => "[logx][azure][claims_givenname]" } + rename => { "[azroot][claims][http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname]" => "[logx][azure][claims_surname]" } + rename => { "[azroot][claims][name]" => "[logx][azure][claims_name]" } + rename => { "[azroot][claims][groups]" => "[logx][azure][claims_groups]" } + rename => { 
"[azroot][claims][http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name]" => "[logx][azure][claims_identity_name]" } + rename => { "[azroot][claims][appid]" => "[logx][azure][claims_appid]" } + rename => { "[azroot][claims][http://schemas.microsoft.com/identity/claims/scope]" => "[logx][azure][claims_scope]" } + rename => { "[azroot][claims][appidacr]" => "[logx][azure][claims_appidacr]" } + rename => { "[azroot][claims][http://schemas.microsoft.com/claims/authnclassreference]" => "[logx][azure][claims_authnclassreference]" } + + #Then, fields inside [claims] not in doc but in log examples provided + rename => { "[azroot][claims][ipaddr]" => "[logx][azure][src_ip]" } + rename => { "[azroot][claims][xms_tcdt]" => "[logx][azure][claims_xms_tcdt]" } + rename => { "[azroot][claims][rh]" => "[logx][azure][claims_rh]" } + rename => { "[azroot][claims][aio]" => "[logx][azure][claims_aio]" } + rename => { "[azroot][claims][uti]" => "[logx][azure][claims_uti]" } + } + # Renaming message at the end + mutate { + rename => { "[message]" => "[logx][azure][message]" } + } + + #Finally remove unused fields + mutate { + remove_field => ["path","@version","dataVersion","[data][time]","metadataVersion","type","data","azroot","headers"] + } +} +#Also, remove unwanted fields if the message not match with conditions + mutate { + remove_field => ["@version","path","headers"] + } +} +' + WHERE id=201; + + ]]> + + + diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml index d78cb959a..94f4689fe 100644 --- a/backend/src/main/resources/config/liquibase/master.xml +++ b/backend/src/main/resources/config/liquibase/master.xml @@ -24,4 +24,6 @@ + + From 83abbc23592346a7d040c0d6321267157d2f958a Mon Sep 17 00:00:00 2001 
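Review bot: The pre-processing at the top of the filter (the `[ "message", ''\"'', ''"'' ]` argument, whose enclosing `mutate`/`gsub` keyword is lost in this rendering) rewrites every `\"` in `message` to a bare `"` before the `json` filter runs, so any payload that legitimately carries an escaped quote inside a string value — Azure activity `properties` frequently embed quoted command lines or JSON-in-string — becomes invalid JSON, gets tagged `_jsonparsefailure`, and skips the entire rename chain below, leaving the event unparsed and invisible to any rule keyed on `logx.azure.*`; parse first and only apply the unescape as a fallback when `_jsonparsefailure` is present, or constrain the substitution to the input shape that actually needs it. The `else if ([azroot]) { split { field => "azroot" } }` branch also runs for a plain single-object `azroot`; as far as I recall the split filter only splits arrays and strings and tags anything else `_split_type_failure` with a warning per event, so guard it with a type check or drop the branch. In the second `mutate` block `[azroot][properties]` is renamed twice (near the top and again after `[azroot][location]`); the second rename is a no-op and should go. `WHERE id=201` hard-codes the filter's row id, which is brittle across re-seeded databases; if the table has a stable name column, select on that instead.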
From: "Freddy R. Laffita Almaguer" Date: Thu, 28 Dec 2023 06:47:17 -0500 Subject: [PATCH 08/20] Adding some files missing from old repository for user-auditor module --- .../active-directory.component.html | 6 +- .../src/app/active-directory/offline.data.ts | 2 + .../shared/behavior/tree-object.behvior.ts | 10 +- .../active-directory-detail.component.html | 17 ++- .../active-directory-detail.component.scss | 4 + .../active-directory-detail.component.ts | 3 +- .../active-directory-event.component.ts | 2 +- .../active-directory-tree.component.html | 12 +- .../active-directory-tree.component.scss | 1 + .../active-directory-tree.component.ts | 120 +++++++++++------- .../event-timeline.component.html | 42 +++--- .../event-timeline.component.scss | 2 +- .../event-timeline.component.ts | 50 ++++---- .../shared/services/winlogbeat.service.ts | 2 +- .../types/active-directory-tree.type.ts | 1 + .../types/active-directory-user-source.ts | 8 +- .../shared/types/active-directory-users.ts | 2 +- .../active-directory-view.component.html | 11 +- .../active-directory-view.component.ts | 58 ++++++--- 19 files changed, 215 insertions(+), 138 deletions(-) create mode 100644 frontend/src/app/active-directory/offline.data.ts diff --git a/frontend/src/app/active-directory/active-directory.component.html b/frontend/src/app/active-directory/active-directory.component.html index a37dca7c9..77c970a15 100644 --- a/frontend/src/app/active-directory/active-directory.component.html +++ b/frontend/src/app/active-directory/active-directory.component.html @@ -1,9 +1,9 @@
- Active directory + Users with Activity
-
diff --git a/frontend/src/app/active-directory/offline.data.ts b/frontend/src/app/active-directory/offline.data.ts new file mode 100644 index 000000000..2f07ee6dd --- /dev/null +++ b/frontend/src/app/active-directory/offline.data.ts 
@@ -0,0 +1,2 @@ +// tslint:disable-next-line:max-line-length +export const data = [{computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:55:44.429Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431857', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52564', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x197d2db', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1840', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tDelegation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x197D2DB\n\tLogon GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52564\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2596.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '16aa35e5-9e5b-4075-8542-9b5cc4255a58', dataSource: 'KOK62KHGPA6', es_metadata_id: '16aa35e5-9e5b-4075-8542-9b5cc4255a58'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:55:22.095Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431854', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52560', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x197befa', SubjectUserName: '-', IpAddress: '::1', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x197BEFA\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t::1\n\tSource Port:\t\t52560\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2596.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'd03f954c-828b-4c3d-86ac-7d524a736017', dataSource: 'KOK62KHGPA6', es_metadata_id: 'd03f954c-828b-4c3d-86ac-7d524a736017'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:54:43.414Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431851', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52556', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x1979f30', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1840', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tDelegation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x1979F30\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52556\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2596.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '63bcd54a-13af-4faa-a623-37449d8694de', dataSource: 'KOK62KHGPA6', es_metadata_id: '63bcd54a-13af-4faa-a623-37449d8694de'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:54:42.975Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431848', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52555', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x1979ea6', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x1979EA6\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52555\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2596.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '9537f6b0-683e-4196-a708-66a7b6cb9425', dataSource: 'KOK62KHGPA6', es_metadata_id: '9537f6b0-683e-4196-a708-66a7b6cb9425'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:54:42.960Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431845', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52554', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x1979e40', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x1979E40\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52554\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '4ac248c3-a2f2-4afd-8266-671b5467e452', dataSource: 'KOK62KHGPA6', es_metadata_id: '4ac248c3-a2f2-4afd-8266-671b5467e452'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:54:22.089Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431842', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52551', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x19789c0', SubjectUserName: '-', IpAddress: '::1', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x19789C0\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t::1\n\tSource Port:\t\t52551\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'd01486eb-d8a6-4465-9744-7ce6da156d4a', dataSource: 'KOK62KHGPA6', es_metadata_id: 'd01486eb-d8a6-4465-9744-7ce6da156d4a'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:53:42.411Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431838', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52547', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x19768df', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1840', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tDelegation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x19768DF\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52547\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '380904f7-d7c1-4195-9757-6709430568d1', dataSource: 'KOK62KHGPA6', es_metadata_id: '380904f7-d7c1-4195-9757-6709430568d1'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:53:22.072Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431835', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52544', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x19756b4', SubjectUserName: '-', IpAddress: '::1', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x19756B4\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t::1\n\tSource Port:\t\t52544\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '73be6bea-75bc-4212-ae84-586a5025b8bb', dataSource: 'KOK62KHGPA6', es_metadata_id: '73be6bea-75bc-4212-ae84-586a5025b8bb'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:52:41.410Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431832', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52540', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x19734d8', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1840', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tDelegation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x19734D8\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52540\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'e9669886-31cd-4a84-b7c5-9528fbc75e62', dataSource: 'KOK62KHGPA6', es_metadata_id: 'e9669886-31cd-4a84-b7c5-9528fbc75e62'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:52:22.063Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431829', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52538', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x19724b3', SubjectUserName: '-', IpAddress: '::1', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x19724B3\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t::1\n\tSource Port:\t\t52538\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '18645564-f08e-4e40-b578-03aae14dabcb', dataSource: 'KOK62KHGPA6', es_metadata_id: '18645564-f08e-4e40-b578-03aae14dabcb'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:52:19.521Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431824', event_data: {ProcessName: 'C:\\Windows\\System32\\services.exe', LogonGuid: '{00000000-0000-0000-0000-000000000000}', LogonType: '5', IpPort: '-', SubjectLogonId: '0x3e7', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x3e7', SubjectUserName: 'KOK62KHGPA6$', IpAddress: '-', SubjectDomainName: 'UTMSTACK', ImpersonationLevel: '%%1833', ProcessId: '0x25c', TargetUserName: 'SYSTEM', LogonProcessName: 'Advapi ', TargetDomainName: 'NT AUTHORITY', SubjectUserSid: 'S-1-5-18', AuthenticationPackageName: 'Negotiate', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon 
ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x25c\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 3664.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'c8014a27-5130-4067-abc3-13f31b4d44dc', dataSource: 'KOK62KHGPA6', es_metadata_id: 'c8014a27-5130-4067-abc3-13f31b4d44dc'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:52:19.365Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431817', event_data: {ProcessName: 'C:\\Windows\\System32\\services.exe', LogonGuid: '{00000000-0000-0000-0000-000000000000}', LogonType: '5', IpPort: '-', SubjectLogonId: '0x3e7', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x3e7', SubjectUserName: 'KOK62KHGPA6$', IpAddress: '-', SubjectDomainName: 'UTMSTACK', ImpersonationLevel: '%%1833', ProcessId: '0x25c', TargetUserName: 'SYSTEM', LogonProcessName: 'Advapi ', TargetDomainName: 'NT AUTHORITY', SubjectUserSid: 'S-1-5-18', AuthenticationPackageName: 'Negotiate', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon 
ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x25c\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 3664.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'cde7d68a-fff4-4501-a202-e7bcdb893ef4', dataSource: 'KOK62KHGPA6', es_metadata_id: 'cde7d68a-fff4-4501-a202-e7bcdb893ef4'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:52:02.716Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431801', event_data: {ProcessName: '-', LogonGuid: '{25D27D8A-F08C-8574-FB82-A40D416DE1D0}', LogonType: '3', IpPort: '52534', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x196dd2a', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1840', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tDelegation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x196DD2A\n\tLogon 
GUID:\t\t{25D27D8A-F08C-8574-FB82-A40D416DE1D0}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52534\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 4240.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '390fc93c-d652-464b-b5a6-8af375982ee3', dataSource: 'KOK62KHGPA6', es_metadata_id: '390fc93c-d652-464b-b5a6-8af375982ee3'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:52:02.605Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431797', event_data: {ProcessName: '-', LogonGuid: '{25D27D8A-F08C-8574-FB82-A40D416DE1D0}', LogonType: '3', IpPort: '52533', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x196db29', SubjectUserName: '-', IpAddress: '10.28.140.11', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x196DB29\n\tLogon 
GUID:\t\t{25D27D8A-F08C-8574-FB82-A40D416DE1D0}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t10.28.140.11\n\tSource Port:\t\t52533\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'da2119da-83e1-45d1-af09-c0d0d727dada', dataSource: 'KOK62KHGPA6', es_metadata_id: 'da2119da-83e1-45d1-af09-c0d0d727dada'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:52:02.590Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431793', event_data: {ProcessName: '-', LogonGuid: '{25D27D8A-F08C-8574-FB82-A40D416DE1D0}', LogonType: '3', IpPort: '52532', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x196d9ff', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x196D9FF\n\tLogon 
GUID:\t\t{25D27D8A-F08C-8574-FB82-A40D416DE1D0}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52532\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'b0bd49c5-80a6-4651-83a9-84d4f5c4c572', dataSource: 'KOK62KHGPA6', es_metadata_id: 'b0bd49c5-80a6-4651-83a9-84d4f5c4c572'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:52:02.590Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431795', event_data: {ProcessName: '-', LogonGuid: '{25D27D8A-F08C-8574-FB82-A40D416DE1D0}', LogonType: '3', IpPort: '0', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x196dae7', SubjectUserName: '-', IpAddress: '::1', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x196DAE7\n\tLogon 
GUID:\t\t{25D27D8A-F08C-8574-FB82-A40D416DE1D0}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t::1\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 4240.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '77c83499-840a-4c56-885f-e11736a40179', dataSource: 'KOK62KHGPA6', es_metadata_id: '77c83499-840a-4c56-885f-e11736a40179'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:51:40.407Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431790', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52530', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x196c6f9', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1840', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tDelegation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x196C6F9\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52530\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '249781f9-422e-43a8-b8ed-aadfced78f27', dataSource: 'KOK62KHGPA6', es_metadata_id: '249781f9-422e-43a8-b8ed-aadfced78f27'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:51:22.050Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431787', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52527', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x196b704', SubjectUserName: '-', IpAddress: '::1', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x196B704\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t::1\n\tSource Port:\t\t52527\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '03124a93-296c-4fbe-9008-e9d63b21ed0b', dataSource: 'KOK62KHGPA6', es_metadata_id: '03124a93-296c-4fbe-9008-e9d63b21ed0b'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:50:39.392Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431783', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52523', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x19693d5', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1840', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tDelegation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x19693D5\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52523\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '0111be00-70ef-4efd-af0c-a9c763013915', dataSource: 'KOK62KHGPA6', es_metadata_id: '0111be00-70ef-4efd-af0c-a9c763013915'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:50:22.038Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431780', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52521', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x19684d2', SubjectUserName: '-', IpAddress: '::1', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x19684D2\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t::1\n\tSource Port:\t\t52521\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2596.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '20db59b9-6c0b-4bb6-9acf-5729b1744a7e', dataSource: 'KOK62KHGPA6', es_metadata_id: '20db59b9-6c0b-4bb6-9acf-5729b1744a7e'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:50:18.227Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431773', event_data: {ProcessName: 'C:\\Windows\\System32\\services.exe', LogonGuid: '{00000000-0000-0000-0000-000000000000}', LogonType: '5', IpPort: '-', SubjectLogonId: '0x3e7', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x3e7', SubjectUserName: 'KOK62KHGPA6$', IpAddress: '-', SubjectDomainName: 'UTMSTACK', ImpersonationLevel: '%%1833', ProcessId: '0x25c', TargetUserName: 'SYSTEM', LogonProcessName: 'Advapi ', TargetDomainName: 'NT AUTHORITY', SubjectUserSid: 'S-1-5-18', AuthenticationPackageName: 'Negotiate', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon 
ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x25c\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 3152.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'a701a141-e752-4224-98cb-721b6272bc15', dataSource: 'KOK62KHGPA6', es_metadata_id: 'a701a141-e752-4224-98cb-721b6272bc15'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:49:42.662Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431771', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52517', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x1963af8', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x1963AF8\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52517\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2596.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '31391e9c-b734-40d4-982e-1cc84bcbedc6', dataSource: 'KOK62KHGPA6', es_metadata_id: '31391e9c-b734-40d4-982e-1cc84bcbedc6'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:49:42.646Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431768', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52516', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x1963a96', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1833', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x1963A96\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52516\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'bbc7db53-880a-4005-ba13-4fc458552006', dataSource: 'KOK62KHGPA6', es_metadata_id: 'bbc7db53-880a-4005-ba13-4fc458552006'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:49:38.380Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431765', event_data: {ProcessName: '-', LogonGuid: '{C4DA259E-4A44-3E9C-C690-1703B1EC2642}', LogonType: '3', IpPort: '52514', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x196351a', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1840', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tDelegation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x196351A\n\tLogon 
GUID:\t\t{C4DA259E-4A44-3E9C-C690-1703B1EC2642}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52514\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 2592.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '03711076-3f77-47c3-830c-d3d34fae5805', dataSource: 'KOK62KHGPA6', es_metadata_id: '03711076-3f77-47c3-830c-d3d34fae5805'}, {computer_name: 'KOK62KHGPA6.utmstack.demo', '@timestamp': '2021-11-10T20:49:23.055Z', logx: {type: 'wineventlog', wineventlog: {process_id: 612.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1431762', event_data: {ProcessName: '-', LogonGuid: '{25D27D8A-F08C-8574-FB82-A40D416DE1D0}', LogonType: '3', IpPort: '52511', SubjectLogonId: '0x0', TransmittedServices: '-', KeyLength: '0', LmPackageName: '-', TargetLogonId: '0x19626cc', SubjectUserName: '-', IpAddress: 'fe80::d57a:68ee:9d1d:f2ff', SubjectDomainName: '-', ImpersonationLevel: '%%1840', ProcessId: '0x0', TargetUserName: 'KOK62KHGPA6$', LogonProcessName: 'Kerberos', TargetDomainName: 'UTMSTACK', SubjectUserSid: 'S-1-0-0', AuthenticationPackageName: 'Kerberos', TargetUserSid: 'S-1-5-18'}, message: 'An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tDelegation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKOK62KHGPA6$\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x19626CC\n\tLogon 
GUID:\t\t{25D27D8A-F08C-8574-FB82-A40D416DE1D0}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\tfe80::d57a:68ee:9d1d:f2ff\n\tSource Port:\t\t52511\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.', opcode: 'Info', version: 1.0, tags: ['beats_input_codec_plain_applied'], thread_id: 3664.0, event_id: 4624.0, task: 'Logon', provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, host: {os: {build: '9600.0', name: 'Windows Server 2012 R2 Datacenter Evaluation', family: 'windows', version: '6.3', platform: 'windows'}, name: 'KOK62KHGPA6', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', architecture: 'x86_64'}, event_name: 'An account was successfully logged on', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: 'a282dfa2-d472-4b32-86a3-88a2f3d0a6a5', dataSource: 'KOK62KHGPA6', es_metadata_id: 'a282dfa2-d472-4b32-86a3-88a2f3d0a6a5'}, {'@timestamp': '2021-11-07T19:18:32.323Z', logx: {type: 'wineventlog', wineventlog: {process_id: 560.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '54', event_data: {TargetSid: 'S-1-5-21-3647638308-2371132834-3234585743-504', SidHistory: '-', LogonHours: '%%1797', ScriptPath: '%%1793', DisplayName: '%%1793', HomePath: '%%1793', AllowedToDelegateTo: '-', TargetDomainName: 'MINWINPC', PrivilegeList: '-', UserWorkstations: '%%1793', SamAccountName: 'WDAGUtilityAccount', HomeDirectory: '%%1793', OldUacValue: '0x0', UserParameters: '%%1793', NewUacValue: '0x15', SubjectLogonId: '0x3e7', PrimaryGroupId: '513', AccountExpires: '%%1794', ProfilePath: '%%1793', SubjectUserName: 'MINWINPC$', UserAccountControl: '\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084', PasswordLastSet: '%%1794', UserPrincipalName: '-', TargetUserName: 'WDAGUtilityAccount', SubjectUserSid: 'S-1-5-18'}, message: 'A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tMINWINPC$\n\tAccount Domain:\t\t\n\tLogon ID:\t\t0x3E7\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-3647638308-2371132834-3234585743-504\n\tAccount 
Name:\t\tWDAGUtilityAccount\n\tAccount Domain:\t\tMINWINPC\n\nAttributes:\n\tSAM Account Name:\tWDAGUtilityAccount\n\tDisplay Name:\t\t\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\n\tHome Drive:\t\t\n\tScript Path:\t\t\n\tProfile Path:\t\t\n\tUser Workstations:\t\n\tPassword Last Set:\t\n\tAccount Expires:\t\t\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t\'Password Not Required\' - Enabled\n\t\t\'Normal Account\' - Enabled\n\tUser Parameters:\t\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-', opcode: 'Info', tags: ['beats_input_codec_plain_applied'], thread_id: 564.0, event_id: 4720.0, task: 'User Account Management', provider_guid: '{54849625-5478-4994-a5ba-3e3b0328c30d}', activity_id: '{440d5227-c130-0000-d654-0d4430c1d701}', beat: {hostname: 'WIN-A25THL0M2FV', name: 'WIN-A25THL0M2FV', version: '6.7.0'}, host: {os: {build: '17763.737', name: 'Windows Server 2019 Datacenter Evaluation', family: 'windows', version: '10.0', platform: 'windows'}, name: 'WIN-A25THL0M2FV', id: '049e6ce3-701d-4b71-8800-20f898d12be9', architecture: 'x86_64'}, event_name: 'A user account was created', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '32eac8da-ced6-403b-9f9a-3166bb314a45', dataSource: 'WIN-A25THL0M2FV', es_metadata_id: '32eac8da-ced6-403b-9f9a-3166bb314a45'}, {'@timestamp': '2021-11-07T17:33:44.230Z', logx: {type: 'wineventlog', wineventlog: {process_id: 536.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1276', event_data: {TargetSid: 'S-1-5-21-304306559-1031592495-3937790709-504', SidHistory: '-', LogonHours: '%%1797', ScriptPath: '%%1793', DisplayName: '%%1793', HomePath: '%%1793', SubjectDomainName: 'NT AUTHORITY', AllowedToDelegateTo: '-', TargetDomainName: 'WIN-A25THL0M2FV', 
PrivilegeList: '-', UserWorkstations: '%%1793', SamAccountName: 'WDAGUtilityAccount', HomeDirectory: '%%1793', OldUacValue: '0x0', UserParameters: '%%1793', NewUacValue: '0x15', SubjectLogonId: '0x3e6', PrimaryGroupId: '513', AccountExpires: '%%1794', ProfilePath: '%%1793', SubjectUserName: 'ANONYMOUS LOGON', UserAccountControl: '\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084', PasswordLastSet: '%%1794', UserPrincipalName: '-', TargetUserName: 'WDAGUtilityAccount', SubjectUserSid: 'S-1-5-7'}, message: 'A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-7\n\tAccount Name:\t\tANONYMOUS LOGON\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E6\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-304306559-1031592495-3937790709-504\n\tAccount Name:\t\tWDAGUtilityAccount\n\tAccount Domain:\t\tWIN-A25THL0M2FV\n\nAttributes:\n\tSAM Account Name:\tWDAGUtilityAccount\n\tDisplay Name:\t\t\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\n\tHome Drive:\t\t\n\tScript Path:\t\t\n\tProfile Path:\t\t\n\tUser Workstations:\t\n\tPassword Last Set:\t\n\tAccount Expires:\t\t\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t\'Password Not Required\' - Enabled\n\t\t\'Normal Account\' - Enabled\n\tUser Parameters:\t\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-', opcode: 'Info', tags: ['beats_input_codec_plain_applied'], thread_id: 540.0, event_id: 4720.0, task: 'User Account Management', provider_guid: '{54849625-5478-4994-a5ba-3e3b0328c30d}', beat: {hostname: 'WIN-A25THL0M2FV', name: 'WIN-A25THL0M2FV', version: '6.7.0'}, host: {os: {build: '17763.737', name: 'Windows Server 2019 Datacenter Evaluation', family: 'windows', version: '10.0', platform: 'windows'}, name: 'WIN-A25THL0M2FV', id: '049e6ce3-701d-4b71-8800-20f898d12be9', architecture: 'x86_64'}, event_name: 'A user account was created', source_name: 
'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '1bcde695-3d2a-44a1-bbc9-6c637d01646f', dataSource: 'WIN-A25THL0M2FV.utmstack.local', es_metadata_id: '1bcde695-3d2a-44a1-bbc9-6c637d01646f'}, {'@timestamp': '2021-11-07T17:33:44.096Z', logx: {type: 'wineventlog', wineventlog: {process_id: 536.0, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', record_number: '1219', event_data: {TargetSid: 'S-1-5-21-3647638308-2371132834-3234585743-502', SidHistory: '-', LogonHours: '%%1793', ScriptPath: '%%1793', DisplayName: '%%1793', HomePath: '%%1793', SubjectDomainName: 'NT AUTHORITY', AllowedToDelegateTo: '-', TargetDomainName: 'UTMSTACK', PrivilegeList: '-', UserWorkstations: '%%1793', SamAccountName: 'krbtgt', HomeDirectory: '%%1793', OldUacValue: '0x0', UserParameters: '%%1792', NewUacValue: '0x15', SubjectLogonId: '0x3e6', PrimaryGroupId: '513', AccountExpires: '%%1794', ProfilePath: '%%1793', SubjectUserName: 'ANONYMOUS LOGON', UserAccountControl: '\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084', PasswordLastSet: '%%1794', UserPrincipalName: '-', TargetUserName: 'krbtgt', SubjectUserSid: 'S-1-5-7'}, message: 'A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-7\n\tAccount Name:\t\tANONYMOUS LOGON\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E6\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-3647638308-2371132834-3234585743-502\n\tAccount Name:\t\tkrbtgt\n\tAccount Domain:\t\tUTMSTACK\n\nAttributes:\n\tSAM Account Name:\tkrbtgt\n\tDisplay Name:\t\t\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\n\tHome Drive:\t\t\n\tScript Path:\t\t\n\tProfile Path:\t\t\n\tUser Workstations:\t\n\tPassword Last Set:\t\n\tAccount Expires:\t\t\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t\'Password Not Required\' - Enabled\n\t\t\'Normal Account\' - Enabled\n\tUser 
Parameters:\t\n\tSID History:\t\t-\n\tLogon Hours:\t\t\n\nAdditional Information:\n\tPrivileges\t\t-', opcode: 'Info', tags: ['beats_input_codec_plain_applied'], thread_id: 540.0, event_id: 4720.0, task: 'User Account Management', provider_guid: '{54849625-5478-4994-a5ba-3e3b0328c30d}', beat: {hostname: 'WIN-A25THL0M2FV', name: 'WIN-A25THL0M2FV', version: '6.7.0'}, host: {os: {build: '17763.737', name: 'Windows Server 2019 Datacenter Evaluation', family: 'windows', version: '10.0', platform: 'windows'}, name: 'WIN-A25THL0M2FV', id: '049e6ce3-701d-4b71-8800-20f898d12be9', architecture: 'x86_64'}, event_name: 'A user account was created', source_name: 'Microsoft-Windows-Security-Auditing'}}, dataType: 'wineventlog', '@version': '1', global: {type: 'logx'}, id: '79a19537-b0e7-438c-8925-147f7b3b2c00', dataSource: 'WIN-A25THL0M2FV.utmstack.local', es_metadata_id: '79a19537-b0e7-438c-8925-147f7b3b2c00'}, {'@timestamp': '2021-10-14T22:27:25.943Z', '@version': '1', computer_name: 'KOK62KHGPA6.utmstack.demo', dataSource: 'KOK62KHGPA6', dataType: 'wineventlog', global: {type: 'logx'}, id: 'adf84ed0-6957-4031-ad2f-6c1b43f42c5c', logx: {type: 'wineventlog', wineventlog: {beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, event_data: {AccountExpires: '%%1794', AllowedToDelegateTo: '-', DisplayName: 'Gouresh K', HomeDirectory: '-', HomePath: '-', LogonHours: '%%1793', NewUacValue: '0x15', OldUacValue: '0x0', PasswordLastSet: '%%1794', PrimaryGroupId: '513', PrivilegeList: '-', ProfilePath: '-', SamAccountName: 'gouresh', ScriptPath: '-', SidHistory: '-', SubjectDomainName: 'UTMSTACK', SubjectLogonId: '0x85abbf7', SubjectUserName: 'Administrator', SubjectUserSid: 'S-1-5-21-2132650514-2599053231-678728588-500', TargetDomainName: 'UTMSTACK', TargetSid: 'S-1-5-21-2132650514-2599053231-678728588-3730', TargetUserName: 'gouresh', UserAccountControl: '\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084', UserParameters: '-', UserPrincipalName: 'gouresh@utmstack.demo', UserWorkstations: '-'}, 
event_id: 4720.0, event_name: 'A user account was created', host: {architecture: 'x86_64', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', name: 'KOK62KHGPA6', os: {build: '9600.0', family: 'windows', name: 'Windows Server 2012 R2 Datacenter Evaluation', platform: 'windows', version: '6.3'}}, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', message: 'A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2132650514-2599053231-678728588-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x85ABBF7\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-2132650514-2599053231-678728588-3730\n\tAccount Name:\t\tgouresh\n\tAccount Domain:\t\tUTMSTACK\n\nAttributes:\n\tSAM Account Name:\tgouresh\n\tDisplay Name:\t\tGouresh K\n\tUser Principal Name:\tgouresh@utmstack.demo\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t\n\tAccount Expires:\t\t\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t\'Password Not Required\' - Enabled\n\t\t\'Normal Account\' - Enabled\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t\n\nAdditional Information:\n\tPrivileges\t\t-', opcode: 'Info', process_id: 604.0, provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', record_number: '1408110', source_name: 'Microsoft-Windows-Security-Auditing', tags: ['beats_input_codec_plain_applied'], task: 'User Account Management', thread_id: 2184.0}}, es_metadata_id: 'adf84ed0-6957-4031-ad2f-6c1b43f42c5c'}, {'@timestamp': '2021-10-14T18:54:05.449Z', '@version': '1', computer_name: 'KOK62KHGPA6.utmstack.demo', dataSource: 'KOK62KHGPA6', dataType: 'wineventlog', global: {type: 'logx'}, id: '6e94be72-d134-41f4-9354-560c8825fcca', logx: {type: 'wineventlog', wineventlog: {beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, event_data: 
{AccountExpires: '%%1794', AllowedToDelegateTo: '-', DisplayName: 'Harry Potter', HomeDirectory: '-', HomePath: '-', LogonHours: '%%1793', NewUacValue: '0x15', OldUacValue: '0x0', PasswordLastSet: '%%1794', PrimaryGroupId: '513', PrivilegeList: '-', ProfilePath: '-', SamAccountName: 'Harry', ScriptPath: '-', SidHistory: '-', SubjectDomainName: 'UTMSTACK', SubjectLogonId: '0x85abbf7', SubjectUserName: 'Administrator', SubjectUserSid: 'S-1-5-21-2132650514-2599053231-678728588-500', TargetDomainName: 'UTMSTACK', TargetSid: 'S-1-5-21-2132650514-2599053231-678728588-3731', TargetUserName: 'Harry', UserAccountControl: '\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084', UserParameters: '-', UserPrincipalName: 'Harry@utmstack.demo', UserWorkstations: '-'}, event_id: 4720.0, event_name: 'A user account was created', host: {architecture: 'x86_64', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', name: 'KOK62KHGPA6', os: {build: '9600.0', family: 'windows', name: 'Windows Server 2012 R2 Datacenter Evaluation', platform: 'windows', version: '6.3'}}, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', message: 'A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2132650514-2599053231-678728588-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tUTMSTACK\n\tLogon ID:\t\t0x85ABBF7\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-2132650514-2599053231-678728588-3731\n\tAccount Name:\t\tHarry\n\tAccount Domain:\t\tUTMSTACK\n\nAttributes:\n\tSAM Account Name:\tHarry\n\tDisplay Name:\t\tHarry Potter\n\tUser Principal Name:\tHarry@utmstack.demo\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t\n\tAccount Expires:\t\t\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t\'Password Not Required\' - Enabled\n\t\t\'Normal Account\' - Enabled\n\tUser Parameters:\t-\n\tSID 
History:\t\t-\n\tLogon Hours:\t\t\n\nAdditional Information:\n\tPrivileges\t\t-', opcode: 'Info', process_id: 604.0, provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', record_number: '1408545', source_name: 'Microsoft-Windows-Security-Auditing', tags: ['beats_input_codec_plain_applied'], task: 'User Account Management', thread_id: 1796.0}}, es_metadata_id: '6e94be72-d134-41f4-9354-560c8825fcca'}, {'@timestamp': '2021-10-08T17:06:54.425Z', '@version': '1', computer_name: 'KOK62KHGPA6.utmstack.demo', dataSource: 'KOK62KHGPA6', dataType: 'wineventlog', global: {type: 'logx'}, id: '84d0088d-b29c-4a27-bb37-2ece8f9e73ed', logx: {type: 'wineventlog', wineventlog: {beat: {hostname: 'KOK62KHGPA6', version: '6.7.0'}, event_data: {AccountExpires: '%%1794', AllowedToDelegateTo: '-', DisplayName: 'test', HomeDirectory: '-', HomePath: '-', LogonHours: '%%1793', NewUacValue: '0x11', OldUacValue: '0x0', PasswordLastSet: '%%1794', PrimaryGroupId: '513', PrivilegeList: '-', ProfilePath: '-', SamAccountName: 'test', ScriptPath: '-', SidHistory: '-', SubjectDomainName: 'UTMSTACK', SubjectLogonId: '0x4ac61', SubjectUserName: 'Administrator', SubjectUserSid: 'S-1-5-21-2132650514-2599053231-678728588-500', TargetDomainName: 'UTMSTACK', TargetSid: 'S-1-5-21-2132650514-2599053231-678728588-3729', TargetUserName: 'test', UserAccountControl: '\n\t\t%%2080\n\t\t%%2084', UserParameters: '-', UserPrincipalName: '-', UserWorkstations: '-'}, event_id: 4720.0, event_name: 'A user account was created', host: {architecture: 'x86_64', id: '3876f310-c1f6-4c7d-9c8f-f7028c2d6106', name: 'KOK62KHGPA6', os: {build: '9600.0', family: 'windows', name: 'Windows Server 2012 R2 Datacenter Evaluation', platform: 'windows', version: '6.3'}}, keywords: ['Audit Success'], level: 'Information', log_name: 'Security', message: 'A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2132650514-2599053231-678728588-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tUTMSTACK\n\tLogon 
ID:\t\t0x4AC61\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-2132650514-2599053231-678728588-3729\n\tAccount Name:\t\ttest\n\tAccount Domain:\t\tUTMSTACK\n\nAttributes:\n\tSAM Account Name:\ttest\n\tDisplay Name:\t\ttest\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t\n\tAccount Expires:\t\t\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x11\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t\'Normal Account\' - Enabled\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t\n\nAdditional Information:\n\tPrivileges\t\t-', opcode: 'Info', process_id: 604.0, provider_guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}', record_number: '1276349', source_name: 'Microsoft-Windows-Security-Auditing', tags: ['beats_input_codec_plain_applied'], task: 'User Account Management', thread_id: 1284.0}}, es_metadata_id: '84d0088d-b29c-4a27-bb37-2ece8f9e73ed'}]; diff --git a/frontend/src/app/active-directory/shared/behavior/tree-object.behvior.ts b/frontend/src/app/active-directory/shared/behavior/tree-object.behvior.ts index 3c9406de2..cfe1def90 100644 --- a/frontend/src/app/active-directory/shared/behavior/tree-object.behvior.ts +++ b/frontend/src/app/active-directory/shared/behavior/tree-object.behvior.ts @@ -1,7 +1,15 @@ import {Injectable} from '@angular/core'; import {BehaviorSubject} from 'rxjs'; +import {ActiveDirectoryTreeType} from '../types/active-directory-tree.type'; @Injectable({providedIn: 'root'}) export class TreeObjectBehavior { - $objectId: BehaviorSubject = new BehaviorSubject(''); + private user: BehaviorSubject = new BehaviorSubject(null); + userSelected() { + return this.user.asObservable(); + } + + changeUser(user: ActiveDirectoryTreeType) { + this.user.next(user); + } } 
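Review bot: `new BehaviorSubject(null)` means every subscriber of `userSelected()` first receives `null` before any node has been chosen, so consumers must null-check, and nothing in the hunk documents that. The generic argument appears to have been lost in this rendering of the hunk; if the field and method really are untyped, declare them as `private user = new BehaviorSubject<ActiveDirectoryTreeType | null>(null);` and `userSelected(): Observable<ActiveDirectoryTreeType | null>` (importing `Observable` from 'rxjs') so callers get the contract from the type. The removed public `$objectId` subject is still referenced, commented out, in AdEventComponent's `ngOnInit` in a later hunk of this patch. A one-line class comment would help, e.g. `/** Shares the tree node selected in AdTreeComponent with sibling components; emits null until a node is chosen. */`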
diff --git a/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.html b/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.html index 962de108e..eb598a607 100644 --- a/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.html +++ b/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.html @@ -1,10 +1,18 @@ -
-
+
-
+
+
+ {{ attribute.attributeKey+': ' }} + + {{ attribute.attributeValue ? attribute.attributeValue : '-'}} + +
+
+
+
diff --git a/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.scss b/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.scss
index 9cf9b93bb..f965edb4c 100644
--- a/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.scss
+++ b/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.scss
@@ -7,3 +7,7 @@
max-height: calc(100vh - 48px);
height: calc(100vh - 48px);
}
+
+.username {
+ margin-left: 3px;
+}
diff --git a/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.ts b/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.ts
index 03fe49516..04b65c9dd 100644
--- a/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.ts
+++ b/frontend/src/app/active-directory/shared/components/active-directory-detail/active-directory-detail.component.ts
@@ -10,7 +10,8 @@ import {ActiveDirectoryType} from '../../types/active-directory.type';
styleUrls: ['./active-directory-detail.component.scss']
})
export class AdDetailComponent implements OnInit {
- @Input() adInfo: ActiveDirectoryType;
+ @Input() adInfo: any;
+ @Input() user: any;
formatDateEnum = UtmDateFormatEnum;
totalItems: number;
page = 1;
diff --git a/frontend/src/app/active-directory/shared/components/active-directory-event/active-directory-event.component.ts b/frontend/src/app/active-directory/shared/components/active-directory-event/active-directory-event.component.ts
index 2c7f51b29..294f0db6f 100644
--- a/frontend/src/app/active-directory/shared/components/active-directory-event/active-directory-event.component.ts
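Review bot: `@Input() adInfo: any;` and `@Input() user: any;` replace a typed input with `any`, giving up the compile-time checks the template depends on, and the hunk-header context still imports `ActiveDirectoryType`, which is now likely unused and will trip the linter. Since the tree hands this component a node through `changeUser(item)` elsewhere in this patch, `@Input() user: ActiveDirectoryTreeType;` is the natural type, and `adInfo` can keep `ActiveDirectoryType` unless its shape really changed. The class body continues outside the hunk.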
+++ b/frontend/src/app/active-directory/shared/components/active-directory-event/active-directory-event.component.ts @@ -19,7 +19,7 @@ export class AdEventComponent implements OnInit { } ngOnInit() { - this.treeObjectBehavior.$objectId.next(this.objectId); + // this.treeObjectBehavior.$objectId.next(this.objectId); } replaceDetail(message: string): string { diff --git a/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.html b/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.html index 4c688ff11..a73d4ef73 100644 --- a/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.html +++ b/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.html @@ -1,7 +1,7 @@
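Review bot: `// this.treeObjectBehavior.$objectId.next(this.objectId);` leaves commented-out code behind and `ngOnInit` now does nothing; delete the line rather than comment it out, since the removed `$objectId` subject no longer exists on TreeObjectBehavior in this patch. If the component still needs the selected object, subscribe to `this.treeObjectBehavior.userSelected()` here and release the subscription in `ngOnDestroy`. `objectId` and the injected `treeObjectBehavior` may become unused as a result; both are declared outside this hunk.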
-
+
-
    +
    • -   diff --git a/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.scss b/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.scss index 706ad9c9c..a35e85572 100644 --- a/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.scss +++ b/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.scss @@ -45,6 +45,7 @@ .node-leaft-name { position: relative; + margin-left: 3px; &:hover { &:after { diff --git a/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.ts b/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.ts index 086f518c1..ef100a675 100644 --- a/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.ts +++ b/frontend/src/app/active-directory/shared/components/active-directory-tree/active-directory-tree.component.ts @@ -7,7 +7,7 @@ import {ACTIVE_DIRECTORY_SIZE} from '../../const/active-directory-index-const'; import {getTreeIcon, resolveType} from '../../functions/ad-util.function'; import {ActiveDirectoryService} from '../../services/active-directory.service'; import {ActiveDirectoryTreeType} from '../../types/active-directory-tree.type'; -import {ActiveDirectoryType} from '../../types/active-directory.type'; +import {ActiveDirectoryUsers} from '../../types/active-directory-users'; import {arrayToTree, TreeItem} from './shared/functions/array-to-tree.function'; 
@@ -25,10 +25,12 @@ export class AdTreeComponent implements OnInit {
deployed: string[] = [];
deployedBeforeSearch: string[] = [];
@Output() selected = new EventEmitter();
- itemView: string;
+ itemView = '';
searching = false;
+ loading = true;
noDataFound: boolean;
search: string;
+ users: ActiveDirectoryUsers[] = [];
constructor(private activeDirectoryService: ActiveDirectoryService,
private modalService: NgbModal,
@@ -36,58 +38,77 @@ export class AdTreeComponent implements OnInit { } ngOnInit() { - // reset objectId - this.treeObjectBehavior.$objectId.next(null); this.getAllInfo(); } - getAllInfo() { +getAllInfo() { const req = { - page: 1, - size: ACTIVE_DIRECTORY_SIZE, - // 'objectClass.specified': true, + sourceId: 1, + page: 0, + size: ACTIVE_DIRECTORY_SIZE }; this.activeDirectoryService.query(req).subscribe(data => { this.searching = false; + this.loading = false; if (data.body) { this.noDataFound = false; this.buildTree(data.body).then(temArr => { this.tree = arrayToTree(temArr, {parentId: 'parentId', id: 'id', dataField: null}); + this.tree = this.tree.filter( t => t.children.length > 0); + console.log('TREE:', this.tree); }); } else { this.noDataFound = true; } + }, error => { + this.loading = false; + this.noDataFound = false; + this.users = []; }); } - buildTree(activeDirectory: ActiveDirectoryType[]): Promise { + buildTree(activeDirectory: ActiveDirectoryUsers[]): Promise { return new Promise(resolve => { - const arr: ActiveDirectoryTreeType[] = []; - for (const ad of activeDirectory) { - // tslint:disable-next-line:variable-name - if (Object(ad).hasOwnProperty('distinguishedName') && ad.distinguishedName) { - const path = ad.distinguishedName.split(',').reverse(); - // tslint:disable-next-line:prefer-for-of - for (let i = 0; i < path.length; i++) { - const nodeName = path[i].substring(3, path[i].length); - const parentName = path[i - 1] ? 
path[i - 1] - .substring(3, path[i - 1].length) + '-' + (i - 1) : null; - const node = { - parentId: parentName, - name: nodeName, - objectSid: ad.objectSid, - id: nodeName + '-' + i, - type: resolveType(ad.objectClass), - isAdmin: ad.adminCount !== null, - // children: [] - }; - if (arr.findIndex(value => value.parentId === node.parentId && value.id === node.id) === -1) { - arr.push(node); - } - } + activeDirectory.unshift({ + id: 'Users', + sid: null, + createdDate: null, + modifiedDate: null, + source: null, + name: 'Users' + }); + activeDirectory.unshift({ + id: 'Workstations', + sid: null, + createdDate: null, + modifiedDate: null, + source: null, + name: 'Workstations' + }); + const arr: ActiveDirectoryTreeType[] = activeDirectory.reduce((group: any, value: any, currentIndex) => { + const name = value.name; + const existingGroup = group.find((group: any) => (name.startsWith('WS') && group.name === 'Workstations') || (group.name === 'Users')); + if (group.length > 0 && existingGroup) { + group.push({ + parentId: name.startsWith('WS') ? 'Workstations-0' : 'Users-1', + name, + objectSid: value.sid, + id: name + '-' + currentIndex, + type: name.startsWith('WS') ? 'COMPUTER' : 'USER', + indexPattern: value.source.indexPattern + }); + } else { + group.push({ + id: name + '-' + currentIndex, + parentId: null, + name, + type: 'GROUP' + }); } - } + + return group; + }, []); resolve(arr); }); } @@ -150,7 +171,7 @@ export class AdTreeComponent implements OnInit { if (item.children.length === 0) { this.itemView = item.id; this.selected.emit(item.objectSid); - this.treeObjectBehavior.$objectId.next(item.objectSid); + this.treeObjectBehavior.changeUser(item); } } 
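Review bot: `console.log('TREE:', this.tree)` in the buildTree().then() callback of getAllInfo() dumps the whole directory tree (account and workstation names, SIDs, index patterns) to the browser console on every load and should be removed before release. The new error handler sets `noDataFound = false` and clears `users`, so a failed query renders as an empty, non-error state; set `noDataFound = true` or surface the error instead. In buildTree(), `indexPattern: value.source.indexPattern` throws when a real record arrives with `source` null (the two synthetic entries only avoid it because they take the GROUP branch), so guard it, e.g. `indexPattern: value.source?.indexPattern` if the TypeScript target allows it; the `Promise` wrapper and the input mutation via `unshift` are also unnecessary since the reduce is synchronous. The method signature `+getAllInfo() {` lost its indentation, and the reduce callback's `group.find((group: any) => ...)` shadows its own accumulator.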
@@ -192,28 +213,18 @@ export class AdTreeComponent implements OnInit { } filterAdByCn(cn: string) { - const req = { - page: 1, - size: ACTIVE_DIRECTORY_SIZE, - // 'cn.contains': cn, - 'displayName.contains': cn - }; - this.activeDirectoryService.query(req).subscribe(data => { - if (data.body) { + const data = this.filterByName(cn); + if (data.length > 0) { this.noDataFound = false; - this.buildTree(data.body).then(temArr => { - this.searching = false; - this.tree = arrayToTree(temArr, - {parentId: 'parentId', id: 'id', dataField: null}); - for (const node of this.tree) { + this.searching = false; + this.tree = data; + for (const node of this.tree) { this.deployAll(node); } - }); } else { this.searching = false; this.noDataFound = true; } - }); } // deploy all children in tree when search @@ -230,6 +241,17 @@ export class AdTreeComponent implements OnInit { } } + filterByName(partialName: string) { + return this.tree.filter(item => { + if ( item.name.toLowerCase().includes(partialName.toLowerCase()) || + (item.children && item.children.some(child => child.name.toLowerCase().includes(partialName.toLowerCase()))) + ) { + return true; + } + return false; + }); + } + findPath(node: TreeItem, nodeName): TreeItem[] { // If current node matches search node, return tail of path result diff --git a/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.html b/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.html index 294f948d6..abb196140 100644 --- a/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.html +++ b/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.html @@ -11,34 +11,18 @@
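Review bot: filterAdByCn() now overwrites `this.tree` with the result of filterByName(), which itself filters `this.tree`, so each search only narrows the previous result and clearing the search box cannot bring nodes back (nothing in the two hunks keeps an unfiltered copy; `deployedBeforeSearch` only tracks expansion state). Keep the full tree in a separate field populated in getAllInfo() and filter from that, e.g. `this.tree = this.filterByName(cn)` with filterByName() reading `this.fullTree` instead of `this.tree`. In filterByName(), hoist `partialName.toLowerCase()` out of the callback, and note that the match only looks one level deep (`item.children.some(...)`), which fits the two-level Users/Workstations tree built in buildTree() but silently stops matching if nesting grows. Both hunks belong to AdTreeComponent, whose class body continues outside them.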
      Events timeline
-
-
- - - -
- -
  • -
@@ -53,6 +37,22 @@
Events timeline
No more events
+
+
+ + + +
+ +
diff --git a/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.scss b/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.scss index c1c8adc6e..7b077ff6d 100644 --- a/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.scss +++ b/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.scss @@ -10,7 +10,7 @@ .main { width: 100%; - height: 63vh; + height: 90vh; //max-height: 380px; min-height: 370px; box-sizing: border-box; diff --git a/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.ts b/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.ts index 159525829..467261ea2 100644 --- a/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.ts +++ b/frontend/src/app/active-directory/shared/components/event-timeline/event-timeline.component.ts @@ -7,6 +7,7 @@ import {ElasticFilterCommonType} from '../../../../shared/types/filter/elastic-f import {TimeFilterType} from '../../../../shared/types/time-filter.type'; import {TreeObjectBehavior} from '../../behavior/tree-object.behvior'; import {WinlogbeatService} from '../../services/winlogbeat.service'; +import {ActiveDirectoryTreeType} from "../../types/active-directory-tree.type"; import {WinlogbeatEventType} from '../../types/winlogbeat-event.type'; @Component({ @@ -18,7 +19,7 @@ export class EventTimelineComponent implements OnInit, AfterViewInit { @Input() events: string[]; @Input() time: TimeFilterType; @Output() eventChange = new EventEmitter(); - objectId: string; + objectId: ActiveDirectoryTreeType; sevenDaysRange: ElasticFilterCommonType = {time: ElasticTimeEnum.DAY, last: 7, label: 'last 7 days'}; items: WinlogbeatEventType[] = []; loadingMore = false; 
@@ -37,11 +38,11 @@ export class EventTimelineComponent implements OnInit, AfterViewInit { } ngOnInit(): void { - this.treeObjectBehavior.$objectId.subscribe(id => { + this.treeObjectBehavior.userSelected().subscribe(user => { this.eventChange.emit(null); this.itemSelected = ''; - if (this.objectId !== '') { - this.objectId = id; + if (user) { + this.objectId = user; this.items = []; this.page = 1; this.getEvents(); @@ -50,25 +51,28 @@ export class EventTimelineComponent implements OnInit, AfterViewInit { } getEvents() { - const req = { - page: this.page, - size: this.itemsPerPage, - sort: 'timestamp,desc', - 'objectSid.equals': this.objectId, - 'timestamp.greaterThanOrEqual': this.filterTime.timeFrom, - 'timestamp.lessThanOrEqual': this.filterTime.timeTo, - 'eventId.in': this.events ? this.events.toString() : undefined - }; - this.winlogbeatService.query(req).subscribe(response => { - this.loadingMore = false; - this.loading = false; - if (response.body === null || response.body.length === 0) { - this.eventChange.emit(null); - } else { - this.items = response.body; - this.totalItems = Number(response.headers.get('X-Total-Count')); - } - }); + if(this.filterTime){ + const req = { + page: this.page, + size: this.itemsPerPage, + sort: '@timestamp,desc', + sid: this.objectId.objectSid, + indexPattern: this.objectId.indexPattern, + from: this.filterTime.timeFrom, + to: this.filterTime.timeTo, + 'eventId.in': this.events ? this.events.toString() : undefined + }; + this.winlogbeatService.query(req).subscribe(response => { + this.loadingMore = false; + this.loading = false; + if (response.body === null || response.body.length === 0) { + this.eventChange.emit(null); + } else { + this.items = response.body; + this.totalItems = Number(response.headers.get('X-Total-Count')); + } + }); + } } ngAfterViewInit() { 
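Review bot: the new `if(this.filterTime)` guard in getEvents() returns without clearing `loadingMore`/`loading`, which this hunk only resets inside the subscribe callback, so a call made before a time filter exists leaves whichever caller set those flags stuck in a loading state; reset them first, e.g. `if (!this.filterTime) { this.loading = false; this.loadingMore = false; return; }`. `indexPattern` now travels from the tree item (built client-side in buildTree()) into the request, so the backend behind `winlogbeatService.query()` must check that the caller is allowed to read that index pattern rather than trusting the value — not visible here, but worth confirming. `objectId: ActiveDirectoryTreeType` no longer holds an id; renaming it `selectedObject` keeps the next reader from passing it where a string is expected. The `userSelected()` subscription in ngOnInit() is not unsubscribed in these hunks; if the component does not already handle that elsewhere it leaks across navigations.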
diff --git a/frontend/src/app/active-directory/shared/services/winlogbeat.service.ts b/frontend/src/app/active-directory/shared/services/winlogbeat.service.ts index 7e58dcd44..98b263e7d 100644 --- a/frontend/src/app/active-directory/shared/services/winlogbeat.service.ts +++ b/frontend/src/app/active-directory/shared/services/winlogbeat.service.ts @@ -10,7 +10,7 @@ import {WinlogbeatEventType} from '../types/winlogbeat-event.type'; providedIn: 'root' }) export class WinlogbeatService { - public resourceUrl = SERVER_API_URL + 'api/ad/winlogbeat-info-by-filter'; + public resourceUrl = SERVER_API_URL + 'api/winlogbeat-info-by-filter'; constructor(private http: HttpClient) { } diff --git a/frontend/src/app/active-directory/shared/types/active-directory-tree.type.ts b/frontend/src/app/active-directory/shared/types/active-directory-tree.type.ts index b75562785..4de167779 100644 --- a/frontend/src/app/active-directory/shared/types/active-directory-tree.type.ts +++ b/frontend/src/app/active-directory/shared/types/active-directory-tree.type.ts @@ -5,5 +5,6 @@ export class ActiveDirectoryTreeType { isAdmin?: boolean; objectSid?: string; parentId?: string; + indexPattern?: string; children?: ActiveDirectoryTreeType[]; } diff --git a/frontend/src/app/active-directory/shared/types/active-directory-user-source.ts b/frontend/src/app/active-directory/shared/types/active-directory-user-source.ts index d2a81bfdb..f22f45460 100644 --- a/frontend/src/app/active-directory/shared/types/active-directory-user-source.ts +++ b/frontend/src/app/active-directory/shared/types/active-directory-user-source.ts @@ -1,5 +1,5 @@ export class ActiveDirectoryUserSource { - id: string; - indexPattern: string; - indexName: string; - } \ No newline at end of file + id: string; + indexPattern: string; + indexName: string; +} 
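Review bot: `resourceUrl` moves the winlogbeat query from `api/ad/winlogbeat-info-by-filter` to `api/winlogbeat-info-by-filter`; if the backend's access rules are matched by URL prefix (not visible in this diff), the new path may fall under a different rule than an `api/ad/**` one, so the server-side mapping and its authorization should be checked together with this change. A one-line comment on the new URL naming what it pairs with would make the coupling visible: `// Backend endpoint that takes sid + indexPattern; see getEvents() in EventTimelineComponent`. The added `indexPattern?: string` on ActiveDirectoryTreeType is what that endpoint receives, so its value is client-controlled and must be authorized server-side.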
diff --git a/frontend/src/app/active-directory/shared/types/active-directory-users.ts b/frontend/src/app/active-directory/shared/types/active-directory-users.ts index f0cbcf2fa..3bc10718b 100644 --- a/frontend/src/app/active-directory/shared/types/active-directory-users.ts +++ b/frontend/src/app/active-directory/shared/types/active-directory-users.ts @@ -7,4 +7,4 @@ export class ActiveDirectoryUsers { source: ActiveDirectoryUserSource; createdDate: string; modifiedDate: string; -} \ No newline at end of file +} diff --git a/frontend/src/app/active-directory/view/active-directory-view/active-directory-view.component.html b/frontend/src/app/active-directory/view/active-directory-view/active-directory-view.component.html index 860ef2e37..635616745 100644 --- a/frontend/src/app/active-directory/view/active-directory-view/active-directory-view.component.html +++ b/frontend/src/app/active-directory/view/active-directory-view/active-directory-view.component.html @@ -11,7 +11,7 @@
-
{{adInfo.cn}}
+
{{object.name}}
@@ -39,11 +39,12 @@
{{adInfo.cn}}
- + [user]="object" + [adInfo]="object"> + +
-
+
diff --git a/frontend/src/app/active-directory/view/active-directory-view/active-directory-view.component.ts b/frontend/src/app/active-directory/view/active-directory-view/active-directory-view.component.ts index fc83c2170..580496bf0 100644 --- a/frontend/src/app/active-directory/view/active-directory-view/active-directory-view.component.ts +++ b/frontend/src/app/active-directory/view/active-directory-view/active-directory-view.component.ts @@ -2,12 +2,15 @@ import {AfterViewChecked, ChangeDetectorRef, Component, OnInit} from '@angular/c import {Router} from '@angular/router'; import {NgbModal} from '@ng-bootstrap/ng-bootstrap'; import {ResizeEvent} from 'angular-resizable-element'; +import {Observable} from 'rxjs'; +import {tap} from 'rxjs/operators'; import {AdReportCreateComponent} from '../../reports/ad-report-create/ad-report-create.component'; import {TreeObjectBehavior} from '../../shared/behavior/tree-object.behvior'; import {resolveType} from '../../shared/functions/ad-util.function'; import {ActiveDirectoryService} from '../../shared/services/active-directory.service'; -import {ActiveDirectoryType} from '../../shared/types/active-directory.type'; +import {ActiveDirectoryUsers} from '../../shared/types/active-directory-users'; import {AdTrackerCreateComponent} from '../../tracker/ad-tracker-create/ad-tracker-create.component'; +import {ActiveDirectoryTreeType} from "../../shared/types/active-directory-tree.type"; @Component({ selector: 'app-active-directory-view', 
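Review bot: `tap` is imported but only referenced inside the commented-out getInfo() in a later hunk of this file, so it is dead under strict lint settings; drop it or restore the code that uses it. The new `ActiveDirectoryTreeType` import uses double quotes while every neighbouring import uses single quotes, and the same mix appears in the event-timeline.component.ts import hunk above; `import {ActiveDirectoryTreeType} from '../../shared/types/active-directory-tree.type';` keeps the file consistent.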
@@ -15,13 +18,15 @@ import {AdTrackerCreateComponent} from '../../tracker/ad-tracker-create/ad-track styleUrls: ['./active-directory-view.component.scss'] }) export class AdViewComponent implements OnInit, AfterViewChecked { - object: string; + object: ActiveDirectoryTreeType; view = 'detail'; - adInfo: ActiveDirectoryType; + adInfo: any; + adInfo$: Observable; treeWidth = '290px'; detailWidth: string; pageWidth = window.innerWidth; treeHeight = window.innerHeight - 50; + showPanel = true; constructor(private router: Router, private activeDirectoryService: ActiveDirectoryService, @@ -32,9 +37,12 @@ export class AdViewComponent implements OnInit, AfterViewChecked { ngOnInit() { this.detailWidth = (this.pageWidth - 430) + 'px'; - this.treeObjectBehavior.$objectId.subscribe(id => { - this.object = id; - this.getInfo(); + this.treeObjectBehavior.userSelected().subscribe(object => { + if (object) { + this.object = object; + this.showPanel = false; + // this.adInfo$ = this.getInfo(); + } }); } 
@@ -42,22 +50,38 @@ export class AdViewComponent implements OnInit, AfterViewChecked { this.cdr.detectChanges(); } - objectSelected($event: string) { + objectSelected($event: ActiveDirectoryTreeType) { this.object = $event; } - getInfo() { + /*getInfo() { const req = { - 'objectSid.equals': this.object, - page: 1, - size: 50 + indexPattern: this.object.source.indexPattern, + top: 10000, + sid: this.object.sid, }; - this.activeDirectoryService.query(req).subscribe(object => { - if (object.body) { - this.adInfo = object.body[0]; - } - }); - } + return this.activeDirectoryService.queryUser(req, `api/utm-auditor-user-sid`) + .pipe( + tap(object => { + if (object.body) { + this.adInfo = this.object; + } + }) + ); + }*/ + + /*getInfo() { + const req = { + 'objectSid.equals': this.object, + page: 1, + size: 50 + }; + this.activeDirectoryService.query(req).subscribe(object => { + if (object.body) { + this.adInfo = object.body[0]; + } + }); + }*/ addToTracking() { const modalAddTracking = this.modalService.open(AdTrackerCreateComponent, {centered: true}); From 94688e8458b6ec2dc955387ad48a05358705a5dd Mon Sep 17 00:00:00 2001 From: "Freddy R. Laffita Almaguer" Date: Fri, 29 Dec 2023 06:34:22 -0500 Subject: [PATCH 09/20] Fixing typo in licence information (#199) --- frontend/src/app/license/utm-license/utm-license.component.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frontend/src/app/license/utm-license/utm-license.component.html b/frontend/src/app/license/utm-license/utm-license.component.html index 1ef5def68..dc1e66608 100644 --- a/frontend/src/app/license/utm-license/utm-license.component.html +++ b/frontend/src/app/license/utm-license/utm-license.component.html @@ -35,7 +35,7 @@
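Review bot: `adInfo` is declared `any` in the earlier hunk of this file but no longer assigned anywhere live — both assignments sit in the two commented-out copies of getInfo() — while the view template hunk still carries `{{adInfo.cn}}` as a context line, so that binding reads a property of undefined unless an `*ngIf` outside the hunk guards it. Either assign it from the selected object (`this.adInfo = object;` inside the userSelected() subscription) or switch the remaining template usage to `object.name` as the first template hunk already does. The two commented-out getInfo() bodies are dead code and should be deleted rather than kept in comments, together with `// this.adInfo$ = this.getInfo();` in the previous hunk. addToTracking() continues past the end of this hunk.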

FREE version of this product'" class="span-small-icon">

From 0ccf90ad98a599f314a2396f14d7df1685ca9cc9 Mon Sep 17 00:00:00 2001 From: Yorjander Hernandez Vergara <99102374+Kbayero@users.noreply.github.com> Date: Fri, 29 Dec 2023 13:52:27 +0200 Subject: [PATCH 10/20] Bugfix/agent/non printable chars (#195) * Fix issue Redline MISSING * Fix encryption key for master * Update agent-master compatibility table * Replace encryption mode * Bugfix log file too large * Fix linux agent uninstall command --- agent/agent/configuration/config.go | 98 +++++++++++++-- agent/agent/configuration/const.go | 1 + agent/agent/go.mod | 1 + agent/agent/go.sum | 2 + agent/agent/logservice/processor.go | 116 +++++++++++------- agent/agent/redline/redline.go | 2 +- agent/agent/utils/crypt.go | 6 + agent/redline/protector/protector.go | 2 +- agent/versions.json | 6 + .../guide-linux-agent.component.ts | 11 +- 10 files changed, 187 insertions(+), 58 deletions(-) diff --git a/agent/agent/configuration/config.go b/agent/agent/configuration/config.go index 97e819895..38ed72fbf 100644 --- a/agent/agent/configuration/config.go +++ b/agent/agent/configuration/config.go @@ -7,9 +7,14 @@ import ( "sync" aesCrypt "github.com/AtlasInsideCorp/AtlasInsideAES" + "github.com/google/uuid" "github.com/utmstack/UTMStack/agent/agent/utils" ) +type InstallationUUID struct { + UUID string `yaml:"uuid"` +} + type Config struct { Server string `yaml:"server"` AgentID uint `yaml:"agent-id"` @@ -31,12 +36,13 @@ func GetInitialConfig() (*Config, string) { } var ( - cnf Config - confOnce sync.Once + cnf = Config{} + confOnce sync.Once + instuuid = "" + instuuidOnce sync.Once ) func GetCurrentConfig() (*Config, error) { - cnf = Config{} var errR error confOnce.Do(func() { path, err := utils.GetMyPath() 
@@ -44,6 +50,9 @@ func GetCurrentConfig() (*Config, error) { errR = fmt.Errorf("failed to get current path: %v", err) return } + + uuidExists := utils.CheckIfPathExist(filepath.Join(path, UUIDFileName)) + var encryptConfig Config if err = utils.ReadYAML(filepath.Join(path, "config.yml"), &encryptConfig); err != nil { errR = fmt.Errorf("error reading config file: %v", err) @@ -51,10 +60,25 @@ func GetCurrentConfig() (*Config, error) { } // Get key - key, err := utils.GenerateKey(REPLACE_KEY) - if err != nil { - errR = fmt.Errorf("error geneating key: %v", err) - return + var key []byte + if uuidExists { + uuid, err := GetUUID() + if err != nil { + errR = fmt.Errorf("failed to get uuid: %v", err) + return + } + + key, err = utils.GenerateKeyByUUID(REPLACE_KEY, uuid) + if err != nil { + errR = fmt.Errorf("error geneating key: %v", err) + return + } + } else { + key, err = utils.GenerateKey(REPLACE_KEY) + if err != nil { + errR = fmt.Errorf("error geneating key: %v", err) + return + } } // Decrypt config @@ -69,6 +93,12 @@ func GetCurrentConfig() (*Config, error) { cnf.AgentKey = agentKey cnf.SkipCertValidation = encryptConfig.SkipCertValidation + if !uuidExists { + if err := SaveConfig(&cnf); err != nil { + errR = fmt.Errorf("error writing config file: %v", err) + return + } + } }) if errR != nil { return nil, errR @@ -83,8 +113,13 @@ func SaveConfig(cnf *Config) error { return fmt.Errorf("failed to get current path: %v", err) } + uuid, err := GenerateNewUUID() + if err != nil { + return fmt.Errorf("failed to generate uuid: %v", err) + } + // Get key - key, err := utils.GenerateKey(REPLACE_KEY) + key, err := utils.GenerateKeyByUUID(REPLACE_KEY, uuid) if err != nil { return fmt.Errorf("error geneating key: %v", err) } 
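Review bot: SaveConfig() now calls GenerateNewUUID() on every save, so each call rotates uuid.yml and the key under config.yml, while GetUUID() caches the first value it read through `instuuidOnce`; any later SaveConfig() in the same process leaves that cached uuid stale for anything that re-reads the config afterwards. Generate a uuid only when the file is missing and otherwise reuse the stored one, and have the writer refresh `instuuid` under the same guard. The legacy migration in GetCurrentConfig() writes uuid.yml before config.yml is re-encrypted; a crash between the two leaves `uuidExists` true on the next start with a config still encrypted under the old key, which this code cannot open — write both via temp file plus rename, or remove uuid.yml if SaveConfig() fails. The derived key is `base64(REPLACE_KEY + uuid)` with uuid.yml stored in plaintext beside config.yml, so it protects the agent key only from readers who lack access to that directory; a comment stating that scope, and restrictive permissions on uuid.yml, would keep the next maintainer from treating it as stronger than it is. The enclosing functions start and end outside these hunks.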
@@ -108,3 +143,50 @@ func SaveConfig(cnf *Config) error { } return nil } + +func GenerateNewUUID() (string, error) { + uuid, err := uuid.NewRandom() + if err != nil { + return "", fmt.Errorf("failed to generate uuid: %v", err) + } + + InstallationUUID := InstallationUUID{ + UUID: uuid.String(), + } + + path, err := utils.GetMyPath() + if err != nil { + return "", fmt.Errorf("failed to get current path: %v", err) + } + + if err = utils.WriteYAML(filepath.Join(path, UUIDFileName), InstallationUUID); err != nil { + return "", fmt.Errorf("error writing uuid file: %v", err) + } + + return InstallationUUID.UUID, nil +} + +func GetUUID() (string, error) { + var errR error + instuuidOnce.Do(func() { + path, err := utils.GetMyPath() + if err != nil { + errR = fmt.Errorf("failed to get current path: %v", err) + return + } + + var uuid = InstallationUUID{} + if err = utils.ReadYAML(filepath.Join(path, UUIDFileName), &uuid); err != nil { + errR = fmt.Errorf("error reading uuid file: %v", err) + return + } + + instuuid = uuid.UUID + }) + + if errR != nil { + return "", errR + } + + return instuuid, nil +} diff --git a/agent/agent/configuration/const.go b/agent/agent/configuration/const.go index 4a8b34044..5037b372b 100644 --- a/agent/agent/configuration/const.go +++ b/agent/agent/configuration/const.go @@ -26,6 +26,7 @@ const ( WinLockName = "utmstack_windows_collector.lock" RedlineLockName = "utmstack_redline.lock" RedlineServName = "UTMStackRedline" + UUIDFileName = "uuid.yml" ) type LogType string diff --git a/agent/agent/go.mod b/agent/agent/go.mod index 704b1028e..348ad7700 100644 --- a/agent/agent/go.mod +++ b/agent/agent/go.mod @@ -5,6 +5,7 @@ go 1.21.1 require ( github.com/AtlasInsideCorp/AtlasInsideAES v1.0.0 github.com/elastic/go-sysinfo v1.11.1 + github.com/google/uuid v1.3.1 github.com/kardianos/service v1.2.2 github.com/quantfall/holmes v1.3.0 google.golang.org/grpc v1.59.0 diff --git a/agent/agent/go.sum b/agent/agent/go.sum index 918546360..91aa57b40 100644 
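Review bot: GetUUID() consumes `instuuidOnce` even when ReadYAML fails, so the first failure is reported once and every later call returns `("", nil)`, an empty uuid that GenerateKeyByUUID() silently accepts as key material; either leave the once unset on error (a mutex plus a checked `instuuid != ""` does it) or keep and return the cached error — the same pattern exists in GetCurrentConfig() with `confOnce`. In GenerateNewUUID(), `uuid, err := uuid.NewRandom()` shadows the imported package and `InstallationUUID := InstallationUUID{...}` shadows the type; `newID, err := uuid.NewRandom()` and `record := InstallationUUID{UUID: newID.String()}` read better. GenerateNewUUID() also never updates `instuuid`, so a process that rotated the uuid keeps deriving keys from the old one until restart. The file is written via utils.WriteYAML, whose permissions are not visible here; since it is half of the config key it should not be world-readable.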
--- a/agent/agent/go.sum
+++ b/agent/agent/go.sum
@@ -25,6 +25,8 @@ github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiu
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
+github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 h1:rp+c0RAYOWj8l6qbCUTSiRLG/iKnW3K3/QfPPuSsBt4=
 github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901/go.mod h1:Z86h9688Y0wesXCyonoVr47MasHilkuLMqGhRZ4Hpak=
diff --git a/agent/agent/logservice/processor.go b/agent/agent/logservice/processor.go
index f6831620c..13135ec1c 100644
--- a/agent/agent/logservice/processor.go
+++ b/agent/agent/logservice/processor.go
@@ -1,6 +1,7 @@
 package logservice
 
 import (
+ "bufio"
 context "context"
 "fmt"
 "os"
@@ -24,9 +25,11 @@ type LogPipe struct {
 }
 
 var (
- processor LogProcessor
- processorOnce sync.Once
- LogQueue = make(chan LogPipe, 1000)
+ processor LogProcessor
+ processorOnce sync.Once
+ LogQueue = make(chan LogPipe, 1000)
+ MinutesForCleanLog = 10080 // 7 days in minutes(7*24*60)
+ MinutesForReportLogsCounted = time.Duration(5 * time.Minute)
 )
 
 func GetLogProcessor() LogProcessor {
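Review bot: `MinutesForReportLogsCounted` is a `time.Duration` (five minutes) while `MinutesForCleanLog` is a bare int of minutes later compared against `time.Since(...).Minutes()`, so the two names promise the same unit but carry different types; declaring both as `time.Duration` constants — `ReportLogsCountedInterval = 5 * time.Minute` and `CleanLogAfter = 7 * 24 * time.Hour` — removes the float conversion in SaveCountedLogs() and the `// 7 days in minutes` arithmetic. They are also exported `var`s, so any package can reassign them at runtime; `const` is enough for values that never change.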
@@ -41,17 +44,12 @@ func (l *LogProcessor) ProcessLogs(client LogServiceClient, ctx context.Context, reconnectDelay := configuration.InitialReconnectDelay invalidKeyCounter := 0 - path, err := utils.GetMyPath() - if err != nil { - h.FatalError("Failed to get current path: %v", err) - } - - filePath := filepath.Join(path, "logs_process") - utils.CreatePathIfNotExist(filePath) - fileNames := map[string]*os.File{} - defer func() { - for _, file := range fileNames { - file.Close() + logsProcessCounter := map[string]int{} + go func() { + for { + time.Sleep(MinutesForReportLogsCounted) + SaveCountedLogs(h, logsProcessCounter) + logsProcessCounter = map[string]int{} } }() @@ -104,38 +102,8 @@ func (l *LogProcessor) ProcessLogs(client LogServiceClient, ctx context.Context, continue } + logsProcessCounter[newLog.Src] += len(newLog.Logs) invalidKeyCounter = 0 - - fileIsOpen := false - for name := range fileNames { - if name == filepath.Join(filePath, string(newLog.Src)+".txt") { - fileIsOpen = true - } - } - - newFileName := filepath.Join(filePath, string(newLog.Src)+".txt") - if !fileIsOpen { - file, err := os.OpenFile(newFileName, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) - if err != nil { - h.Error("error opening file: %s", err) - time.Sleep(reconnectDelay) - connectionTime = utils.IncrementReconnectTime(connectionTime, reconnectDelay, configuration.MaxConnectionTime) - reconnectDelay = utils.IncrementReconnectDelay(reconnectDelay, configuration.MaxReconnectDelay) - continue - } - fileNames[newFileName] = file - } - - for _, mylog := range newLog.Logs { - _, err = fileNames[newFileName].WriteString(fmt.Sprintf("%s\n", mylog)) - if err != nil { - h.Info("error writing to file: %s\n", err) - time.Sleep(reconnectDelay) - connectionTime = utils.IncrementReconnectTime(connectionTime, reconnectDelay, configuration.MaxConnectionTime) - reconnectDelay = utils.IncrementReconnectDelay(reconnectDelay, configuration.MaxReconnectDelay) - continue - } - } } } 
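Review bot: `logsProcessCounter` is written by the receive loop (`logsProcessCounter[newLog.Src] += len(newLog.Logs)` in the second hunk) and, in the new goroutine, read by SaveCountedLogs() and then replaced, with no synchronization between them; the Go runtime aborts the process when it detects a concurrent map read/write, and the race detector flags it immediately. The goroutine also never observes `ctx`, so it keeps running (and keeps writing the report file) after ProcessLogs() returns, assuming ctx is cancelled on shutdown. Guard the map with a mutex, hand SaveCountedLogs() a snapshot taken under the lock, and stop on `ctx.Done()`; `sync` is already imported by this file, and ProcessLogs() continues outside both hunks.
```go
	logsProcessCounter := map[string]int{}
	var counterMu sync.Mutex
	go func() {
		ticker := time.NewTicker(MinutesForReportLogsCounted)
		defer ticker.Stop()
		for {
			select {
			case <-ctx.Done():
				return
			case <-ticker.C:
				counterMu.Lock()
				snapshot := logsProcessCounter
				logsProcessCounter = map[string]int{}
				counterMu.Unlock()
				SaveCountedLogs(h, snapshot)
			}
		}
	}()
	// … unchanged: connect / receive loop up to the invalid-key check …
	counterMu.Lock()
	logsProcessCounter[newLog.Src] += len(newLog.Logs)
	counterMu.Unlock()
	invalidKeyCounter = 0
```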
@@ -154,3 +122,61 @@ func (l *LogProcessor) ProcessLogsWithHighPriority(msg string, client LogService } return nil } + +func SaveCountedLogs(h *holmes.Logger, logsProcessCounter map[string]int) { + path, err := utils.GetMyPath() + if err != nil { + h.FatalError("Failed to get current path: %v", err) + } + + filePath := filepath.Join(path, "logs_process") + logFile := filepath.Join(filePath, "processed_logs.txt") + utils.CreatePathIfNotExist(filePath) + + file, err := os.OpenFile(logFile, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0666) + if err != nil { + h.Error("error opening processed_logs.txt file: %s", err) + return + } + defer file.Close() + + var firstLogTime time.Time + var firstLine string + scanner := bufio.NewScanner(file) + for scanner.Scan() { + firstLine = scanner.Text() + break + } + + if firstLine != "" { + firstLogTime, err = time.Parse("2006/01/02 15:04:05.9999999 -0700 MST", strings.Split(firstLine, " - ")[0]) + if err != nil { + h.Error("error parsing first log time: %s", err) + return + } + + if !firstLogTime.IsZero() && time.Since(firstLogTime).Minutes() >= float64(MinutesForCleanLog) { + file.Close() + if err := os.Remove(logFile); err != nil { + h.Error("error removing processed_logs.txt file: %s", err) + return + } + file, err = os.OpenFile(logFile, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0666) + if err != nil { + h.Error("error opening processed_logs.txt file: %s", err) + return + } + } + } + + for name, counter := range logsProcessCounter { + if counter > 0 { + _, err = file.WriteString(fmt.Sprintf("%v - %d logs from %s have been processed\n", time.Now().Format("2006/01/02 15:04:05.9999999 -0700 MST"), counter, name)) + if err != nil { + h.Error("error writing to processed_logs.txt file: %s", err) + continue + } + } + } + +} diff --git a/agent/agent/redline/redline.go b/agent/agent/redline/redline.go index 6b9ddb1ae..029a3cc2f 100644 --- a/agent/agent/redline/redline.go +++ b/agent/agent/redline/redline.go 
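Review bot: `defer file.Close()` in SaveCountedLogs() binds the *os.File that was open when the defer ran, so after the rotation branch closes it explicitly, removes the file and reopens `file`, the deferred call closes the old handle a second time and the reopened one is never closed — one leaked descriptor per rotation; use `defer func() { file.Close() }()` so the closure sees the reassigned variable. `h.FatalError` on a GetMyPath() failure now fires from the background goroutine added in the previous hunk and terminates the whole agent over a bookkeeping file; `h.Error(...); return` is the right severity here. The `for scanner.Scan() { ...; break }` loop reads a single line and reads more naturally as `if scanner.Scan() { firstLine = scanner.Text() }`, and the report file is created `0666`, wider than the `0644` the removed per-source files used.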
@@ -26,7 +26,7 @@ func CheckRedlineService(h *holmes.Logger) {
 if attempts >= 3 {
 h.Info("Redline service has been stopped")
 if err := utils.Execute(filepath.Join(path, bin), path, "send-log", fmt.Sprintf("%s service has been stopped", configuration.RedlineServName)); err != nil {
- h.Error("error checking %s: error sending log : %v", err)
+ h.Error("error checking %s: error sending log : %v", configuration.RedlineServName, err)
 time.Sleep(time.Second * 5)
 continue
 }
diff --git a/agent/agent/utils/crypt.go b/agent/agent/utils/crypt.go
index dcbace7b2..6abb8a712 100644
--- a/agent/agent/utils/crypt.go
+++ b/agent/agent/utils/crypt.go
@@ -15,3 +15,9 @@ func GenerateKey(REPALCE_KEY string) ([]byte, error) {
 base64Key := base64.StdEncoding.EncodeToString(data)
 return []byte(REPALCE_KEY + base64Key), nil
 }
+
+func GenerateKeyByUUID(REPLACE_KEY string, uuid string) ([]byte, error) {
+ data := []byte(REPLACE_KEY + uuid)
+ base64Key := base64.StdEncoding.EncodeToString(data)
+ return []byte(base64Key), nil
+}
diff --git a/agent/redline/protector/protector.go b/agent/redline/protector/protector.go
index 16e2f886d..1148b2db1 100644
--- a/agent/redline/protector/protector.go
+++ b/agent/redline/protector/protector.go
@@ -26,7 +26,7 @@ func ProtectService(servName, lockName string, h *holmes.Logger) {
 if attempts >= 3 {
 h.Info("%s service has been stopped", servName)
 if err := utils.Execute(filepath.Join(path, bin), path, "send-log", fmt.Sprintf("%s service has been stopped", servName)); err != nil {
- h.Error("error checking %s: error sending log : %v", err)
+ h.Error("error checking %s: error sending log : %v", servName, err)
 time.Sleep(time.Second * 5)
 continue
 }
diff --git a/agent/versions.json b/agent/versions.json
index 4da226325..f09b479c7 100644
--- a/agent/versions.json
+++ b/agent/versions.json
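Review bot: GenerateKeyByUUID() returns `base64(REPLACE_KEY + uuid)` whereas the sibling GenerateKey() returns `REPALCE_KEY + base64(data)`, so the two derivations differ in shape as well as input and the callers in config.go must never mix them for the same file; a doc comment on each stating which file it protects and that neither is a KDF (base64 of a build constant plus a uuid stored next to the ciphertext only obfuscates) would prevent that. If the AES library expects a fixed key length, the base64 output length here depends on `len(REPLACE_KEY)`, so confirm the produced key size matches what aesCrypt accepts. The redline.go and protector.go hunks on this line only add the missing format argument.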
@@ -5,6 +5,12 @@ "agent_version": "10.1.1", "updater_version": "10.1.2", "redline_version": "10.1.1" + }, + { + "master_version": "10.2.0", + "agent_version": "10.2.0", + "updater_version": "10.1.2", + "redline_version": "10.1.1" } ] } diff --git a/frontend/src/app/app-module/guides/guide-linux-agent/guide-linux-agent.component.ts b/frontend/src/app/app-module/guides/guide-linux-agent/guide-linux-agent.component.ts index c0fc9aa2d..91c73584b 100644 --- a/frontend/src/app/app-module/guides/guide-linux-agent/guide-linux-agent.component.ts +++ b/frontend/src/app/app-module/guides/guide-linux-agent/guide-linux-agent.component.ts 
@@ -49,8 +49,13 @@ export class GuideLinuxAgentComponent implements OnInit { `/opt/utmstack-linux-agent/utmstack_agent_installer && sudo /opt/utmstack-linux-agent/utmstack_agent_installer install ` + ip + ` ` + this.token + ` yes`; } getUninstallCommand(): string { - return `sudo /opt/utmstack-linux-agent/utmstack_agent_installer uninstall && echo "Removing UTMStack Agent dependencies..." ` + - `&& sleep 10 && sudo rm -rf "/opt/utmstack-linux-agent" && echo "UTMStack Agent dependencies removed successfully."`; + return `sudo /opt/utmstack-linux-agent/utmstack_agent_installer uninstall || true; sudo systemctl stop UTMStackAgent || true; ` + + `sudo systemctl disable UTMStackAgent || true; sudo rm /etc/systemd/system/UTMStackAgent.service || true; sudo systemctl stop UTMStackRedline || true; ` + + `sudo systemctl disable UTMStackRedline || true; sudo rm /etc/systemd/system/UTMStackRedline.service || true; ` + + `sudo systemctl stop UTMStackUpdater || true; sudo systemctl disable UTMStackUpdater || true; ` + + `sudo rm /etc/systemd/system/UTMStackUpdater.service || true; sudo systemctl stop UTMStackModulesLogsCollector || true; ` + + `sudo systemctl disable UTMStackModulesLogsCollector || true; sudo rm /etc/systemd/system/UTMStackModulesLogsCollector.service || true; ` + + `sudo systemctl daemon-reload || true; echo "Removing UTMStack Agent dependencies..." ` + + `&& sleep 10 && sudo rm -rf "/opt/utmstack-linux-agent" && echo "UTMStack Agent dependencies removed successfully."`; } - } From 3fef4e017783077524b8b3714eda2fad6133a2f2 Mon Sep 17 00:00:00 2001 
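Review bot: getUninstallCommand() now returns one very long shell line assembled from eight `+`-concatenated template literals, and because every step is followed by `|| true` the final `echo "... removed successfully."` prints even when a unit could not be stopped or its file could not be deleted. Keeping the unit names in an array (`['UTMStackAgent', 'UTMStackRedline', 'UTMStackUpdater', 'UTMStackModulesLogsCollector']`) and generating the stop/disable/rm triple per unit with `.map(...).join('; ')` makes each unit visible and lets a reader diff the list against the installer. The method's enclosing class runs past the hunk.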
From: "Freddy R. Laffita Almaguer" Date: Tue, 2 Jan 2024 03:28:56 -0500 Subject: [PATCH 11/20] Update privafy filter, add ordering filter support (#203) * Adding support for filter ordering issues (mutate) * Adding support multiple filters in the same pipeline --- ...1_updating_syslog_json_generic_filters.xml | 161 ++++++++++++++++++ .../resources/config/liquibase/master.xml | 2 + filters/generic/generic.conf | 5 +- filters/json/json-input.conf | 8 +- filters/privafy/privafy.conf | 37 ++-- filters/syslog/syslog-generic.conf | 5 +- 6 files changed, 200 insertions(+), 18 deletions(-) create mode 100644 backend/src/main/resources/config/liquibase/changelog/20231229001_updating_syslog_json_generic_filters.xml diff --git a/backend/src/main/resources/config/liquibase/changelog/20231229001_updating_syslog_json_generic_filters.xml b/backend/src/main/resources/config/liquibase/changelog/20231229001_updating_syslog_json_generic_filters.xml new file mode 100644 index 000000000..bb4e4b61d --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20231229001_updating_syslog_json_generic_filters.xml 
@@ -0,0 +1,161 @@ + + + + + + + "message" + terminator => "" +} + +#Looking for datasource generated by an agent and parse original message +if [message]=~/\[utm_stack_agent_ds=(.+)\]-(.+)/ { + grok { + match => { + "message" => [ "\[utm_stack_agent_ds=%{DATA:dataSource}\]-%{GREEDYDATA:original_log_message}" ] + } + } +} +if [original_log_message] { + mutate { + update => { "message" => "%{[original_log_message]}" } + } +} +#......................................................................# +#Generating dataSource and dataType fields required by CurrelationRulesEngine +if ![dataSource] { + mutate { + add_field => { "dataSource" => "%{host}" } + } +} +if ![dataType] { + mutate { + add_field => {"dataType" => "generic"} + } +} +#......................................................................# +#Adding json support +if [message] =~/^\{/ { + json { + source => "message" + } +} + +#Remove unwanted fields if the message not match with conditions + mutate { + remove_field => ["@version","original_log_message","headers"] + } +} +',filter_version='1.0.1' + WHERE id=1521; + +-- Updating Syslog filter + UPDATE utm_logstash_filter + SET logstash_filter='filter { +# Syslog filter, version 1.0.1 + +split { + field => "message" + terminator => "" +} + +#Looking for datasource generated by an agent and parse original message +if [message]=~/\[utm_stack_agent_ds=(.+)\]-(.+)/ { + grok { + match => { + "message" => [ "\[utm_stack_agent_ds=%{DATA:dataSource}\]-%{GREEDYDATA:original_log_message}" ] + } + } +} +if [original_log_message] { + mutate { + update => { "message" => "%{[original_log_message]}" } + } +} +#......................................................................# +#Generating dataSource field required by CurrelationRulesEngine +if ![dataSource] { + mutate { + add_field => { "dataSource" => "%{host}" } + } +} +#......................................................................# +#Generating logx structure +if ![dataType] { + mutate { + add_field => 
{"dataType" => "syslog"} + rename => ["message", "[logx][syslog][message]"] + } +} +#Remove unwanted fields if the message not match with conditions + mutate { + remove_field => ["@version","original_log_message","headers"] + } +} +',filter_version='1.0.1' + WHERE id=1520; + +-- Updating json input filter + UPDATE utm_logstash_filter + SET logstash_filter='filter { +#Filter version 1.0.2 +#Used to format generic json files + + if [message] { + split { + field => "message" + terminator => "" + } + json { + source => "message" + target => "json_input" + } + + #Create logx structure + mutate { + rename => { "[message]" => "[logx][json_input][message]" } + rename => { "[json_input]" => "[logx][json_input]" } + } + + #Generating dataType and dataSource fields + if ![dataType] { + mutate { + add_field => { "dataType" => "json-input" } + } + } + if ![dataSource] { + if [logx][json_input][dataSource]{ + mutate { + rename => { "[logx][json_input][dataSource]" => "[dataSource]" } + } + } else { + mutate { + add_field => { "dataSource" => "%{host}" } + } + } + } + } + + #Finally remove unused fields + mutate { + remove_field => ["path","@version","host","headers"] + } +} +',filter_version='1.0.2' + WHERE id=1515; + + ]]> + + + diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml index 94f4689fe..c22d2aebb 100644 --- a/backend/src/main/resources/config/liquibase/master.xml +++ b/backend/src/main/resources/config/liquibase/master.xml @@ -26,4 +26,6 @@ + + diff --git a/filters/generic/generic.conf b/filters/generic/generic.conf index 3a6d89aa1..6b563e024 100644 --- a/filters/generic/generic.conf +++ b/filters/generic/generic.conf @@ -1,5 +1,5 @@ filter { -# Generic pipeline filter, version 1.0.0 +# Generic pipeline filter, version 1.0.1 # Supports plain logs and simple json logs split { 
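Review bot: The three filter bodies written into `utm_logstash_filter` here (`WHERE id=1521`, `1520` and `1515`) are verbatim copies of `filters/generic/generic.conf`, `filters/syslog/syslog-generic.conf` and `filters/json/json-input.conf`, which this same commit edits by hand in parallel, so the two copies will drift the next time only one of them is touched. A comment at the top of the changeSet naming the source and version of each body, e.g. `<!-- Bodies below mirror filters/generic/generic.conf 1.0.1, filters/syslog/syslog-generic.conf 1.0.1 and filters/json/json-input.conf 1.0.2; change both together -->`, would at least make the coupling visible, and generating the SQL from the .conf files would remove it. Separately, the generic body parses any message starting with `{` via `json { source => "message" }` with no `target`, so sender-supplied keys land at the event root next to the `dataSource` / `dataType` fields added just before it; whether the json filter overwrites those fields on a key clash should be confirmed and, if it does, a `target` would keep the classification fields authoritative. The changeSet's XML wrapper did not survive rendering here, so the element names could not be checked.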
@@ -27,10 +27,11 @@ if ![dataSource] { add_field => { "dataSource" => "%{host}" } } } +if ![dataType] { mutate { add_field => {"dataType" => "generic"} } - +} #......................................................................# #Adding json support if [message] =~/^\{/ { diff --git a/filters/json/json-input.conf b/filters/json/json-input.conf index 7dd4f83b5..a765843dd 100644 --- a/filters/json/json-input.conf +++ b/filters/json/json-input.conf @@ -1,5 +1,5 @@ filter { -#Filter version 1.0.1 +#Filter version 1.0.2 #Used to format generic json files if [message] { @@ -24,14 +24,16 @@ filter { add_field => { "dataType" => "json-input" } } } - if [logx][json_input][dataSource]{ + if ![dataSource] { + if [logx][json_input][dataSource]{ mutate { rename => { "[logx][json_input][dataSource]" => "[dataSource]" } } - } else { + } else { mutate { add_field => { "dataSource" => "%{host}" } } + } } } diff --git a/filters/privafy/privafy.conf b/filters/privafy/privafy.conf index 9ab93255e..a00e70568 100644 --- a/filters/privafy/privafy.conf +++ b/filters/privafy/privafy.conf @@ -1,6 +1,6 @@ filter { -# Privafy filter version 1.1.0 +# Privafy filter version 1.1.1 # Based on (User Doc) https://docs.progress.com/es-ES/bundle/loadmaster-technical-note-common-event-format-cef-logs-ga/page/Common-Event-Format-CEF-Logs.html (December, 2023) # and (User Doc) https://help.deepsecurity.trendmicro.com/20_0/on-premise/event-syslog-message-formats.html (December, 2023) # and example logs provided by user during POC 
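Review bot: The new `if ![dataType]` guard around `mutate { add_field => {"dataType" => "generic"} }` changes which filter wins when several run in one pipeline, but nothing in the file says so; the same applies to the `if ![dataSource]` wrapper in the json-input.conf hunk on this line and to the `if ![dataType]` wrapper in the syslog-generic.conf hunk later in this patch. A one-line comment above each guard would record the intent, e.g. `# Keep a classification set by an earlier filter in the pipeline; only fill it in when absent`. Without it, the next reader is likely to see the guard as redundant and drop it, reintroducing the ordering issue the commit title refers to.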
@@ -28,10 +28,20 @@ filter { } } - if ![dataType] { +#......................................................................# +# Creating privafy message field from syslog message + if [logx][syslog][message] { + mutate { + add_field => { "prvf_message" => "%{[logx][syslog][message]}" } + } + } else { + mutate { + add_field => { "prvf_message" => "%{message}" } + } + } #......................................................................# # Privafy Entry point - if [message] and (("CEF:" in [message] or "LEEF:" in [message]) and [message] =~/\|(\w+)?(\s)?Privafy(\s)?(\w+)?\|/ ) { + if [prvf_message] and (("CEF:" in [prvf_message] or "LEEF:" in [prvf_message]) and [prvf_message] =~/\|(\w+)?(\s)?Privafy(\s)?(\w+)?\|/ ) { #......................................................................# #Generating dataSource field required by CurrelationRulesEngine #Checks if exists, if not evaluate to the host variable 
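Review bot: `prvf_message` is now added to every event that enters this filter, not only Privafy ones, because the new `if [logx][syslog][message] … else …` pair runs unconditionally before the `if [prvf_message] and (("CEF:" …` entry point; the `remove_field` that drops it (in the last hunk of this file) sits inside the CEF/LEEF branch, so unmatched events keep a full copy of their message under `prvf_message` unless the trailing "remove unwanted fields" mutate, whose list is outside these hunks, also removes it. Either add `"prvf_message"` to that trailing list or create the field only after the CEF/LEEF test, e.g. check the two source fields directly in the entry point and build `prvf_message` inside it. Duplicating the message text also doubles the per-event payload on a pipeline that sees all syslog traffic, which is the main reason to keep the scratch field short-lived.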
@@ -42,23 +52,29 @@ filter { } #......................................................................# #Generating dataType field required by CurrelationRulesEngine + if (![dataType]){ mutate { add_field => { "dataType" => "privafy" } } + } else { + mutate { + update => { "dataType" => "privafy" } + } + } #......................................................................# -#If CEF or LEEF formatted log do the parsing of the message mark as undefined syslog format - if ("CEF:" in [message] or "LEEF:" in [message] ) { +#If CEF or LEEF formatted log do the parsing of the prvf_message mark as undefined syslog format + if ("CEF:" in [prvf_message] or "LEEF:" in [prvf_message] ) { #......................................................................# -#Using grok to parse header of the message +#Using grok to parse header of the prvf_message grok { match => { - "message" => [ + "prvf_message" => [ "(%{INT:not_defined})?(\s)?(<%{NUMBER:priority}>)?(%{INT:syslog_version})?((\s)%{GREEDYDATA:syslog_date_host}(\s))?(?(CEF|LEEF)):(\s)?(?(%{INT}\.%{INT}|%{INT}))%{GREEDYDATA:cef_or_leef_msg_all}" ] } } } - if ("CEF:" in [message] ) { + if ("CEF:" in [prvf_message] ) { #......................................................................# #Using grok to parse components of the cef_or_leef_msg_all if [cef_or_leef_msg_all] { @@ -72,7 +88,7 @@ filter { } } } - } else if ("LEEF:" in [message] ) { + } else if ("LEEF:" in [prvf_message] ) { #......................................................................# #Using grok to parse components of the leef_message if [cef_or_leef_msg_all] { 
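Review bot: The new `if (![dataType]) { mutate { add_field … } } else { mutate { update … } }` pair can be one block: mutate's `replace` option sets the field whether or not it already exists, so `mutate { replace => { "dataType" => "privafy" } }` expresses the intent in one place and avoids two copies of the same value. The comment above it, `#Generating dataType field required by CurrelationRulesEngine`, should then also say that a classification set by an earlier filter (for instance `syslog`) is deliberately overridden here, since that is the behaviour this commit introduces. The `"message"` to `"prvf_message"` renames in the rest of this hunk and in the `@@ -72,7 +88,7 @@` hunk are mechanical and fine.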
@@ -277,12 +293,11 @@ if [kv_field][severity]{ #......................................................................# #Finally, remove unnecessary fields mutate { - remove_field => ["@version","path","tags","type","syslog_version","kv_field", + remove_field => ["@version","path","tags","type","syslog_version","kv_field","prvf_message","[logx][syslog][message]", "not_defined","cef_or_leef_msg_all","cef_or_leef_msg","syslog_date_host","irrelevant","init_msg"] } } # End CEF entrypoint - } #Also, remove unwanted fields if the message not match with conditions mutate { diff --git a/filters/syslog/syslog-generic.conf b/filters/syslog/syslog-generic.conf index b33074ce1..6b25c72ec 100644 --- a/filters/syslog/syslog-generic.conf +++ b/filters/syslog/syslog-generic.conf @@ -1,5 +1,5 @@ filter { -# Syslog filter, version 1.0.0 +# Syslog filter, version 1.0.1 split { field => "message" @@ -28,11 +28,12 @@ if ![dataSource] { } #......................................................................# #Generating logx structure +if ![dataType] { mutate { add_field => {"dataType" => "syslog"} rename => ["message", "[logx][syslog][message]"] } - +} #Remove unwanted fields if the message not match with conditions mutate { remove_field => ["@version","original_log_message","headers"] From fcd7694f70ab619548cbed150aaf4e25d5fce019 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Tue, 2 Jan 2024 11:26:58 +0200 Subject: [PATCH 12/20] #170 Fixed select the agent but the list is empty (#196) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: manuel Co-authored-by: Jorge Dieguez Pérez --- .../util/utm-agent-detail/utm-agent-detail.component.html | 6 +++--- .../util/utm-agent-select/utm-agent-select.component.html | 1 - .../utm/util/utm-agent-select/utm-agent-select.component.ts | 4 ++-- 3 files changed, 5 insertions(+), 6 deletions(-) 
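Review bot: In the syslog-generic.conf hunk, the `if ![dataType]` guard now also skips the `rename => ["message", "[logx][syslog][message]"]`, so an event that an earlier filter already classified keeps its text in `message` instead of `[logx][syslog][message]`; that is a wider behaviour change than the comment `#Generating logx structure` suggests, and downstream filters must read both locations (the privafy filter in this commit does, through its `prvf_message` fallback). A comment on the guard would make this explicit, e.g. `# Skipped when an earlier filter set dataType: the text then stays in [message], not [logx][syslog][message]`. In the privafy.conf hunk above it, adding `"[logx][syslog][message]"` to `remove_field` drops the syslog copy only for matched CEF/LEEF events, which is consistent with `prvf_message` being the working copy.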
diff --git a/frontend/src/app/shared/components/utm/util/utm-agent-detail/utm-agent-detail.component.html b/frontend/src/app/shared/components/utm/util/utm-agent-detail/utm-agent-detail.component.html index 6adf3894e..8d6a650ca 100644 --- a/frontend/src/app/shared/components/utm/util/utm-agent-detail/utm-agent-detail.component.html +++ b/frontend/src/app/shared/components/utm/util/utm-agent-detail/utm-agent-detail.component.html @@ -31,20 +31,20 @@
Type:  -
Group Source:  -
Comment:  - +
OS Version:  diff --git a/frontend/src/app/shared/components/utm/util/utm-agent-select/utm-agent-select.component.html b/frontend/src/app/shared/components/utm/util/utm-agent-select/utm-agent-select.component.html index 5eabd7483..365b269af 100644 --- a/frontend/src/app/shared/components/utm/util/utm-agent-select/utm-agent-select.component.html +++ b/frontend/src/app/shared/components/utm/util/utm-agent-select/utm-agent-select.component.html @@ -6,7 +6,6 @@ [virtualScroll]="true" [searchable]="true" [(ngModel)]="agent" - bindValue="id" id="agentSelector" placeholder="Select agent" [ngStyle]="{'min-width':'150px'}"> diff --git a/frontend/src/app/shared/components/utm/util/utm-agent-select/utm-agent-select.component.ts b/frontend/src/app/shared/components/utm/util/utm-agent-select/utm-agent-select.component.ts index cb6e424eb..61b1f4e9f 100644 --- a/frontend/src/app/shared/components/utm/util/utm-agent-select/utm-agent-select.component.ts +++ b/frontend/src/app/shared/components/utm/util/utm-agent-select/utm-agent-select.component.ts @@ -12,7 +12,7 @@ export class UtmAgentSelectComponent implements OnInit { @Output() agentSelect = new EventEmitter(); agents: AgentType[]; agentStatusEnum = AgentStatusEnum; - agent: AgentType; + agent: any; constructor(private utmAgentManagerService: UtmAgentManagerService) { } @@ -42,7 +42,7 @@ export class UtmAgentSelectComponent implements OnInit { selectAgent($event: AgentType | any) { - this.agent = $event; + this.agent = `${$event.hostname} (${$event.os})`; this.agentSelect.emit($event); } } From 0a6b9900e3b1b6e851803994ececb96a3bda56ff Mon Sep 17 00:00:00 2001 
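Review bot: `selectAgent` now stores a display string, `${$event.hostname} (${$event.os})`, in `agent`, the field bound to the ng-select through `[(ngModel)]="agent"`, and the declaration is widened from `AgentType` to `any` to allow it; the component's model therefore no longer holds the selected `AgentType`, and the string will not compare equal to any item in `agents`, so re-selection or programmatic selection presumably cannot mark the current agent. Keeping `agent: AgentType` and `this.agent = $event;` and producing the label on the template side (the ng-select label binding or a label template, not visible in the html hunk) keeps the model typed and makes the bound value and the emitted value the same object. If the label is needed in the component, store it in a separate field rather than in the bound model.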
From: Manuel Abascal Date: Tue, 2 Jan 2024 11:27:18 +0200 Subject: [PATCH 13/20] #176 Fixed the timeline component does not render correctly in the details of an alert (#194) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: manuel Co-authored-by: Jorge Dieguez Pérez --- .../components/alert-history/alert-history.component.scss | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/frontend/src/app/data-management/alert-management/shared/components/alert-history/alert-history.component.scss b/frontend/src/app/data-management/alert-management/shared/components/alert-history/alert-history.component.scss index bbfbc6924..9d8b3da8c 100644 --- a/frontend/src/app/data-management/alert-management/shared/components/alert-history/alert-history.component.scss +++ b/frontend/src/app/data-management/alert-management/shared/components/alert-history/alert-history.component.scss @@ -19,5 +19,6 @@ } .utm_tmtimeline:before { - left: 118px; + left: 160px; + margin-left: 0; } From 3f061404a8aae20256a9a01f99d9bc067b9a0979 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Tue, 2 Jan 2024 11:27:34 +0200 Subject: [PATCH 14/20] #183 Fixed tag name not displayed when deleting (#192) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: manuel Co-authored-by: Jorge Dieguez Pérez --- .../alert-tags/alert-tags-management.component.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frontend/src/app/data-management/alert-management/alert-tags/alert-tags-management.component.ts b/frontend/src/app/data-management/alert-management/alert-tags/alert-tags-management.component.ts index 43fa8c8c2..a876366b4 100644 --- a/frontend/src/app/data-management/alert-management/alert-tags/alert-tags-management.component.ts +++ b/frontend/src/app/data-management/alert-management/alert-tags/alert-tags-management.component.ts 
@@ -65,7 +65,7 @@ export class AlertTagsManagementComponent implements OnInit { openDeleteConfirmation(tag: any) { const deleteModalRef = this.modalService.open(ModalConfirmationComponent, {centered: true}); deleteModalRef.componentInstance.header = 'Confirm delete operation'; - deleteModalRef.componentInstance.message = 'Are you sure that you want to delete the tag: ' + tag.name; + deleteModalRef.componentInstance.message = 'Are you sure that you want to delete the tag: ' + tag.tagName; deleteModalRef.componentInstance.confirmBtnText = 'Delete'; deleteModalRef.componentInstance.confirmBtnIcon = 'icon-database-remove'; deleteModalRef.componentInstance.confirmBtnType = 'delete'; From e9680dd4d28203751a58f584484930b6addb30ae Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Tue, 2 Jan 2024 11:27:47 +0200 Subject: [PATCH 15/20] Fix bug #169 Show a message describing that the alert has an inciden (#191) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Fix bug #169 Show a message describing that the alert has an incident already associated * #182 Fixed modal does not close when creating or associating an incident with an alert --------- Co-authored-by: manuel Co-authored-by: Jorge Dieguez Pérez --- .../alert-apply-incident.component.html | 12 ++-- .../alert-apply-incident.component.ts | 65 ++++++++++++++----- 2 files changed, 53 insertions(+), 24 deletions(-) diff --git a/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-incident/alert-apply-incident.component.html b/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-incident/alert-apply-incident.component.html index a762ace60..24a7ad693 100644 --- a/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-incident/alert-apply-incident.component.html 
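Review bot: The fix replaces `tag.name` with `tag.tagName`, but `openDeleteConfirmation(tag: any)` is what let the wrong property name compile in the first place; typing the parameter with the tag model this component's list uses (its name is not visible in the hunk) would have the compiler report such mismatches. While the line is touched, the message would read better as a template literal: ``deleteModalRef.componentInstance.message = `Are you sure that you want to delete the tag: ${tag.tagName}`;``. The method continues past the end of the hunk.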
+++ b/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-incident/alert-apply-incident.component.html @@ -3,9 +3,9 @@ placement="top" container="body" tooltipClass="utm-tooltip-top"> -
-