From rmerri...@apache.org
Subject [2/3] metron git commit: METRON-1189 Add alert escalation to the Alerts UI (merrimanr) closes apache/metron#762
Date Wed, 27 Sep 2017 17:31:51 GMT
http://git-wip-us.apache.org/repos/asf/metron/blob/cd7257e1/metron-interface/metron-alerts/e2e/mock-data/alerts_ui_e2e_index.data
----------------------------------------------------------------------
diff --git a/metron-interface/metron-alerts/e2e/mock-data/alerts_ui_e2e_index.data b/metron-interface/metron-alerts/e2e/mock-data/alerts_ui_e2e_index.data
new file mode 100644
index 0000000..f75c220
--- /dev/null
+++ b/metron-interface/metron-alerts/e2e/mock-data/alerts_ui_e2e_index.data
@@ -0,0 +1,338 @@
+{"create": { "_id": "dcda4423-75f1-8e14-c567-080962fafc47"}}
+{"enrichments:geo:ip_dst_addr:locID":"5368361","bro_timestamp":1505325572512,"status_code":200,"enrichments:geo:ip_dst_addr:location_point":"34.0494,-118.2641","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574783","enrichments:geo:ip_dst_addr:dmaCode":"803","enrichmentsplitterbolt:splitter:begin:ts":"1492671568547","enrichmentjoinbolt:joiner:ts":"1492671574101","adapter:geoadapter:begin:ts":"1492671572509","enrichments:geo:ip_dst_addr:latitude":"34.0494","uid":"CD23C83kXKw966hJtc","resp_mime_types":["text/plain"],"trans_depth":1,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574780","original_string":"HTTP | id.orig_p:49200 status_code:200 method:POST request_body_len:96 id.resp_p:80 orig_mime_types:[\"text\\/plain\"] uri:/wp-content/themes/grizzly/img5.php?t=8r1gf1b2t1kuq42 tags:[] uid:CD23C83kXKw966hJtc resp_mime_types:[\"text\\/plain\"] trans_depth:1 orig_fuids:[\"FS7RhoA94CA7tXRH3\"] host:comarksecurity.com status_msg:OK id
 .orig_h:192.168.138.158 response_body_len:996 user_agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671501.0 id.resp_h:72.34.49.86 resp_fuids:[\"F3FAZQ2jVEyeqyiQB7\"]","ip_dst_addr":"72.34.49.86","adapter:hostfromjsonlistadapter:end:ts":"1492671568750","host":"comarksecurity.com","adapter:geoadapter:end:ts":"1492671573840","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574109","enrichments:geo:ip_dst_addr:longitude":"-118.2641","user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","resp_fuids":["F3FAZQ2jVEyeqyiQB7"],"timestamp":1505325572512,"method":"POST","enrichmentsplitterbolt:splitter:end:ts":"1492671568555","request_body_len":96,"enrichments:geo:ip_dst_addr:city":"Los Angeles","enrichments:geo:ip_dst_add
 r:postalCode":"90014","adapter:hostfromjsonlistadapter:begin:ts":"1492671568737","orig_mime_types":["text/plain"],"uri":"/wp-content/themes/grizzly/img5.php?t=8r1gf1b2t1kuq42","tags":[],"orig_fuids":["FS7RhoA94CA7tXRH3"],"ip_src_port":49200,"threatintelsplitterbolt:splitter:begin:ts":"1492671574109","adapter:threatinteladapter:begin:ts":"1492671574115","status_msg":"OK","guid":"dcda4423-75f1-8e14-c567-080962fafc47","enrichments:geo:ip_dst_addr:country":"US","response_body_len":996}
+{"create": { "_id": "350c0e9f-a9db-e100-871f-833cbe5b29d2"}}
+{"bro_timestamp":1505325573512,"status_code":200,"enrichments:geo:ip_dst_addr:location_point":"55.7386,37.6068","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574785","enrichmentsplitterbolt:splitter:begin:ts":"1492671568556","enrichmentjoinbolt:joiner:ts":"1492671574102","adapter:geoadapter:begin:ts":"1492671573840","enrichments:geo:ip_dst_addr:latitude":"55.7386","uid":"Cbhgaw1IVL6NGqHpn2","resp_mime_types":["image/png"],"trans_depth":1,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574782","original_string":"HTTP | id.orig_p:49209 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:/img/flags/de.png tags:[] uid:Cbhgaw1IVL6NGqHpn2 referrer:http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg resp_mime_types:[\"image\\/png\"] trans_depth:1 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:534 user_agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2
 ; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671501.0 id.resp_h:95.163.121.204 resp_fuids:[\"F4cZLM1Rfj48wYg1Pb\"]","ip_dst_addr":"95.163.121.204","adapter:hostfromjsonlistadapter:end:ts":"1492671568750","host":"7oqnsnzwwnm6zb7y.gigapaysun.com","adapter:geoadapter:end:ts":"1492671574044","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574109","enrichments:geo:ip_dst_addr:longitude":"37.6068","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","resp_fuids":["F4cZLM1Rfj48wYg1Pb"],"timestamp":1505325573512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568556","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568750","uri":"/img/flags/de.png","tags":[],"referrer":"http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg","ip_src_port":49209,"threatintelsplitte
 rbolt:splitter:begin:ts":"1492671574109","adapter:threatinteladapter:begin:ts":"1492671574780","status_msg":"OK","guid":"350c0e9f-a9db-e100-871f-833cbe5b29d2","enrichments:geo:ip_dst_addr:country":"RU","response_body_len":534}
+{"create": { "_id": "b6fff6b7-9b5f-fe43-986f-dfe99d6b78e0"}}
+{"bro_timestamp":1505325574512,"ip_dst_port":8080,"threatinteljoinbolt:joiner:ts":"1492671574803","enrichmentsplitterbolt:splitter:begin:ts":"1492671568556","enrichmentjoinbolt:joiner:ts":"1492671574102","adapter:geoadapter:begin:ts":"1492671574045","uid":"CUrRne3iLIxXavQtci","trans_depth":100,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574801","original_string":"HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:/api/v1/clusters/metron_cluster/components/?fields=ServiceComponentInfo/service_name,ServiceComponentInfo/category,ServiceComponentInfo/installed_count,ServiceComponentInfo/started_count,ServiceComponentInfo/init_count,ServiceComponentInfo/install_failed_count,ServiceComponentInfo/unknown_count,ServiceComponentInfo/total_count,ServiceComponentInfo/display_name,host_components/HostRoles/host_name&minimal_response=true&_=1484168699029 tags:[] uid:CUrRne3iLIxXavQtci referrer:http://node1:8080/ trans_depth:100
  host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36 ts:1492671501.0 id.resp_h:192.168.66.121","ip_dst_addr":"192.168.66.121","adapter:hostfromjsonlistadapter:end:ts":"1492671568750","host":"node1","adapter:geoadapter:end:ts":"1492671574046","ip_src_addr":"192.168.66.1","threatintelsplitterbolt:splitter:end:ts":"1492671574109","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36","timestamp":1505325574512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568557","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568750","uri":"/api/v1/clusters/metron_cluster/components/?fields=ServiceComponentInfo/service_name,ServiceComponentInfo/category,ServiceComponentInfo/installed_count,ServiceComponentInfo/started_count,ServiceComponentInfo/init_
 count,ServiceComponentInfo/install_failed_count,ServiceComponentInfo/unknown_count,ServiceComponentInfo/total_count,ServiceComponentInfo/display_name,host_components/HostRoles/host_name&minimal_response=true&_=1484168699029","tags":[],"referrer":"http://node1:8080/","ip_src_port":50451,"threatintelsplitterbolt:splitter:begin:ts":"1492671574109","adapter:threatinteladapter:begin:ts":"1492671574782","guid":"b6fff6b7-9b5f-fe43-986f-dfe99d6b78e0","response_body_len":0}
+{"create": { "_id": "acf5a641-9cdb-d7ec-c309-6ea316e14fbe"}}
+{"bro_timestamp":1505325575512,"ip_dst_port":8080,"threatinteljoinbolt:joiner:ts":"1492671574804","enrichmentsplitterbolt:splitter:begin:ts":"1492671568557","enrichmentjoinbolt:joiner:ts":"1492671574105","adapter:geoadapter:begin:ts":"1492671574046","uid":"CUrRne3iLIxXavQtci","trans_depth":201,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574801","original_string":"HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:/api/v1/clusters/metron_cluster/components/?fields=ServiceComponentInfo/service_name,ServiceComponentInfo/category,ServiceComponentInfo/installed_count,ServiceComponentInfo/started_count,ServiceComponentInfo/init_count,ServiceComponentInfo/install_failed_count,ServiceComponentInfo/unknown_count,ServiceComponentInfo/total_count,ServiceComponentInfo/display_name,host_components/HostRoles/host_name&minimal_response=true&_=1484169230174 tags:[] uid:CUrRne3iLIxXavQtci referrer:http://node1:8080/ trans_depth:201
  host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36 ts:1492671501.0 id.resp_h:192.168.66.121","ip_dst_addr":"192.168.66.121","adapter:hostfromjsonlistadapter:end:ts":"1492671568750","host":"node1","adapter:geoadapter:end:ts":"1492671574046","ip_src_addr":"192.168.66.1","threatintelsplitterbolt:splitter:end:ts":"1492671574110","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36","timestamp":1505325575512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568557","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568750","uri":"/api/v1/clusters/metron_cluster/components/?fields=ServiceComponentInfo/service_name,ServiceComponentInfo/category,ServiceComponentInfo/installed_count,ServiceComponentInfo/started_count,ServiceComponentInfo/init_
 count,ServiceComponentInfo/install_failed_count,ServiceComponentInfo/unknown_count,ServiceComponentInfo/total_count,ServiceComponentInfo/display_name,host_components/HostRoles/host_name&minimal_response=true&_=1484169230174","tags":[],"referrer":"http://node1:8080/","ip_src_port":50451,"threatintelsplitterbolt:splitter:begin:ts":"1492671574110","adapter:threatinteladapter:begin:ts":"1492671574801","guid":"acf5a641-9cdb-d7ec-c309-6ea316e14fbe","response_body_len":0}
+{"create": { "_id": "32ac21dc-2d63-922a-859e-7b885d338edb"}}
+{"bro_timestamp":1505325576512,"ip_dst_port":8080,"threatinteljoinbolt:joiner:ts":"1492671574804","enrichmentsplitterbolt:splitter:begin:ts":"1492671568557","enrichmentjoinbolt:joiner:ts":"1492671574105","adapter:geoadapter:begin:ts":"1492671574046","uid":"CUrRne3iLIxXavQtci","trans_depth":54,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574801","original_string":"HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:/api/v1/clusters/metron_cluster/services?fields=ServiceInfo/state,ServiceInfo/maintenance_state,components/ServiceComponentInfo/component_name&minimal_response=true&_=1484168537303 tags:[] uid:CUrRne3iLIxXavQtci referrer:http://node1:8080/ trans_depth:54 host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36 ts:1492671501.0 id.resp_h:192.168.66.121","ip_dst_addr":"192.168.66.121
 ","adapter:hostfromjsonlistadapter:end:ts":"1492671568750","host":"node1","adapter:geoadapter:end:ts":"1492671574046","ip_src_addr":"192.168.66.1","threatintelsplitterbolt:splitter:end:ts":"1492671574110","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36","timestamp":1505325576512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568557","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568750","uri":"/api/v1/clusters/metron_cluster/services?fields=ServiceInfo/state,ServiceInfo/maintenance_state,components/ServiceComponentInfo/component_name&minimal_response=true&_=1484168537303","tags":[],"referrer":"http://node1:8080/","ip_src_port":50451,"threatintelsplitterbolt:splitter:begin:ts":"1492671574110","adapter:threatinteladapter:begin:ts":"1492671574801","guid":"32ac21dc-2d63-922a-859e-7b885d338edb","response_body_len":0}
+{"create": { "_id": "07b29c29-9ab0-37dd-31d3-08ff19eaa888"}}
+{"enrichments:geo:ip_dst_addr:locID":"2973783","bro_timestamp":1505325577512,"status_code":200,"enrichments:geo:ip_dst_addr:location_point":"48.5839,7.7455","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574805","enrichmentsplitterbolt:splitter:begin:ts":"1492671568558","enrichmentjoinbolt:joiner:ts":"1492671574105","adapter:geoadapter:begin:ts":"1492671574046","enrichments:geo:ip_dst_addr:latitude":"48.5839","uid":"CzXaqT1OEPg60SoJ31","trans_depth":1,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574802","original_string":"HTTP | id.orig_p:49196 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:/?51424ddd486ff06861fceed24e86b329 tags:[] uid:CzXaqT1OEPg60SoJ31 trans_depth:1 host:62.75.195.236 status_msg:OK id.orig_h:192.168.138.158 response_body_len:0 user_agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.
 0) ts:1492671501.0 id.resp_h:62.75.195.236","ip_dst_addr":"62.75.195.236","adapter:hostfromjsonlistadapter:end:ts":"1492671568751","host":"62.75.195.236","adapter:geoadapter:end:ts":"1492671574047","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574110","enrichments:geo:ip_dst_addr:longitude":"7.7455","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","timestamp":1505325577512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568558","request_body_len":0,"enrichments:geo:ip_dst_addr:city":"Strasbourg","enrichments:geo:ip_dst_addr:postalCode":"67100","adapter:hostfromjsonlistadapter:begin:ts":"1492671568750","uri":"/?51424ddd486ff06861fceed24e86b329","tags":[],"ip_src_port":49196,"threatintelsplitterbolt:splitter:begin:ts":"1492671574110","adapter:threatinteladapter:begin:ts":"1492671574801","status_msg":"OK","guid"
 :"07b29c29-9ab0-37dd-31d3-08ff19eaa888","enrichments:geo:ip_dst_addr:country":"FR","response_body_len":0}
+{"create": { "_id": "04a9e4c4-606d-0253-20b4-6e714603c2f2"}}
+{"TTLs":[29],"qclass_name":"C_INTERNET","bro_timestamp":1505325578512,"qtype_name":"A","ip_dst_port":53,"threatinteljoinbolt:joiner:ts":"1492671574806","qtype":1,"rejected":false,"answers":["62.75.195.236"],"enrichmentsplitterbolt:splitter:begin:ts":"1492671568558","enrichmentjoinbolt:joiner:ts":"1492671574109","trans_id":27248,"adapter:geoadapter:begin:ts":"1492671574047","uid":"CWHzfi498ODM7YJg6b","protocol":"dns","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574804","original_string":"DNS | AA:false TTLs:[29.0] qclass_name:C_INTERNET id.orig_p:65315 qtype_name:A qtype:1 rejected:false id.resp_p:53 query:ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in answers:[\"62.75.195.236\"] trans_id:27248 rcode:0 rcode_name:NOERROR TC:false RA:true uid:CWHzfi498ODM7YJg6b RD:true proto:udp id.orig_h:192.168.138.158 Z:0 qclass:1 ts:1492671501.0 id.resp_h:192.168.138.2","ip_dst_addr":"192.168.138.2","adapter:hostfromjsonlistadapter:end:ts"
 :"1492671568751","Z":0,"adapter:geoadapter:end:ts":"1492671574048","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574110","qclass":1,"timestamp":1505325578512,"AA":false,"enrichmentsplitterbolt:splitter:end:ts":"1492671568558","query":"ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in","rcode":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568751","rcode_name":"NOERROR","TC":false,"RA":true,"RD":true,"ip_src_port":65315,"proto":"udp","threatintelsplitterbolt:splitter:begin:ts":"1492671574110","adapter:threatinteladapter:begin:ts":"1492671574802","guid":"04a9e4c4-606d-0253-20b4-6e714603c2f2"}
+{"create": { "_id": "82f8046d-de35-8e8f-3081-bc03b17480dd"}}
+{"qclass_name":"qclass-32769","bro_timestamp":1505325579512,"qtype_name":"PTR","ip_dst_port":5353,"threatinteljoinbolt:joiner:ts":"1492671574807","qtype":12,"rejected":false,"enrichmentsplitterbolt:splitter:begin:ts":"1492671568558","enrichmentjoinbolt:joiner:ts":"1492671574111","trans_id":0,"adapter:geoadapter:begin:ts":"1492671574048","uid":"CgtMqC3lAinR22Xi6c","protocol":"dns","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574806","original_string":"DNS | AA:false qclass_name:qclass-32769 id.orig_p:5353 qtype_name:PTR qtype:12 rejected:false id.resp_p:5353 query:_googlecast._tcp.local trans_id:0 TC:false RA:false uid:CgtMqC3lAinR22Xi6c RD:false proto:udp id.orig_h:192.168.66.1 Z:0 qclass:32769 ts:1492671501.0 id.resp_h:224.0.0.251","ip_dst_addr":"224.0.0.251","adapter:hostfromjsonlistadapter:end:ts":"1492671568751","Z":0,"adapter:geoadapter:end:ts":"1492671574048","ip_src_addr":"192.168.66.1","threatintelsplitterbolt:splitter:end:ts":"1492671574119","qc
 lass":32769,"timestamp":1505325579512,"AA":false,"enrichmentsplitterbolt:splitter:end:ts":"1492671568558","query":"_googlecast._tcp.local","adapter:hostfromjsonlistadapter:begin:ts":"1492671568751","TC":false,"RA":false,"RD":false,"ip_src_port":5353,"proto":"udp","threatintelsplitterbolt:splitter:begin:ts":"1492671574119","adapter:threatinteladapter:begin:ts":"1492671574804","guid":"82f8046d-de35-8e8f-3081-bc03b17480dd"}
+{"create": { "_id": "5c1825f6-75a4-4d5c-9961-f9da3abe3aec"}}
+{"qclass_name":"C_INTERNET","bro_timestamp":1505325580512,"qtype_name":"PTR","ip_dst_port":5353,"threatinteljoinbolt:joiner:ts":"1492671574809","qtype":12,"rejected":false,"enrichmentsplitterbolt:splitter:begin:ts":"1492671568559","enrichmentjoinbolt:joiner:ts":"1492671574111","trans_id":0,"adapter:geoadapter:begin:ts":"1492671574048","uid":"CEuiK04pVuL2Su5Rqg","protocol":"dns","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574806","original_string":"DNS | AA:false qclass_name:C_INTERNET id.orig_p:5353 qtype_name:PTR qtype:12 rejected:false id.resp_p:5353 query:_googlecast._tcp.local trans_id:0 TC:false RA:false uid:CEuiK04pVuL2Su5Rqg RD:false proto:udp id.orig_h:192.168.66.1 Z:0 qclass:1 ts:1492671501.0 id.resp_h:224.0.0.251","ip_dst_addr":"224.0.0.251","adapter:hostfromjsonlistadapter:end:ts":"1492671568751","Z":0,"adapter:geoadapter:end:ts":"1492671574048","ip_src_addr":"192.168.66.1","threatintelsplitterbolt:splitter:end:ts":"1492671574119","qclass":1,
 "timestamp":1505325580512,"AA":false,"enrichmentsplitterbolt:splitter:end:ts":"1492671568559","query":"_googlecast._tcp.local","adapter:hostfromjsonlistadapter:begin:ts":"1492671568751","TC":false,"RA":false,"RD":false,"ip_src_port":5353,"proto":"udp","threatintelsplitterbolt:splitter:begin:ts":"1492671574119","adapter:threatinteladapter:begin:ts":"1492671574806","guid":"5c1825f6-75a4-4d5c-9961-f9da3abe3aec"}
+{"create": { "_id": "9041285e-94a4-cd90-51f6-4da04a885b53"}}
+{"qclass_name":"C_INTERNET","bro_timestamp":1505325581512,"qtype_name":"PTR","ip_dst_port":5353,"threatinteljoinbolt:joiner:ts":"1492671574809","qtype":12,"rejected":false,"enrichmentsplitterbolt:splitter:begin:ts":"1492671568559","enrichmentjoinbolt:joiner:ts":"1492671574111","trans_id":0,"adapter:geoadapter:begin:ts":"1492671574048","uid":"ChMDrL20pLP4UzCncj","protocol":"dns","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574806","original_string":"DNS | AA:false qclass_name:C_INTERNET id.orig_p:5353 qtype_name:PTR qtype:12 rejected:false id.resp_p:5353 query:_googlecast._tcp.local trans_id:0 TC:false RA:false uid:ChMDrL20pLP4UzCncj RD:false proto:udp id.orig_h:192.168.66.1 Z:0 qclass:1 ts:1492671507.0 id.resp_h:224.0.0.251","ip_dst_addr":"224.0.0.251","adapter:hostfromjsonlistadapter:end:ts":"1492671568751","Z":0,"adapter:geoadapter:end:ts":"1492671574048","ip_src_addr":"192.168.66.1","threatintelsplitterbolt:splitter:end:ts":"1492671574119","qclass":1,
 "timestamp":1505325581512,"AA":false,"enrichmentsplitterbolt:splitter:end:ts":"1492671568559","query":"_googlecast._tcp.local","adapter:hostfromjsonlistadapter:begin:ts":"1492671568751","TC":false,"RA":false,"RD":false,"ip_src_port":5353,"proto":"udp","threatintelsplitterbolt:splitter:begin:ts":"1492671574119","adapter:threatinteladapter:begin:ts":"1492671574806","guid":"9041285e-94a4-cd90-51f6-4da04a885b53"}
+{"create": { "_id": "9a969c64-b82c-f2c9-7178-cc001cb011a3"}}
+{"enrichments:geo:ip_dst_addr:locID":"5308655","bro_timestamp":1505325582512,"status_code":404,"enrichments:geo:ip_dst_addr:location_point":"33.4499,-112.0712","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574810","enrichments:geo:ip_dst_addr:dmaCode":"753","enrichmentsplitterbolt:splitter:begin:ts":"1492671568561","enrichmentjoinbolt:joiner:ts":"1492671574111","adapter:geoadapter:begin:ts":"1492671574048","enrichments:geo:ip_dst_addr:latitude":"33.4499","uid":"CdUJwG2Df90m0Y7OSi","resp_mime_types":["text/html"],"trans_depth":1,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:49199 status_code:404 method:POST request_body_len:96 id.resp_p:80 orig_mime_types:[\"text\\/plain\"] uri:/wp-content/themes/twentyfifteen/img5.php?l=8r1gf1b2t1kuq42 tags:[] uid:CdUJwG2Df90m0Y7OSi resp_mime_types:[\"text\\/html\"] trans_depth:1 orig_fuids:[\"Fh9CoH303MQ3vTRjB\"] host:runlove.us status_msg:Not Found
  id.orig_h:192.168.138.158 response_body_len:357 user_agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671507.0 id.resp_h:204.152.254.221 resp_fuids:[\"F9iisA25ZMf02F0vS5\"]","ip_dst_addr":"204.152.254.221","adapter:hostfromjsonlistadapter:end:ts":"1492671568751","host":"runlove.us","adapter:geoadapter:end:ts":"1492671574049","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574119","enrichments:geo:ip_dst_addr:longitude":"-112.0712","user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","resp_fuids":["F9iisA25ZMf02F0vS5"],"timestamp":1505325582512,"method":"POST","enrichmentsplitterbolt:splitter:end:ts":"1492671568561","request_body_len":96,"enrichments:geo:ip_dst_addr:city":"Phoenix","enrichments:geo:ip_dst_addr
 :postalCode":"85004","adapter:hostfromjsonlistadapter:begin:ts":"1492671568751","orig_mime_types":["text/plain"],"uri":"/wp-content/themes/twentyfifteen/img5.php?l=8r1gf1b2t1kuq42","tags":[],"orig_fuids":["Fh9CoH303MQ3vTRjB"],"ip_src_port":49199,"threatintelsplitterbolt:splitter:begin:ts":"1492671574119","adapter:threatinteladapter:begin:ts":"1492671574806","status_msg":"Not Found","guid":"9a969c64-b82c-f2c9-7178-cc001cb011a3","enrichments:geo:ip_dst_addr:country":"US","response_body_len":357}
+{"create": { "_id": "e50bb873-94b8-e854-2e67-1ee7b77ac927"}}
+{"TTLs":[29],"qclass_name":"C_INTERNET","bro_timestamp":1505325583512,"qtype_name":"A","ip_dst_port":53,"threatinteljoinbolt:joiner:ts":"1492671574810","qtype":1,"rejected":false,"answers":["62.75.195.236"],"enrichmentsplitterbolt:splitter:begin:ts":"1492671568561","enrichmentjoinbolt:joiner:ts":"1492671574111","trans_id":27248,"adapter:geoadapter:begin:ts":"1492671574049","uid":"CTpa5V317MTyEHxIjf","protocol":"dns","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"DNS | AA:false TTLs:[29.0] qclass_name:C_INTERNET id.orig_p:65315 qtype_name:A qtype:1 rejected:false id.resp_p:53 query:ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in answers:[\"62.75.195.236\"] trans_id:27248 rcode:0 rcode_name:NOERROR TC:false RA:true uid:CTpa5V317MTyEHxIjf RD:true proto:udp id.orig_h:192.168.138.158 Z:0 qclass:1 ts:1492671507.0 id.resp_h:192.168.138.2","ip_dst_addr":"192.168.138.2","adapter:hostfromjsonlistadapter:end:ts"
 :"1492671568751","Z":0,"adapter:geoadapter:end:ts":"1492671574049","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574119","qclass":1,"timestamp":1505325583512,"AA":false,"enrichmentsplitterbolt:splitter:end:ts":"1492671568561","query":"ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in","rcode":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568751","rcode_name":"NOERROR","TC":false,"RA":true,"RD":true,"ip_src_port":65315,"proto":"udp","threatintelsplitterbolt:splitter:begin:ts":"1492671574119","adapter:threatinteladapter:begin:ts":"1492671574808","guid":"e50bb873-94b8-e854-2e67-1ee7b77ac927"}
+{"create": { "_id": "78d8a1bc-de5e-ae2f-e6fd-7118c7316235"}}
+{"bro_timestamp":1505325584512,"ip_dst_port":8080,"threatinteljoinbolt:joiner:ts":"1492671574810","enrichmentsplitterbolt:splitter:begin:ts":"1492671568561","enrichmentjoinbolt:joiner:ts":"1492671574115","adapter:geoadapter:begin:ts":"1492671574049","uid":"CUrRne3iLIxXavQtci","trans_depth":97,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:/api/v1/clusters?fields=Clusters/provisioning_state&_=1484168694108 tags:[] uid:CUrRne3iLIxXavQtci referrer:http://node1:8080/ trans_depth:97 host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36 ts:1492671507.0 id.resp_h:192.168.66.121","ip_dst_addr":"192.168.66.121","adapter:hostfromjsonlistadapter:end:ts":"1492671568751","host":"node1","adapter:geoadapter:end:ts":"1492671574
 049","ip_src_addr":"192.168.66.1","threatintelsplitterbolt:splitter:end:ts":"1492671574120","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36","timestamp":1505325584512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568561","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568751","uri":"/api/v1/clusters?fields=Clusters/provisioning_state&_=1484168694108","tags":[],"referrer":"http://node1:8080/","ip_src_port":50451,"threatintelsplitterbolt:splitter:begin:ts":"1492671574120","adapter:threatinteladapter:begin:ts":"1492671574808","guid":"78d8a1bc-de5e-ae2f-e6fd-7118c7316235","response_body_len":0}
+{"create": { "_id": "e71004c5-ea05-020b-dc85-5bc310de7643"}}
+{"TTLs":[13888],"qclass_name":"C_INTERNET","bro_timestamp":1505325585512,"qtype_name":"A","ip_dst_port":53,"threatinteljoinbolt:joiner:ts":"1492671574810","qtype":1,"rejected":false,"answers":["72.34.49.86"],"enrichmentsplitterbolt:splitter:begin:ts":"1492671568566","enrichmentjoinbolt:joiner:ts":"1492671574116","trans_id":41589,"adapter:geoadapter:begin:ts":"1492671574049","uid":"CE6YSn3vJULMx9hAJk","protocol":"dns","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"DNS | AA:false TTLs:[13888.0] qclass_name:C_INTERNET id.orig_p:56753 qtype_name:A qtype:1 rejected:false id.resp_p:53 query:comarksecurity.com answers:[\"72.34.49.86\"] trans_id:41589 rcode:0 rcode_name:NOERROR TC:false RA:true uid:CE6YSn3vJULMx9hAJk RD:true proto:udp id.orig_h:192.168.138.158 Z:0 qclass:1 ts:1492671507.0 id.resp_h:192.168.138.2","ip_dst_addr":"192.168.138.2","adapter:hostfromjsonlistadapter:end:ts":"1492671568751","Z":0,"adapter:geoadapter:end:ts":"1492
 671574049","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574120","qclass":1,"timestamp":1505325585512,"AA":false,"enrichmentsplitterbolt:splitter:end:ts":"1492671568566","query":"comarksecurity.com","rcode":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568751","rcode_name":"NOERROR","TC":false,"RA":true,"RD":true,"ip_src_port":56753,"proto":"udp","threatintelsplitterbolt:splitter:begin:ts":"1492671574120","adapter:threatinteladapter:begin:ts":"1492671574808","guid":"e71004c5-ea05-020b-dc85-5bc310de7643"}
+{"create": { "_id": "7cd91565-132f-3340-db76-3ade5be54a6e"}}
+{"enrichments:geo:ip_dst_addr:locID":"2973783","bro_timestamp":1505325586512,"status_code":200,"enrichments:geo:ip_dst_addr:location_point":"48.5839,7.7455","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574810","enrichmentsplitterbolt:splitter:begin:ts":"1492671568566","enrichmentjoinbolt:joiner:ts":"1492671574116","adapter:geoadapter:begin:ts":"1492671574049","enrichments:geo:ip_dst_addr:latitude":"48.5839","uid":"CnsJ3j4qkyHcpNUuZa","trans_depth":1,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:49196 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:/?51424ddd486ff06861fceed24e86b329 tags:[] uid:CnsJ3j4qkyHcpNUuZa trans_depth:1 host:62.75.195.236 status_msg:OK id.orig_h:192.168.138.158 response_body_len:0 user_agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.
 0) ts:1492671507.0 id.resp_h:62.75.195.236","ip_dst_addr":"62.75.195.236","adapter:hostfromjsonlistadapter:end:ts":"1492671568751","host":"62.75.195.236","adapter:geoadapter:end:ts":"1492671574049","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574121","enrichments:geo:ip_dst_addr:longitude":"7.7455","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","timestamp":1505325586512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568571","request_body_len":0,"enrichments:geo:ip_dst_addr:city":"Strasbourg","enrichments:geo:ip_dst_addr:postalCode":"67100","adapter:hostfromjsonlistadapter:begin:ts":"1492671568751","uri":"/?51424ddd486ff06861fceed24e86b329","tags":[],"ip_src_port":49196,"threatintelsplitterbolt:splitter:begin:ts":"1492671574120","adapter:threatinteladapter:begin:ts":"1492671574808","status_msg":"OK","guid"
 :"7cd91565-132f-3340-db76-3ade5be54a6e","enrichments:geo:ip_dst_addr:country":"FR","response_body_len":0}
+{"create": { "_id": "3df1ef3e-93b8-c678-3067-64e5d40ed54a"}}
+{"bro_timestamp":1505325587512,"ip_dst_port":8080,"threatinteljoinbolt:joiner:ts":"1492671574811","enrichmentsplitterbolt:splitter:begin:ts":"1492671568586","enrichmentjoinbolt:joiner:ts":"1492671574116","adapter:geoadapter:begin:ts":"1492671574049","uid":"CUrRne3iLIxXavQtci","trans_depth":41,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:/api/v1/clusters/metron_cluster/components/?fields=ServiceComponentInfo/service_name,ServiceComponentInfo/category,ServiceComponentInfo/installed_count,ServiceComponentInfo/started_count,ServiceComponentInfo/init_count,ServiceComponentInfo/install_failed_count,ServiceComponentInfo/unknown_count,ServiceComponentInfo/total_count,ServiceComponentInfo/display_name,host_components/HostRoles/host_name&minimal_response=true&_=1484168502465 tags:[] uid:CUrRne3iLIxXavQtci referrer:http://node1:8080/ trans_depth:41 h
 ost:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36 ts:1492671507.0 id.resp_h:192.168.66.121","ip_dst_addr":"192.168.66.121","adapter:hostfromjsonlistadapter:end:ts":"1492671568779","host":"node1","adapter:geoadapter:end:ts":"1492671574049","ip_src_addr":"192.168.66.1","threatintelsplitterbolt:splitter:end:ts":"1492671574121","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36","timestamp":1505325587512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568586","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568779","uri":"/api/v1/clusters/metron_cluster/components/?fields=ServiceComponentInfo/service_name,ServiceComponentInfo/category,ServiceComponentInfo/installed_count,ServiceComponentInfo/started_count,ServiceComponentInfo/init_co
 unt,ServiceComponentInfo/install_failed_count,ServiceComponentInfo/unknown_count,ServiceComponentInfo/total_count,ServiceComponentInfo/display_name,host_components/HostRoles/host_name&minimal_response=true&_=1484168502465","tags":[],"referrer":"http://node1:8080/","ip_src_port":50451,"threatintelsplitterbolt:splitter:begin:ts":"1492671574121","adapter:threatinteladapter:begin:ts":"1492671574808","guid":"3df1ef3e-93b8-c678-3067-64e5d40ed54a","response_body_len":0}
+{"create": { "_id": "9b47e24a-e943-9f28-cd2f-002ca6627943"}}
+{"bro_timestamp":1505325588512,"status_code":200,"enrichments:geo:ip_dst_addr:location_point":"55.7386,37.6068","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574811","enrichmentsplitterbolt:splitter:begin:ts":"1492671568586","enrichmentjoinbolt:joiner:ts":"1492671574117","adapter:geoadapter:begin:ts":"1492671574050","enrichments:geo:ip_dst_addr:latitude":"55.7386","uid":"CsUjA541poEzvhMfuf","resp_mime_types":["text/html"],"trans_depth":1,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:49205 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:/11iQmfg tags:[] uid:CsUjA541poEzvhMfuf resp_mime_types:[\"text\\/html\"] trans_depth:1 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:3289 user_agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Me
 dia Center PC 6.0) ts:1492671507.0 id.resp_h:95.163.121.204 resp_fuids:[\"FOov1rV6rL28n8qy1\"]","ip_dst_addr":"95.163.121.204","adapter:hostfromjsonlistadapter:end:ts":"1492671568779","host":"7oqnsnzwwnm6zb7y.gigapaysun.com","adapter:geoadapter:end:ts":"1492671574050","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574121","enrichments:geo:ip_dst_addr:longitude":"37.6068","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","resp_fuids":["FOov1rV6rL28n8qy1"],"timestamp":1505325588512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568586","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568779","uri":"/11iQmfg","tags":[],"ip_src_port":49205,"threatintelsplitterbolt:splitter:begin:ts":"1492671574121","adapter:threatinteladapter:begin:ts":"1492671574808","status_msg":"OK","guid":"9b47e24a-e943-
 9f28-cd2f-002ca6627943","enrichments:geo:ip_dst_addr:country":"RU","response_body_len":3289}
+{"create": { "_id": "f84466fa-f4fe-b38f-2cfe-cac4216ced72"}}
+{"bro_timestamp":1505325589512,"ip_dst_port":8080,"threatinteljoinbolt:joiner:ts":"1492671574811","enrichmentsplitterbolt:splitter:begin:ts":"1492671568586","enrichmentjoinbolt:joiner:ts":"1492671574117","adapter:geoadapter:begin:ts":"1492671574050","uid":"CUrRne3iLIxXavQtci","trans_depth":211,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:/api/v1/persist/wizard-data?_=1484169260964 tags:[] uid:CUrRne3iLIxXavQtci referrer:http://node1:8080/ trans_depth:211 host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36 ts:1492671507.0 id.resp_h:192.168.66.121","ip_dst_addr":"192.168.66.121","adapter:hostfromjsonlistadapter:end:ts":"1492671568779","host":"node1","adapter:geoadapter:end:ts":"1492671574050","ip_src_addr":"19
 2.168.66.1","threatintelsplitterbolt:splitter:end:ts":"1492671574121","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36","timestamp":1505325589512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568587","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568779","uri":"/api/v1/persist/wizard-data?_=1484169260964","tags":[],"referrer":"http://node1:8080/","ip_src_port":50451,"threatintelsplitterbolt:splitter:begin:ts":"1492671574121","adapter:threatinteladapter:begin:ts":"1492671574808","guid":"f84466fa-f4fe-b38f-2cfe-cac4216ced72","response_body_len":0}
+{"create": { "_id": "5316f324-fd96-2d5c-43ea-4d20ebcfb025"}}
+{"TTLs":[13888],"qclass_name":"C_INTERNET","bro_timestamp":1505325590512,"qtype_name":"A","ip_dst_port":53,"threatinteljoinbolt:joiner:ts":"1492671574811","qtype":1,"rejected":false,"answers":["72.34.49.86"],"enrichmentsplitterbolt:splitter:begin:ts":"1492671568587","enrichmentjoinbolt:joiner:ts":"1492671574118","trans_id":41589,"adapter:geoadapter:begin:ts":"1492671574050","uid":"COWVWoXxyrLnj1cX7","protocol":"dns","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"DNS | AA:false TTLs:[13888.0] qclass_name:C_INTERNET id.orig_p:56753 qtype_name:A qtype:1 rejected:false id.resp_p:53 query:comarksecurity.com answers:[\"72.34.49.86\"] trans_id:41589 rcode:0 rcode_name:NOERROR TC:false RA:true uid:COWVWoXxyrLnj1cX7 RD:true proto:udp id.orig_h:192.168.138.158 Z:0 qclass:1 ts:1492671514.0 id.resp_h:192.168.138.2","ip_dst_addr":"192.168.138.2","adapter:hostfromjsonlistadapter:end:ts":"1492671568779","Z":0,"adapter:geoadapter:end:ts":"149267
 1574050","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574121","qclass":1,"timestamp":1505325590512,"AA":false,"enrichmentsplitterbolt:splitter:end:ts":"1492671568587","query":"comarksecurity.com","rcode":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568779","rcode_name":"NOERROR","TC":false,"RA":true,"RD":true,"ip_src_port":56753,"proto":"udp","threatintelsplitterbolt:splitter:begin:ts":"1492671574121","adapter:threatinteladapter:begin:ts":"1492671574808","guid":"5316f324-fd96-2d5c-43ea-4d20ebcfb025"}
+{"create": { "_id": "4cac5e2c-3fcf-0628-494e-b23deb1ebcc6"}}
+{"bro_timestamp":1505325591512,"status_code":304,"enrichments:geo:ip_dst_addr:location_point":"55.7386,37.6068","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574811","enrichmentsplitterbolt:splitter:begin:ts":"1492671568587","enrichmentjoinbolt:joiner:ts":"1492671574118","adapter:geoadapter:begin:ts":"1492671574050","enrichments:geo:ip_dst_addr:latitude":"55.7386","uid":"CXVtpNU35nZ84YA8","trans_depth":4,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:49206 status_code:304 method:GET request_body_len:0 id.resp_p:80 uri:/img/style.css tags:[] uid:CXVtpNU35nZ84YA8 referrer:http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg trans_depth:4 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:Not Modified id.orig_h:192.168.138.158 response_body_len:0 user_agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Med
 ia Center PC 6.0) ts:1492671514.0 id.resp_h:95.163.121.204","ip_dst_addr":"95.163.121.204","adapter:hostfromjsonlistadapter:end:ts":"1492671568779","host":"7oqnsnzwwnm6zb7y.gigapaysun.com","adapter:geoadapter:end:ts":"1492671574050","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574121","enrichments:geo:ip_dst_addr:longitude":"37.6068","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","timestamp":1505325591512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568587","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568779","uri":"/img/style.css","tags":[],"referrer":"http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg","ip_src_port":49206,"threatintelsplitterbolt:splitter:begin:ts":"1492671574121","adapter:threatinteladapter:begin:ts":"1492671574808","status_msg":"Not Modified","guid":"4cac5e2c-
 3fcf-0628-494e-b23deb1ebcc6","enrichments:geo:ip_dst_addr:country":"RU","response_body_len":0}
+{"create": { "_id": "71df116d-9985-348a-3b9c-bbe60f1c563e"}}
+{"bro_timestamp":1505325592512,"ip_dst_port":8080,"threatinteljoinbolt:joiner:ts":"1492671574811","enrichmentsplitterbolt:splitter:begin:ts":"1492671568588","enrichmentjoinbolt:joiner:ts":"1492671574118","adapter:geoadapter:begin:ts":"1492671574050","uid":"CUrRne3iLIxXavQtci","trans_depth":266,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:/api/v1/clusters/metron_cluster/services?fields=ServiceInfo/state,ServiceInfo/maintenance_state,components/ServiceComponentInfo/component_name&minimal_response=true&_=1484169506956 tags:[] uid:CUrRne3iLIxXavQtci referrer:http://node1:8080/ trans_depth:266 host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36 ts:1492671514.0 id.resp_h:192.168.66.121","ip_dst_addr":"192.168.66.1
 21","adapter:hostfromjsonlistadapter:end:ts":"1492671568779","host":"node1","adapter:geoadapter:end:ts":"1492671574050","ip_src_addr":"192.168.66.1","threatintelsplitterbolt:splitter:end:ts":"1492671574121","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36","timestamp":1505325592512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568588","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568779","uri":"/api/v1/clusters/metron_cluster/services?fields=ServiceInfo/state,ServiceInfo/maintenance_state,components/ServiceComponentInfo/component_name&minimal_response=true&_=1484169506956","tags":[],"referrer":"http://node1:8080/","ip_src_port":50451,"threatintelsplitterbolt:splitter:begin:ts":"1492671574121","adapter:threatinteladapter:begin:ts":"1492671574808","guid":"71df116d-9985-348a-3b9c-bbe60f1c563e","response_body_len":0}
+{"create": { "_id": "a651f7c3-1c6e-1260-44bf-7da97d4966c9"}}
+{"enrichments:geo:ip_dst_addr:locID":"5308655","bro_timestamp":1505325593512,"status_code":404,"enrichments:geo:ip_dst_addr:location_point":"33.4499,-112.0712","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574811","enrichments:geo:ip_dst_addr:dmaCode":"753","enrichmentsplitterbolt:splitter:begin:ts":"1492671568588","enrichmentjoinbolt:joiner:ts":"1492671574118","adapter:geoadapter:begin:ts":"1492671574050","enrichments:geo:ip_dst_addr:latitude":"33.4499","uid":"CY9lhK2A2rSE61rvWi","resp_mime_types":["text/html"],"trans_depth":1,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:49197 status_code:404 method:POST request_body_len:134 id.resp_p:80 orig_mime_types:[\"text\\/plain\"] uri:/wp-content/themes/twentyfifteen/img5.php?t=cdcnw7cfz43rmtg tags:[] uid:CY9lhK2A2rSE61rvWi resp_mime_types:[\"text\\/html\"] trans_depth:1 orig_fuids:[\"Fpnco91sWiQHlMIGQ4\"] host:runlove.us status_msg:Not Fou
 nd id.orig_h:192.168.138.158 response_body_len:357 user_agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671514.0 id.resp_h:204.152.254.221 resp_fuids:[\"FiKhLp4qrWGvpiYadj\"]","ip_dst_addr":"204.152.254.221","adapter:hostfromjsonlistadapter:end:ts":"1492671568779","host":"runlove.us","adapter:geoadapter:end:ts":"1492671574050","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574121","enrichments:geo:ip_dst_addr:longitude":"-112.0712","user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","resp_fuids":["FiKhLp4qrWGvpiYadj"],"timestamp":1505325593512,"method":"POST","enrichmentsplitterbolt:splitter:end:ts":"1492671568588","request_body_len":134,"enrichments:geo:ip_dst_addr:city":"Phoenix","enrichments:geo:ip_dst_a
 ddr:postalCode":"85004","adapter:hostfromjsonlistadapter:begin:ts":"1492671568779","orig_mime_types":["text/plain"],"uri":"/wp-content/themes/twentyfifteen/img5.php?t=cdcnw7cfz43rmtg","tags":[],"orig_fuids":["Fpnco91sWiQHlMIGQ4"],"ip_src_port":49197,"threatintelsplitterbolt:splitter:begin:ts":"1492671574121","adapter:threatinteladapter:begin:ts":"1492671574808","status_msg":"Not Found","guid":"a651f7c3-1c6e-1260-44bf-7da97d4966c9","enrichments:geo:ip_dst_addr:country":"US","response_body_len":357}
+{"create": { "_id": "eb54c3fa-c1d9-d27b-998b-e6e02719c3b0"}}
+{"bro_timestamp":1505325594512,"status_code":200,"enrichments:geo:ip_dst_addr:location_point":"55.7386,37.6068","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574811","enrichmentsplitterbolt:splitter:begin:ts":"1492671568588","enrichmentjoinbolt:joiner:ts":"1492671574118","adapter:geoadapter:begin:ts":"1492671574050","enrichments:geo:ip_dst_addr:latitude":"55.7386","uid":"CrRM6qLedsBZ3P0d8","resp_mime_types":["image/x-icon"],"trans_depth":2,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:49207 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:/favicon.ico tags:[] uid:CrRM6qLedsBZ3P0d8 resp_mime_types:[\"image\\/x-icon\"] trans_depth:2 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:318 user_agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30
 729; Media Center PC 6.0) ts:1492671514.0 id.resp_h:95.163.121.204 resp_fuids:[\"FlDlsY39iNQUeDK2Dj\"]","ip_dst_addr":"95.163.121.204","adapter:hostfromjsonlistadapter:end:ts":"1492671568779","host":"7oqnsnzwwnm6zb7y.gigapaysun.com","adapter:geoadapter:end:ts":"1492671574050","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574121","enrichments:geo:ip_dst_addr:longitude":"37.6068","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","resp_fuids":["FlDlsY39iNQUeDK2Dj"],"timestamp":1505325594512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568588","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568779","uri":"/favicon.ico","tags":[],"ip_src_port":49207,"threatintelsplitterbolt:splitter:begin:ts":"1492671574121","adapter:threatinteladapter:begin:ts":"1492671574808","status_msg":"OK","guid":"e
 b54c3fa-c1d9-d27b-998b-e6e02719c3b0","enrichments:geo:ip_dst_addr:country":"RU","response_body_len":318}
+{"create": { "_id": "a67719ca-9367-599e-7306-139a0af82a22"}}
+{"bro_timestamp":1505325595512,"ip_dst_port":8080,"threatinteljoinbolt:joiner:ts":"1492671574811","enrichmentsplitterbolt:splitter:begin:ts":"1492671568589","enrichmentjoinbolt:joiner:ts":"1492671574118","adapter:geoadapter:begin:ts":"1492671574050","uid":"CUrRne3iLIxXavQtci","trans_depth":72,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:/api/v1/persist/wizard-data?_=1484168577645 tags:[] uid:CUrRne3iLIxXavQtci referrer:http://node1:8080/ trans_depth:72 host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36 ts:1492671514.0 id.resp_h:192.168.66.121","ip_dst_addr":"192.168.66.121","adapter:hostfromjsonlistadapter:end:ts":"1492671568779","host":"node1","adapter:geoadapter:end:ts":"1492671574050","ip_src_addr":"192.
 168.66.1","threatintelsplitterbolt:splitter:end:ts":"1492671574121","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36","timestamp":1505325595512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568589","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568779","uri":"/api/v1/persist/wizard-data?_=1484168577645","tags":[],"referrer":"http://node1:8080/","ip_src_port":50451,"threatintelsplitterbolt:splitter:begin:ts":"1492671574121","adapter:threatinteladapter:begin:ts":"1492671574808","guid":"a67719ca-9367-599e-7306-139a0af82a22","response_body_len":0}
+{"create": { "_id": "ed906df7-27d4-484d-ec74-3a91cc54c2f3"}}
+{"qclass_name":"C_INTERNET","bro_timestamp":1505325596512,"qtype_name":"PTR","ip_dst_port":5353,"threatinteljoinbolt:joiner:ts":"1492671574811","qtype":12,"rejected":false,"enrichmentsplitterbolt:splitter:begin:ts":"1492671568589","enrichmentjoinbolt:joiner:ts":"1492671574120","trans_id":0,"adapter:geoadapter:begin:ts":"1492671574050","uid":"CoifzG3AcwlRprsVWd","protocol":"dns","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"DNS | AA:false qclass_name:C_INTERNET id.orig_p:5353 qtype_name:PTR qtype:12 rejected:false id.resp_p:5353 query:_googlecast._tcp.local trans_id:0 TC:false RA:false uid:CoifzG3AcwlRprsVWd RD:false proto:udp id.orig_h:192.168.66.1 Z:0 qclass:1 ts:1492671514.0 id.resp_h:224.0.0.251","ip_dst_addr":"224.0.0.251","adapter:hostfromjsonlistadapter:end:ts":"1492671568779","Z":0,"adapter:geoadapter:end:ts":"1492671574050","ip_src_addr":"192.168.66.1","threatintelsplitterbolt:splitter:end:ts":"1492671574122","qclass":1,
 "timestamp":1505325596512,"AA":false,"enrichmentsplitterbolt:splitter:end:ts":"1492671568589","query":"_googlecast._tcp.local","adapter:hostfromjsonlistadapter:begin:ts":"1492671568779","TC":false,"RA":false,"RD":false,"ip_src_port":5353,"proto":"udp","threatintelsplitterbolt:splitter:begin:ts":"1492671574122","adapter:threatinteladapter:begin:ts":"1492671574808","guid":"ed906df7-27d4-484d-ec74-3a91cc54c2f3"}
+{"create": { "_id": "cace11d0-cd0a-dccb-d8d8-18b1bd7b9499"}}
+{"bro_timestamp":1505325597512,"status_code":200,"enrichments:geo:ip_dst_addr:location_point":"55.7386,37.6068","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574811","enrichmentsplitterbolt:splitter:begin:ts":"1492671568589","enrichmentjoinbolt:joiner:ts":"1492671574122","adapter:geoadapter:begin:ts":"1492671574050","enrichments:geo:ip_dst_addr:latitude":"55.7386","uid":"Cm8nbh1mEqDSWqLB61","resp_mime_types":["image/png"],"trans_depth":3,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:49210 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:/img/button_pay.png tags:[] uid:Cm8nbh1mEqDSWqLB61 referrer:http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg resp_mime_types:[\"image\\/png\"] trans_depth:3 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:727 user_agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLC
 C2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671514.0 id.resp_h:95.163.121.204 resp_fuids:[\"F4UU9y2L5THk5eQzNl\"]","ip_dst_addr":"95.163.121.204","adapter:hostfromjsonlistadapter:end:ts":"1492671568780","host":"7oqnsnzwwnm6zb7y.gigapaysun.com","adapter:geoadapter:end:ts":"1492671574050","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574127","enrichments:geo:ip_dst_addr:longitude":"37.6068","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","resp_fuids":["F4UU9y2L5THk5eQzNl"],"timestamp":1505325597512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568598","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568780","uri":"/img/button_pay.png","tags":[],"referrer":"http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg","ip_src_port":49210,"threatintelspl
 itterbolt:splitter:begin:ts":"1492671574127","adapter:threatinteladapter:begin:ts":"1492671574808","status_msg":"OK","guid":"cace11d0-cd0a-dccb-d8d8-18b1bd7b9499","enrichments:geo:ip_dst_addr:country":"RU","response_body_len":727}
+{"create": { "_id": "219cb2a5-08cf-5953-d776-c483b4a65cfb"}}
+{"bro_timestamp":1505325598512,"status_code":200,"enrichments:geo:ip_dst_addr:location_point":"55.7386,37.6068","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574811","enrichmentsplitterbolt:splitter:begin:ts":"1492671568598","enrichmentjoinbolt:joiner:ts":"1492671574123","adapter:geoadapter:begin:ts":"1492671574050","enrichments:geo:ip_dst_addr:latitude":"55.7386","uid":"Cdg2Cf1BnvStDcNm44","resp_mime_types":["image/x-icon"],"trans_depth":2,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:49207 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:/favicon.ico tags:[] uid:Cdg2Cf1BnvStDcNm44 resp_mime_types:[\"image\\/x-icon\"] trans_depth:2 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:318 user_agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.
 30729; Media Center PC 6.0) ts:1492671514.0 id.resp_h:95.163.121.204 resp_fuids:[\"F0ASzM1opxGAKE6oMe\"]","ip_dst_addr":"95.163.121.204","adapter:hostfromjsonlistadapter:end:ts":"1492671568780","host":"7oqnsnzwwnm6zb7y.gigapaysun.com","adapter:geoadapter:end:ts":"1492671574050","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574128","enrichments:geo:ip_dst_addr:longitude":"37.6068","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","resp_fuids":["F0ASzM1opxGAKE6oMe"],"timestamp":1505325598512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568599","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568780","uri":"/favicon.ico","tags":[],"ip_src_port":49207,"threatintelsplitterbolt:splitter:begin:ts":"1492671574128","adapter:threatinteladapter:begin:ts":"1492671574808","status_msg":"OK","guid":
 "219cb2a5-08cf-5953-d776-c483b4a65cfb","enrichments:geo:ip_dst_addr:country":"RU","response_body_len":318}
+{"create": { "_id": "66278ca7-da60-a592-1d07-d376a4b50cc2"}}
+{"bro_timestamp":1505325599512,"status_code":200,"enrichments:geo:ip_dst_addr:location_point":"55.7386,37.6068","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574812","enrichmentsplitterbolt:splitter:begin:ts":"1492671568599","enrichmentjoinbolt:joiner:ts":"1492671574123","adapter:geoadapter:begin:ts":"1492671574050","enrichments:geo:ip_dst_addr:latitude":"55.7386","uid":"CFP2Yy2RG2OaIaUyXj","resp_mime_types":["text/html"],"trans_depth":2,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:49209 status_code:200 method:POST request_body_len:14 id.resp_p:80 orig_mime_types:[\"text\\/plain\"] uri:/11iQmfg tags:[] uid:CFP2Yy2RG2OaIaUyXj referrer:http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg resp_mime_types:[\"text\\/html\"] trans_depth:2 orig_fuids:[\"F6gXkl3UhcrQFYuUJf\"] host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:14641 user_agent:Mozilla/4.
 0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671514.0 id.resp_h:95.163.121.204 resp_fuids:[\"FBkU002WomFd5HE3d6\"]","ip_dst_addr":"95.163.121.204","adapter:hostfromjsonlistadapter:end:ts":"1492671568780","host":"7oqnsnzwwnm6zb7y.gigapaysun.com","adapter:geoadapter:end:ts":"1492671574050","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574128","enrichments:geo:ip_dst_addr:longitude":"37.6068","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","resp_fuids":["FBkU002WomFd5HE3d6"],"timestamp":1505325599512,"method":"POST","enrichmentsplitterbolt:splitter:end:ts":"1492671568599","request_body_len":14,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568780","orig_mime_types":["text/plain"],"uri":"/11iQmfg","tags":[],"referr
 er":"http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg","orig_fuids":["F6gXkl3UhcrQFYuUJf"],"ip_src_port":49209,"threatintelsplitterbolt:splitter:begin:ts":"1492671574128","adapter:threatinteladapter:begin:ts":"1492671574808","status_msg":"OK","guid":"66278ca7-da60-a592-1d07-d376a4b50cc2","enrichments:geo:ip_dst_addr:country":"RU","response_body_len":14641}
+{"create": { "_id": "691dd7e0-5268-43b6-45e9-e8c06d0bbc4c"}}
+{"bro_timestamp":1505325600512,"ip_dst_port":8080,"threatinteljoinbolt:joiner:ts":"1492671574812","enrichmentsplitterbolt:splitter:begin:ts":"1492671568599","enrichmentjoinbolt:joiner:ts":"1492671574123","adapter:geoadapter:begin:ts":"1492671574051","uid":"CUrRne3iLIxXavQtci","trans_depth":197,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:/api/v1/clusters/metron_cluster/requests?to=end&page_size=10&fields=Requests&_=1484169211634 tags:[] uid:CUrRne3iLIxXavQtci referrer:http://node1:8080/ trans_depth:197 host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36 ts:1492671521.0 id.resp_h:192.168.66.121","ip_dst_addr":"192.168.66.121","adapter:hostfromjsonlistadapter:end:ts":"1492671568780","host":"node1","adapter:geo
 adapter:end:ts":"1492671574051","ip_src_addr":"192.168.66.1","threatintelsplitterbolt:splitter:end:ts":"1492671574128","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36","timestamp":1505325600512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568602","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568780","uri":"/api/v1/clusters/metron_cluster/requests?to=end&page_size=10&fields=Requests&_=1484169211634","tags":[],"referrer":"http://node1:8080/","ip_src_port":50451,"threatintelsplitterbolt:splitter:begin:ts":"1492671574128","adapter:threatinteladapter:begin:ts":"1492671574808","guid":"691dd7e0-5268-43b6-45e9-e8c06d0bbc4c","response_body_len":0}
+{"create": { "_id": "b39dc3ac-dadc-702e-ecff-977d38d77e77"}}
+{"TTLs":[29],"qclass_name":"C_INTERNET","bro_timestamp":1505325601512,"qtype_name":"A","ip_dst_port":53,"threatinteljoinbolt:joiner:ts":"1492671574812","qtype":1,"rejected":false,"answers":["62.75.195.236"],"enrichmentsplitterbolt:splitter:begin:ts":"1492671568603","enrichmentjoinbolt:joiner:ts":"1492671574128","trans_id":62139,"adapter:geoadapter:begin:ts":"1492671574051","uid":"CdZ0AH1QBmDVfSSbR1","protocol":"dns","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"DNS | AA:false TTLs:[29.0] qclass_name:C_INTERNET id.orig_p:50683 qtype_name:A qtype:1 rejected:false id.resp_p:53 query:r03afd2.c3008e.xc07r.b0f.a39.h7f0fa5eu.vb8fbl.e8mfzdgrf7g0.groupprograms.in answers:[\"62.75.195.236\"] trans_id:62139 rcode:0 rcode_name:NOERROR TC:false RA:true uid:CdZ0AH1QBmDVfSSbR1 RD:true proto:udp id.orig_h:192.168.138.158 Z:0 qclass:1 ts:1492671521.0 id.resp_h:192.168.138.2","ip_dst_addr":"192.168.138.2","adapter:hostfromjsonlistadapter:end:ts":
 "1492671568780","Z":0,"adapter:geoadapter:end:ts":"1492671574051","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574130","qclass":1,"timestamp":1505325601512,"AA":false,"enrichmentsplitterbolt:splitter:end:ts":"1492671568603","query":"r03afd2.c3008e.xc07r.b0f.a39.h7f0fa5eu.vb8fbl.e8mfzdgrf7g0.groupprograms.in","rcode":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568780","rcode_name":"NOERROR","TC":false,"RA":true,"RD":true,"ip_src_port":50683,"proto":"udp","threatintelsplitterbolt:splitter:begin:ts":"1492671574130","adapter:threatinteladapter:begin:ts":"1492671574808","guid":"b39dc3ac-dadc-702e-ecff-977d38d77e77"}
+{"create": { "_id": "afc36901-36b6-845e-6d3c-99d931231ab2"}}
+{"enrichments:geo:ip_dst_addr:locID":"5308655","bro_timestamp":1505325602512,"status_code":404,"enrichments:geo:ip_dst_addr:location_point":"33.4499,-112.0712","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574812","enrichments:geo:ip_dst_addr:dmaCode":"753","enrichmentsplitterbolt:splitter:begin:ts":"1492671568615","enrichmentjoinbolt:joiner:ts":"1492671574128","adapter:geoadapter:begin:ts":"1492671574051","enrichments:geo:ip_dst_addr:latitude":"33.4499","uid":"CXHN1k3JfGhpbuyb5j","resp_mime_types":["text/html"],"trans_depth":1,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:49201 status_code:404 method:POST request_body_len:162 id.resp_p:80 orig_mime_types:[\"text\\/plain\"] uri:/wp-content/themes/twentyfifteen/img5.php?u=mfymi71rapdzk tags:[] uid:CXHN1k3JfGhpbuyb5j resp_mime_types:[\"text\\/html\"] trans_depth:1 orig_fuids:[\"FbYFa74InGlqw9Ruy7\"] host:runlove.us status_msg:Not Found
  id.orig_h:192.168.138.158 response_body_len:357 user_agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671521.0 id.resp_h:204.152.254.221 resp_fuids:[\"F7xVXgXCuqJOzIPo4\"]","ip_dst_addr":"204.152.254.221","adapter:hostfromjsonlistadapter:end:ts":"1492671568780","host":"runlove.us","adapter:geoadapter:end:ts":"1492671574051","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574130","enrichments:geo:ip_dst_addr:longitude":"-112.0712","user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","resp_fuids":["F7xVXgXCuqJOzIPo4"],"timestamp":1505325602512,"method":"POST","enrichmentsplitterbolt:splitter:end:ts":"1492671568616","request_body_len":162,"enrichments:geo:ip_dst_addr:city":"Phoenix","enrichments:geo:ip_dst_addr:
 postalCode":"85004","adapter:hostfromjsonlistadapter:begin:ts":"1492671568780","orig_mime_types":["text/plain"],"uri":"/wp-content/themes/twentyfifteen/img5.php?u=mfymi71rapdzk","tags":[],"orig_fuids":["FbYFa74InGlqw9Ruy7"],"ip_src_port":49201,"threatintelsplitterbolt:splitter:begin:ts":"1492671574130","adapter:threatinteladapter:begin:ts":"1492671574808","status_msg":"Not Found","guid":"afc36901-36b6-845e-6d3c-99d931231ab2","enrichments:geo:ip_dst_addr:country":"US","response_body_len":357}
+{"create": { "_id": "db56b831-e980-b4fb-8894-b99964c1a624"}}
+{"bro_timestamp":1505325603512,"ip_dst_port":8080,"threatinteljoinbolt:joiner:ts":"1492671574812","enrichmentsplitterbolt:splitter:begin:ts":"1492671568616","enrichmentjoinbolt:joiner:ts":"1492671574128","adapter:geoadapter:begin:ts":"1492671574051","uid":"CUrRne3iLIxXavQtci","trans_depth":122,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:/api/v1/clusters/metron_cluster?fields=Clusters/health_report,Clusters/total_hosts,alerts_summary_hosts&minimal_response=true&_=1484168786092 tags:[] uid:CUrRne3iLIxXavQtci referrer:http://node1:8080/ trans_depth:122 host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36 ts:1492671521.0 id.resp_h:192.168.66.121","ip_dst_addr":"192.168.66.121","adapter:hostfromjsonlistadapter:en
 d:ts":"1492671568780","host":"node1","adapter:geoadapter:end:ts":"1492671574051","ip_src_addr":"192.168.66.1","threatintelsplitterbolt:splitter:end:ts":"1492671574130","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36","timestamp":1505325603512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568616","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568780","uri":"/api/v1/clusters/metron_cluster?fields=Clusters/health_report,Clusters/total_hosts,alerts_summary_hosts&minimal_response=true&_=1484168786092","tags":[],"referrer":"http://node1:8080/","ip_src_port":50451,"threatintelsplitterbolt:splitter:begin:ts":"1492671574130","adapter:threatinteladapter:begin:ts":"1492671574808","guid":"db56b831-e980-b4fb-8894-b99964c1a624","response_body_len":0}
+{"create": { "_id": "cbae0f03-8fd8-e0ba-7374-2ef56f402108"}}
+{"bro_timestamp":1505325604512,"status_code":200,"enrichments:geo:ip_dst_addr:location_point":"55.7386,37.6068","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574812","enrichmentsplitterbolt:splitter:begin:ts":"1492671568616","enrichmentjoinbolt:joiner:ts":"1492671574128","adapter:geoadapter:begin:ts":"1492671574051","enrichments:geo:ip_dst_addr:latitude":"55.7386","uid":"CsHRi01CuOHO3HUHWa","resp_mime_types":["image/png"],"trans_depth":1,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:49208 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:/picture.php?k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764 tags:[] uid:CsHRi01CuOHO3HUHWa referrer:http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg resp_mime_types:[\"image\\/png\"] trans_depth:1 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:1823 user_agent:Mozilla/4.0 (compatible; MSIE 8.0; Wi
 ndows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671521.0 id.resp_h:95.163.121.204 resp_fuids:[\"FYBfM7ON3Ts49il0b\"]","ip_dst_addr":"95.163.121.204","adapter:hostfromjsonlistadapter:end:ts":"1492671568780","host":"7oqnsnzwwnm6zb7y.gigapaysun.com","adapter:geoadapter:end:ts":"1492671574051","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574130","enrichments:geo:ip_dst_addr:longitude":"37.6068","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","resp_fuids":["FYBfM7ON3Ts49il0b"],"timestamp":1505325604512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568616","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568780","uri":"/picture.php?k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764","tags":[],"referrer":"http://7oqns
 nzwwnm6zb7y.gigapaysun.com/11iQmfg","ip_src_port":49208,"threatintelsplitterbolt:splitter:begin:ts":"1492671574130","adapter:threatinteladapter:begin:ts":"1492671574808","status_msg":"OK","guid":"cbae0f03-8fd8-e0ba-7374-2ef56f402108","enrichments:geo:ip_dst_addr:country":"RU","response_body_len":1823}
+{"create": { "_id": "526b481a-d778-3939-5606-71b55c3d6459"}}
+{"TTLs":[13888],"qclass_name":"C_INTERNET","bro_timestamp":1505325605512,"qtype_name":"A","ip_dst_port":53,"threatinteljoinbolt:joiner:ts":"1492671574812","qtype":1,"rejected":false,"answers":["72.34.49.86"],"enrichmentsplitterbolt:splitter:begin:ts":"1492671568617","enrichmentjoinbolt:joiner:ts":"1492671574129","trans_id":41589,"adapter:geoadapter:begin:ts":"1492671574051","uid":"C2aVCXZ8ZwWURmVNa","protocol":"dns","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"DNS | AA:false TTLs:[13888.0] qclass_name:C_INTERNET id.orig_p:56753 qtype_name:A qtype:1 rejected:false id.resp_p:53 query:comarksecurity.com answers:[\"72.34.49.86\"] trans_id:41589 rcode:0 rcode_name:NOERROR TC:false RA:true uid:C2aVCXZ8ZwWURmVNa RD:true proto:udp id.orig_h:192.168.138.158 Z:0 qclass:1 ts:1492671521.0 id.resp_h:192.168.138.2","ip_dst_addr":"192.168.138.2","adapter:hostfromjsonlistadapter:end:ts":"1492671568780","Z":0,"adapter:geoadapter:end:ts":"149267
 1574051","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574132","qclass":1,"timestamp":1505325605512,"AA":false,"enrichmentsplitterbolt:splitter:end:ts":"1492671568617","query":"comarksecurity.com","rcode":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568780","rcode_name":"NOERROR","TC":false,"RA":true,"RD":true,"ip_src_port":56753,"proto":"udp","threatintelsplitterbolt:splitter:begin:ts":"1492671574132","adapter:threatinteladapter:begin:ts":"1492671574808","guid":"526b481a-d778-3939-5606-71b55c3d6459"}
+{"create": { "_id": "c894bbcf-3195-0708-aebe-0574cf0cc1fe"}}
+{"qclass_name":"C_INTERNET","bro_timestamp":1505325606512,"qtype_name":"PTR","ip_dst_port":5353,"threatinteljoinbolt:joiner:ts":"1492671574812","qtype":12,"rejected":false,"enrichmentsplitterbolt:splitter:begin:ts":"1492671568617","enrichmentjoinbolt:joiner:ts":"1492671574129","trans_id":0,"adapter:geoadapter:begin:ts":"1492671574051","uid":"CWyFyi3pl5qWTuUWSh","protocol":"dns","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"DNS | AA:false qclass_name:C_INTERNET id.orig_p:5353 qtype_name:PTR qtype:12 rejected:false id.resp_p:5353 query:_googlecast._tcp.local trans_id:0 TC:false RA:false uid:CWyFyi3pl5qWTuUWSh RD:false proto:udp id.orig_h:192.168.66.1 Z:0 qclass:1 ts:1492671521.0 id.resp_h:224.0.0.251","ip_dst_addr":"224.0.0.251","adapter:hostfromjsonlistadapter:end:ts":"1492671568780","Z":0,"adapter:geoadapter:end:ts":"1492671574051","ip_src_addr":"192.168.66.1","threatintelsplitterbolt:splitter:end:ts":"1492671574132","qclass":1,
 "timestamp":1505325606512,"AA":false,"enrichmentsplitterbolt:splitter:end:ts":"1492671568617","query":"_googlecast._tcp.local","adapter:hostfromjsonlistadapter:begin:ts":"1492671568780","TC":false,"RA":false,"RD":false,"ip_src_port":5353,"proto":"udp","threatintelsplitterbolt:splitter:begin:ts":"1492671574132","adapter:threatinteladapter:begin:ts":"1492671574808","guid":"c894bbcf-3195-0708-aebe-0574cf0cc1fe"}
+{"create": { "_id": "0454b31e-ef39-4e6e-200e-be0a711a36e7"}}
+{"bro_timestamp":1505325607512,"status_code":200,"enrichments:geo:ip_dst_addr:location_point":"55.7386,37.6068","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574812","enrichmentsplitterbolt:splitter:begin:ts":"1492671568618","enrichmentjoinbolt:joiner:ts":"1492671574129","adapter:geoadapter:begin:ts":"1492671574051","enrichments:geo:ip_dst_addr:latitude":"55.7386","uid":"CsHRi01CuOHO3HUHWa","resp_mime_types":["image/png"],"trans_depth":2,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:49208 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:/img/rb.png tags:[] uid:CsHRi01CuOHO3HUHWa referrer:http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg resp_mime_types:[\"image\\/png\"] trans_depth:2 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:237 user_agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET
  CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671521.0 id.resp_h:95.163.121.204 resp_fuids:[\"Fd2T5m1B2GH6AR453i\"]","ip_dst_addr":"95.163.121.204","adapter:hostfromjsonlistadapter:end:ts":"1492671568780","host":"7oqnsnzwwnm6zb7y.gigapaysun.com","adapter:geoadapter:end:ts":"1492671574052","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574132","enrichments:geo:ip_dst_addr:longitude":"37.6068","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","resp_fuids":["Fd2T5m1B2GH6AR453i"],"timestamp":1505325607512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568618","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568780","uri":"/img/rb.png","tags":[],"referrer":"http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg","ip_src_port":49208,"threatintelsplitterbolt:splitt
 er:begin:ts":"1492671574132","adapter:threatinteladapter:begin:ts":"1492671574808","status_msg":"OK","guid":"0454b31e-ef39-4e6e-200e-be0a711a36e7","enrichments:geo:ip_dst_addr:country":"RU","response_body_len":237}
+{"create": { "_id": "838bd51c-18f2-5d98-bd08-27acc70f0b50"}}
+{"bro_timestamp":1505325608512,"status_code":200,"enrichments:geo:ip_dst_addr:location_point":"55.7386,37.6068","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574812","enrichmentsplitterbolt:splitter:begin:ts":"1492671568618","enrichmentjoinbolt:joiner:ts":"1492671574129","adapter:geoadapter:begin:ts":"1492671574052","enrichments:geo:ip_dst_addr:latitude":"55.7386","uid":"CNNAEP790j2AIKc26","resp_mime_types":["image/png"],"trans_depth":2,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:49208 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:/img/rb.png tags:[] uid:CNNAEP790j2AIKc26 referrer:http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg resp_mime_types:[\"image\\/png\"] trans_depth:2 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:237 user_agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET C
 LR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671521.0 id.resp_h:95.163.121.204 resp_fuids:[\"FfhCkD2xQGeXcAX3ke\"]","ip_dst_addr":"95.163.121.204","adapter:hostfromjsonlistadapter:end:ts":"1492671568780","host":"7oqnsnzwwnm6zb7y.gigapaysun.com","adapter:geoadapter:end:ts":"1492671574052","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574132","enrichments:geo:ip_dst_addr:longitude":"37.6068","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","resp_fuids":["FfhCkD2xQGeXcAX3ke"],"timestamp":1505325608512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568618","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568780","uri":"/img/rb.png","tags":[],"referrer":"http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg","ip_src_port":49208,"threatintelsplitterbolt:splitter
 :begin:ts":"1492671574132","adapter:threatinteladapter:begin:ts":"1492671574808","status_msg":"OK","guid":"838bd51c-18f2-5d98-bd08-27acc70f0b50","enrichments:geo:ip_dst_addr:country":"RU","response_body_len":237}
+{"create": { "_id": "ffe41918-3e4f-29e7-f962-0ae625b8de9b"}}
+{"bro_timestamp":1505325609512,"status_code":200,"enrichments:geo:ip_dst_addr:location_point":"55.7386,37.6068","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574812","enrichmentsplitterbolt:splitter:begin:ts":"1492671568619","enrichmentjoinbolt:joiner:ts":"1492671574129","adapter:geoadapter:begin:ts":"1492671574052","enrichments:geo:ip_dst_addr:latitude":"55.7386","uid":"CzC9H918QP4fyqqRr3","resp_mime_types":["image/x-icon"],"trans_depth":2,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:49207 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:/favicon.ico tags:[] uid:CzC9H918QP4fyqqRr3 resp_mime_types:[\"image\\/x-icon\"] trans_depth:2 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:318 user_agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.
 30729; Media Center PC 6.0) ts:1492671521.0 id.resp_h:95.163.121.204 resp_fuids:[\"FwQvsb2InGc8pVx8ol\"]","ip_dst_addr":"95.163.121.204","adapter:hostfromjsonlistadapter:end:ts":"1492671568780","host":"7oqnsnzwwnm6zb7y.gigapaysun.com","adapter:geoadapter:end:ts":"1492671574052","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574132","enrichments:geo:ip_dst_addr:longitude":"37.6068","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","resp_fuids":["FwQvsb2InGc8pVx8ol"],"timestamp":1505325609512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568619","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568780","uri":"/favicon.ico","tags":[],"ip_src_port":49207,"threatintelsplitterbolt:splitter:begin:ts":"1492671574132","adapter:threatinteladapter:begin:ts":"1492671574808","status_msg":"OK","guid":
 "ffe41918-3e4f-29e7-f962-0ae625b8de9b","enrichments:geo:ip_dst_addr:country":"RU","response_body_len":318}
+{"create": { "_id": "656581d0-dae9-f228-1135-b6f5a1e3ea1a"}}
+{"bro_timestamp":1505325610512,"status_code":200,"enrichments:geo:ip_dst_addr:location_point":"55.7386,37.6068","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574812","enrichmentsplitterbolt:splitter:begin:ts":"1492671568619","enrichmentjoinbolt:joiner:ts":"1492671574129","adapter:geoadapter:begin:ts":"1492671574052","enrichments:geo:ip_dst_addr:latitude":"55.7386","uid":"CvuIYi4rfagsTptajc","resp_mime_types":["text/html"],"trans_depth":1,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:49205 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:/11iQmfg tags:[] uid:CvuIYi4rfagsTptajc resp_mime_types:[\"text\\/html\"] trans_depth:1 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:3289 user_agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Me
 dia Center PC 6.0) ts:1492671526.0 id.resp_h:95.163.121.204 resp_fuids:[\"FY7vSY2ucYut55IgRa\"]","ip_dst_addr":"95.163.121.204","adapter:hostfromjsonlistadapter:end:ts":"1492671568780","host":"7oqnsnzwwnm6zb7y.gigapaysun.com","adapter:geoadapter:end:ts":"1492671574052","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574132","enrichments:geo:ip_dst_addr:longitude":"37.6068","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","resp_fuids":["FY7vSY2ucYut55IgRa"],"timestamp":1505325610512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568619","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568780","uri":"/11iQmfg","tags":[],"ip_src_port":49205,"threatintelsplitterbolt:splitter:begin:ts":"1492671574132","adapter:threatinteladapter:begin:ts":"1492671574808","status_msg":"OK","guid":"656581d0-dae
 9-f228-1135-b6f5a1e3ea1a","enrichments:geo:ip_dst_addr:country":"RU","response_body_len":3289}
+{"create": { "_id": "4bd5a170-e162-bfff-343b-88eceecc5d67"}}
+{"bro_timestamp":1505325611512,"status_code":200,"enrichments:geo:ip_dst_addr:location_point":"55.7386,37.6068","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574813","enrichmentsplitterbolt:splitter:begin:ts":"1492671568620","enrichmentjoinbolt:joiner:ts":"1492671574129","adapter:geoadapter:begin:ts":"1492671574052","enrichments:geo:ip_dst_addr:latitude":"55.7386","uid":"C0XtwFSGVX0paqsq9","resp_mime_types":["text/html"],"trans_depth":1,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"HTTP | id.orig_p:49205 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:/11iQmfg tags:[] uid:C0XtwFSGVX0paqsq9 resp_mime_types:[\"text\\/html\"] trans_depth:1 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:3289 user_agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Medi
 a Center PC 6.0) ts:1492671526.0 id.resp_h:95.163.121.204 resp_fuids:[\"Fmv6Ap2EAcThJKped6\"]","ip_dst_addr":"95.163.121.204","adapter:hostfromjsonlistadapter:end:ts":"1492671568780","host":"7oqnsnzwwnm6zb7y.gigapaysun.com","adapter:geoadapter:end:ts":"1492671574052","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574132","enrichments:geo:ip_dst_addr:longitude":"37.6068","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","resp_fuids":["Fmv6Ap2EAcThJKped6"],"timestamp":1505325611512,"method":"GET","enrichmentsplitterbolt:splitter:end:ts":"1492671568620","request_body_len":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568780","uri":"/11iQmfg","tags":[],"ip_src_port":49205,"threatintelsplitterbolt:splitter:begin:ts":"1492671574132","adapter:threatinteladapter:begin:ts":"1492671574808","status_msg":"OK","guid":"4bd5a170-e162-
 bfff-343b-88eceecc5d67","enrichments:geo:ip_dst_addr:country":"RU","response_body_len":3289}
+{"create": { "_id": "ec4b176b-8819-e062-cede-06caa9388021"}}
+{"TTLs":[29],"qclass_name":"C_INTERNET","bro_timestamp":1505325612512,"qtype_name":"A","ip_dst_port":53,"threatinteljoinbolt:joiner:ts":"1492671574813","qtype":1,"rejected":false,"answers":["62.75.195.236"],"enrichmentsplitterbolt:splitter:begin:ts":"1492671568620","enrichmentjoinbolt:joiner:ts":"1492671574129","trans_id":62139,"adapter:geoadapter:begin:ts":"1492671574052","uid":"CDl1jg1lEITOJqfIa1","protocol":"dns","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"DNS | AA:false TTLs:[29.0] qclass_name:C_INTERNET id.orig_p:50683 qtype_name:A qtype:1 rejected:false id.resp_p:53 query:r03afd2.c3008e.xc07r.b0f.a39.h7f0fa5eu.vb8fbl.e8mfzdgrf7g0.groupprograms.in answers:[\"62.75.195.236\"] trans_id:62139 rcode:0 rcode_name:NOERROR TC:false RA:true uid:CDl1jg1lEITOJqfIa1 RD:true proto:udp id.orig_h:192.168.138.158 Z:0 qclass:1 ts:1492671526.0 id.resp_h:192.168.138.2","ip_dst_addr":"192.168.138.2","adapter:hostfromjsonlistadapter:end:ts":
 "1492671568780","Z":0,"adapter:geoadapter:end:ts":"1492671574052","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574132","qclass":1,"timestamp":1505325612512,"AA":false,"enrichmentsplitterbolt:splitter:end:ts":"1492671568620","query":"r03afd2.c3008e.xc07r.b0f.a39.h7f0fa5eu.vb8fbl.e8mfzdgrf7g0.groupprograms.in","rcode":0,"adapter:hostfromjsonlistadapter:begin:ts":"1492671568780","rcode_name":"NOERROR","TC":false,"RA":true,"RD":true,"ip_src_port":50683,"proto":"udp","threatintelsplitterbolt:splitter:begin:ts":"1492671574132","adapter:threatinteladapter:begin:ts":"1492671574808","guid":"ec4b176b-8819-e062-cede-06caa9388021"}
+{"create": { "_id": "e63ff7ae-d767-84dc-ef6c-98cddbe0c0b3"}}
+{"qclass_name":"C_INTERNET","bro_timestamp":1505325613512,"qtype_name":"PTR","ip_dst_port":5353,"threatinteljoinbolt:joiner:ts":"1492671574813","qtype":12,"rejected":false,"enrichmentsplitterbolt:splitter:begin:ts":"1492671568621","enrichmentjoinbolt:joiner:ts":"1492671574130","trans_id":0,"adapter:geoadapter:begin:ts":"1492671574052","uid":"CSpFkT2sFGZoEEZ3gi","protocol":"dns","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574808","original_string":"DNS | AA:false qclass_name:C_INTERNET id.orig_p:5353 qtype_name:PTR qtype:12 rejected:false id.resp_p:5353 query:_googlecast._tcp.local trans_id:0 TC:false RA:false uid:CSpFkT2sFGZoEEZ3gi RD:false proto:udp id.orig_h:192.168.66.1 Z:0 qclass:1 ts:1492671526.0 id.resp_h:224.0.0.251","ip_dst_addr":"224.0.0.251","adapter:hostfromjsonlistadapter:end:ts":"1492671568780","Z":0,"adapter:geoadapter:end:ts":"1492671574052","ip_src_addr":"192.168.66.1","threatintelsplitterbolt:splitter:end:ts":"1492671574132","qclass":1,
 "timestamp":1505325613512,"AA":false,"enrichmentsplitterbolt:splitter:end:ts":"1492671568621","query":"_googlecast._tcp.local","adapter:hostfromjsonlistadapter:begin:ts":"1492671568780","TC":false,"RA":false,"RD":false,"ip_src_port":5353,"proto":"udp","threatintelsplitterbolt:splitter:begin:ts":"1492671574132","adapter:threatinteladapter:begin:ts":"1492671574808","guid":"e63ff7ae-d767-84dc-ef6c-98cddbe0c0b3"}
+{"create": { "_id": "d860ac35-13eb-829e-3bd0-77f9e282d571"}}
+{"enrichments:geo:ip_dst_addr:locID":"5308655","bro_timestamp":1505325614512,"status_code":404,"enrichments:geo:ip_dst_addr:location_point":"33.4499,-112.0712","ip_dst_port":80,"threatinteljoinbolt:joiner:ts":"1492671574813","enrichments:geo:ip_dst_addr:dmaCode":"753","enrichmentsplitterbolt:splitter:begin:ts":"1492671568621","enrichmentjoinbolt:joiner:ts":"1492671574132","adapter:geoadapter:begin:ts":"1492671574052","enrichments:geo:ip_dst_addr:latitude":"33.4499","uid":"COtvV93ruzjPB3wjJj","resp_mime_types":["text/html"],"trans_depth":1,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574809","original_string":"HTTP | id.orig_p:49203 status_code:404 method:POST request_body_len:110 id.resp_p:80 orig_mime_types:[\"text\\/plain\"] uri:/wp-content/themes/twentyfifteen/img5.php?f=ka6nnuvccqlw9 tags:[] uid:COtvV93ruzjPB3wjJj resp_mime_types:[\"text\\/html\"] trans_depth:1 orig_fuids:[\"FzOilF3t3TxwUn9Jhj\"] host:runlove.us status_msg:Not Found
  id.orig_h:192.168.138.158 response_body_len:357 user_agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671526.0 id.resp_h:204.152.254.221 resp_fuids:[\"FuoApu1vpznnqXsKCa\"]","ip_dst_addr":"204.152.254.221","adapter:hostfromjsonlistadapter:end:ts":"1492671568780","host":"runlove.us","adapter:geoadapter:end:ts":"1492671574052","ip_src_addr":"192.168.138.158","threatintelsplitterbolt:splitter:end:ts":"1492671574134","enrichments:geo:ip_dst_addr:longitude":"-112.0712","user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","resp_fuids":["FuoApu1vpznnqXsKCa"],"timestamp":1505325614512,"method":"POST","enrichmentsplitterbolt:splitter:end:ts":"1492671568621","request_body_len":110,"enrichments:geo:ip_dst_addr:city":"Phoenix","enrichments:geo:ip_dst_add
 r:postalCode":"85004","adapter:hostfromjsonlistadapter:begin:ts":"1492671568780","orig_mime_types":["text/plain"],"uri":"/wp-content/themes/twentyfifteen/img5.php?f=ka6nnuvccqlw9","tags":[],"orig_fuids":["FzOilF3t3TxwUn9Jhj"],"ip_src_port":49203,"threatintelsplitterbolt:splitter:begin:ts":"1492671574134","adapter:threatinteladapter:begin:ts":"1492671574808","status_msg":"Not Found","guid":"d860ac35-13eb-829e-3bd0-77f9e282d571","enrichments:geo:ip_dst_addr:country":"US","response_body_len":357}
+{"create": { "_id": "8635b11e-44c6-f73a-879a-1fed7f7fb74a"}}
+{"bro_timestamp":1505325615512,"ip_dst_port":8080,"threatinteljoinbolt:joiner:ts":"1492671574813","enrichmentsplitterbolt:splitter:begin:ts":"1492671568622","enrichmentjoinbolt:joiner:ts":"1492671574132","adapter:geoadapter:begin:ts":"1492671574052","uid":"CUrRne3iLIxXavQtci","trans_depth":100,"protocol":"http","source:type":"alerts_ui_e2e","adapter:threatinteladapter:end:ts":"1492671574809","original_string":"HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:/api/v1/clusters/metron_cluster/components/?fields=ServiceComponentInfo/service_name,ServiceComponentInfo/category,ServiceComponentInfo/installed_count,ServiceComponentInfo/started_count,ServiceComponentInfo/init_count,ServiceComponentInfo/install_failed_count,ServiceComponentInfo/unknown_count,ServiceComponentInfo/total_count,ServiceComponentInfo/display_name,host_components/HostRoles/host_name&minimal_response=true&_=1484168699029 tags:[] uid:CUrRne3iLIxXavQtci referrer:http://node1:8080/ trans_depth:100
  host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36 ts:1492671526.0 id.resp_h:192.168.66.121","ip_dst_addr":"192.168.66.121","adapter:hostfromjsonlistadapter:end:ts":"1492671568781","host":"node1","adapter:geoadapter:end:ts":"1492671574052","ip_src_addr":"192.168.66.1","threatintelsplitterbolt:splitter:end:ts":"1492671574134","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36","tim

<TRUNCATED>
