2024-11-27 15:59:55,815 - INFO - Script run on: 2024-11-27 15:59:55 2024-11-27 15:59:55,815 - INFO - Logging to file: C:\Program Files\Superna\cgi-bin\crowdstrike-dse.log 2024-11-27 15:59:55,818 - INFO - Collecting Windows Event Logs from Data Security Essentials on server localhost... 2024-11-27 15:59:55,818 - INFO - No last processed record file found. Starting fresh. 2024-11-27 15:59:55,818 - INFO - Processing Event - RecordNumber: 16439268, EventID: 24, TimeGenerated: Wed Nov 27 13:36:21 2024, Source: Superna Data Security Essentials BOT Service 2024-11-27 15:59:55,818 - DEBUG - Raw JSON Payload: {"id":"24:0EC5DD26EA7C45F7AAADD8CA63EE9CDE","severity":"WARNING","state":"Comment","files":["C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (13) - Copy - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (13) - Copy - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (19) - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (19) - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (27) - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (27) - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (37) - Copy - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (37) - Copy - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (9).txt","C:\\newserver\\mynewfolder\\mydata - Copy (9).txt:Zone.Identifier","C:\\newserver\\New folder","C:\\newserver\\testfolder - Copy\\mydata - Copy (10) - Copy - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (10) - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (11) - Copy - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (11) - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (12) - Copy - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (12) - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (13) - Copy - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (19) - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (20) - Copy - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (20) - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (27) - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (34) - Copy - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (34) - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (35) - Copy - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (35) - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (36) - Copy - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (36) - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (37) - Copy - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (9).txt"],"rowKeys":[],"nes":["WIN-RS8MBDQN5MR"],"user":"S-1-5-21-1675147199-1333658167-3477523002-1117","userName":"adcto1.test\\demouser","shares":[],"detected":"Nov 27, 2024 06:36:21 PM","detectedTime":1732732581000,"firstSignalTimeStamp":1732732581000,"archivedTime":0,"lockedOut":"","lockedOutTime":0,"expiryTime":0,"expiry":"n/a","actions":[{"action":"Comment","dateInLong":1732732581000,"resultState":"WARNING","admin":"","comment":"Result of BOT Actions: Disable User: No action taken, Logoff User: No action taken, Deny Share: No action taken, Execute Cmd: No action taken"}],"possibleActions":["Comment","Disable","Lockout","LogOff","FileBlocked","QuotaLimit","Script"],"signalStrengths":{"badbehavior":496},"predicted":{},"isRoot":false,"monitorOnly":true,"peakMonitor":0,"peakWarning":0,"peakMajor":0,"peakCritical":0,"clientIPs":["172.31.1.45"],"numFiles":58,"isAudit":true,"isRSW":false,"isNFSMonitorMode":false,"isSMBSnapshotEnabled":false,"isFilePolicy":false,"eventSource":"Superna Data Security Essentials BOT Service","displayUserActivity":false,"protocol":"","snapshots":{},"deletedSnapshots":[],"nfsProtocols":[],"isAPIEvent":false,"rswExtensions":[],"extraParams":{}} 2024-11-27 15:59:55,830 - DEBUG - Parsed JSON: { "id": "24:0EC5DD26EA7C45F7AAADD8CA63EE9CDE", "severity": "WARNING", "state": "Comment", "files": [ "C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (13) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (13) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (19) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (19) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (27) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (27) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (37) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (37) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (9).txt", "C:\\newserver\\mynewfolder\\mydata - Copy (9).txt:Zone.Identifier", "C:\\newserver\\New folder", "C:\\newserver\\testfolder - Copy\\mydata - Copy (10) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (10) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (11) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (11) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (12) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (12) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (13) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (19) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (20) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (20) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (27) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (34) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (34) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (35) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (35) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (36) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (36) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (37) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (9).txt" ], "rowKeys": [], "nes": [ "WIN-RS8MBDQN5MR" ], "user": "S-1-5-21-1675147199-1333658167-3477523002-1117", "userName": "adcto1.test\\demouser", "shares": [], "detected": "Nov 27, 2024 06:36:21 PM", "detectedTime": 1732732581000, "firstSignalTimeStamp": 1732732581000, "archivedTime": 0, "lockedOut": "", "lockedOutTime": 0, "expiryTime": 0, "expiry": "n/a", "actions": [ { "action": "Comment", "dateInLong": 1732732581000, "resultState": "WARNING", "admin": "", "comment": "Result of BOT Actions: Disable User: No action taken, Logoff User: No action taken, Deny Share: No action taken, Execute Cmd: No action taken" } ], "possibleActions": [ "Comment", "Disable", "Lockout", "LogOff", "FileBlocked", "QuotaLimit", "Script" ], "signalStrengths": { "badbehavior": 496 }, "predicted": {}, "isRoot": false, "monitorOnly": true, "peakMonitor": 0, "peakWarning": 0, "peakMajor": 0, "peakCritical": 0, "clientIPs": [ "172.31.1.45" ], "numFiles": 58, "isAudit": true, "isRSW": false, "isNFSMonitorMode": false, "isSMBSnapshotEnabled": false, "isFilePolicy": false, "eventSource": "Superna Data Security Essentials BOT Service", "displayUserActivity": false, "protocol": "", "snapshots": {}, "deletedSnapshots": [], "nfsProtocols": [], "isAPIEvent": false, "rswExtensions": [], "extraParams": {} } 2024-11-27 15:59:55,830 - INFO - Event severity 'WARNING' does not match trigger severities: ['MAJOR', 'CRITICAL']. Skipping. 2024-11-27 15:59:55,830 - INFO - Processing Event - RecordNumber: 16439265, EventID: 17, TimeGenerated: Wed Nov 27 13:08:34 2024, Source: Superna Data Security Essentials BOT Service 2024-11-27 15:59:55,830 - DEBUG - Raw JSON Payload: {"id":"17:EE1D86C8B178485DAD11EBE0C497ECE0","severity":"ERROR","state":"ERROR","files":[],"rowKeys":[],"nes":["WIN-RS8MBDQN5MR"],"user":"","userName":"","shares":[],"detected":"Nov 27, 2024 06:08:34 PM","detectedTime":1732730914000,"firstSignalTimeStamp":1732730914000,"archivedTime":0,"lockedOut":"","lockedOutTime":0,"expiryTime":0,"expiry":"n/a","actions":[{"action":"Comment","dateInLong":1732730914000,"resultState":"ERROR","admin":"","comment":"Could not load all SMTP info from the registry."}],"possibleActions":["Comment","Disable","Lockout","LogOff","FileBlocked","QuotaLimit","Script"],"signalStrengths":{"":0},"predicted":{},"isRoot":false,"monitorOnly":true,"peakMonitor":0,"peakWarning":0,"peakMajor":0,"peakCritical":0,"clientIPs":[],"numFiles":0,"isAudit":false,"isRSW":false,"isNFSMonitorMode":false,"isSMBSnapshotEnabled":false,"isFilePolicy":false,"eventSource":"Superna Data Security Essentials BOT Service","displayUserActivity":false,"protocol":"","snapshots":{},"deletedSnapshots":[],"nfsProtocols":[],"isAPIEvent":false,"rswExtensions":[],"extraParams":{}} 2024-11-27 15:59:55,830 - DEBUG - Parsed JSON: { "id": "17:EE1D86C8B178485DAD11EBE0C497ECE0", "severity": "ERROR", "state": "ERROR", "files": [], "rowKeys": [], "nes": [ "WIN-RS8MBDQN5MR" ], "user": "", "userName": "", "shares": [], "detected": "Nov 27, 2024 06:08:34 PM", "detectedTime": 1732730914000, "firstSignalTimeStamp": 1732730914000, "archivedTime": 0, "lockedOut": "", "lockedOutTime": 0, "expiryTime": 0, "expiry": "n/a", "actions": [ { "action": "Comment", "dateInLong": 1732730914000, "resultState": "ERROR", "admin": "", "comment": "Could not load all SMTP info from the registry." } ], "possibleActions": [ "Comment", "Disable", "Lockout", "LogOff", "FileBlocked", "QuotaLimit", "Script" ], "signalStrengths": { "": 0 }, "predicted": {}, "isRoot": false, "monitorOnly": true, "peakMonitor": 0, "peakWarning": 0, "peakMajor": 0, "peakCritical": 0, "clientIPs": [], "numFiles": 0, "isAudit": false, "isRSW": false, "isNFSMonitorMode": false, "isSMBSnapshotEnabled": false, "isFilePolicy": false, "eventSource": "Superna Data Security Essentials BOT Service", "displayUserActivity": false, "protocol": "", "snapshots": {}, "deletedSnapshots": [], "nfsProtocols": [], "isAPIEvent": false, "rswExtensions": [], "extraParams": {} } 2024-11-27 15:59:55,830 - INFO - Event severity 'ERROR' does not match trigger severities: ['MAJOR', 'CRITICAL']. Skipping. 2024-11-27 15:59:55,836 - INFO - Processing Event - RecordNumber: 16439264, EventID: 17, TimeGenerated: Wed Nov 27 13:08:34 2024, Source: Superna Data Security Essentials BOT Service 2024-11-27 15:59:55,836 - DEBUG - Raw JSON Payload: {"id":"17:A169C7F79C13411F8F390B06E64C4A55","severity":"ERROR","state":"ERROR","files":[],"rowKeys":[],"nes":["WIN-RS8MBDQN5MR"],"user":"","userName":"","shares":[],"detected":"Nov 27, 2024 06:08:34 PM","detectedTime":1732730914000,"firstSignalTimeStamp":1732730914000,"archivedTime":0,"lockedOut":"","lockedOutTime":0,"expiryTime":0,"expiry":"n/a","actions":[{"action":"Comment","dateInLong":1732730914000,"resultState":"ERROR","admin":"","comment":"Could not load all SMTP info from the registry."}],"possibleActions":["Comment","Disable","Lockout","LogOff","FileBlocked","QuotaLimit","Script"],"signalStrengths":{"":0},"predicted":{},"isRoot":false,"monitorOnly":true,"peakMonitor":0,"peakWarning":0,"peakMajor":0,"peakCritical":0,"clientIPs":[],"numFiles":0,"isAudit":false,"isRSW":false,"isNFSMonitorMode":false,"isSMBSnapshotEnabled":false,"isFilePolicy":false,"eventSource":"Superna Data Security Essentials BOT Service","displayUserActivity":false,"protocol":"","snapshots":{},"deletedSnapshots":[],"nfsProtocols":[],"isAPIEvent":false,"rswExtensions":[],"extraParams":{}} 2024-11-27 15:59:55,836 - DEBUG - Parsed JSON: { "id": "17:A169C7F79C13411F8F390B06E64C4A55", "severity": "ERROR", "state": "ERROR", "files": [], "rowKeys": [], "nes": [ "WIN-RS8MBDQN5MR" ], "user": "", "userName": "", "shares": [], "detected": "Nov 27, 2024 06:08:34 PM", "detectedTime": 1732730914000, "firstSignalTimeStamp": 1732730914000, "archivedTime": 0, "lockedOut": "", "lockedOutTime": 0, "expiryTime": 0, "expiry": "n/a", "actions": [ { "action": "Comment", "dateInLong": 1732730914000, "resultState": "ERROR", "admin": "", "comment": "Could not load all SMTP info from the registry." } ], "possibleActions": [ "Comment", "Disable", "Lockout", "LogOff", "FileBlocked", "QuotaLimit", "Script" ], "signalStrengths": { "": 0 }, "predicted": {}, "isRoot": false, "monitorOnly": true, "peakMonitor": 0, "peakWarning": 0, "peakMajor": 0, "peakCritical": 0, "clientIPs": [], "numFiles": 0, "isAudit": false, "isRSW": false, "isNFSMonitorMode": false, "isSMBSnapshotEnabled": false, "isFilePolicy": false, "eventSource": "Superna Data Security Essentials BOT Service", "displayUserActivity": false, "protocol": "", "snapshots": {}, "deletedSnapshots": [], "nfsProtocols": [], "isAPIEvent": false, "rswExtensions": [], "extraParams": {} } 2024-11-27 15:59:55,836 - INFO - Event severity 'ERROR' does not match trigger severities: ['MAJOR', 'CRITICAL']. Skipping. 2024-11-27 15:59:55,836 - DEBUG - No more events to read. 2024-11-27 15:59:55,836 - INFO - Total Extracted Client IPs: 0 - [] 2024-11-27 15:59:55,836 - WARNING - No client IPs found in Windows Event Logs.