2024-11-28 14:07:42,976 - INFO - Script run on: 2024-11-28 14:07:42 2024-11-28 14:07:42,976 - INFO - Logging to file: C:\Program Files\Superna\cgi-bin\splunk-dse.log 2024-11-28 14:07:42,976 - INFO - Collecting Windows Event Logs from Data Security Essentials on server localhost... 2024-11-28 14:07:42,991 - INFO - No last processed record file found. Starting fresh. 2024-11-28 14:07:42,991 - INFO - Processing Event - RecordNumber: 16439291, EventID: 235, TimeGenerated: Wed Nov 27 21:40:46 2024, Source: Superna Data Security Policy Engine 2024-11-28 14:07:42,991 - DEBUG - Raw JSON Payload: {"id":"235:842ABBE616514C789365E6A60263037C","severity":"INFO","state":"INFO","files":[],"rowKeys":[],"nes":["WIN-RS8MBDQN5MR"],"user":"","userName":"","shares":[],"detected":"Nov 28, 2024 02:40:46 AM","detectedTime":1732761646000,"firstSignalTimeStamp":1732761646000,"archivedTime":0,"lockedOut":"","lockedOutTime":0,"expiryTime":0,"expiry":"n/a","actions":[{"action":"Comment","dateInLong":1732761646000,"resultState":"INFO","admin":"","comment":"CMaintenanceThrd::DoRwExtensionsMaintenance(): No new extensions found to import."}],"possibleActions":["Comment","Disable","Lockout","LogOff","FileBlocked","QuotaLimit","Script"],"signalStrengths":{"":0},"predicted":{},"isRoot":false,"monitorOnly":true,"peakMonitor":0,"peakWarning":0,"peakMajor":0,"peakCritical":0,"clientIPs":[],"numFiles":0,"isAudit":false,"isRSW":false,"isNFSMonitorMode":false,"isSMBSnapshotEnabled":false,"isFilePolicy":false,"eventSource":"Superna Data Security Policy Engine","displayUserActivity":false,"protocol":"","snapshots":{},"deletedSnapshots":[],"nfsProtocols":[],"isAPIEvent":false,"rswExtensions":[],"extraParams":{}} 2024-11-28 14:07:42,991 - DEBUG - Parsed JSON: { "id": "235:842ABBE616514C789365E6A60263037C", "severity": "INFO", "state": "INFO", "files": [], "rowKeys": [], "nes": [ "WIN-RS8MBDQN5MR" ], "user": "", "userName": "", "shares": [], "detected": "Nov 28, 2024 02:40:46 AM", "detectedTime": 1732761646000, "firstSignalTimeStamp": 1732761646000, "archivedTime": 0, "lockedOut": "", "lockedOutTime": 0, "expiryTime": 0, "expiry": "n/a", "actions": [ { "action": "Comment", "dateInLong": 1732761646000, "resultState": "INFO", "admin": "", "comment": "CMaintenanceThrd::DoRwExtensionsMaintenance(): No new extensions found to import." } ], "possibleActions": [ "Comment", "Disable", "Lockout", "LogOff", "FileBlocked", "QuotaLimit", "Script" ], "signalStrengths": { "": 0 }, "predicted": {}, "isRoot": false, "monitorOnly": true, "peakMonitor": 0, "peakWarning": 0, "peakMajor": 0, "peakCritical": 0, "clientIPs": [], "numFiles": 0, "isAudit": false, "isRSW": false, "isNFSMonitorMode": false, "isSMBSnapshotEnabled": false, "isFilePolicy": false, "eventSource": "Superna Data Security Policy Engine", "displayUserActivity": false, "protocol": "", "snapshots": {}, "deletedSnapshots": [], "nfsProtocols": [], "isAPIEvent": false, "rswExtensions": [], "extraParams": {} } 2024-11-28 14:07:42,991 - INFO - Event severity 'INFO' does not match trigger severities: ['MAJOR', 'CRITICAL', 'WARNING']. Skipping. 2024-11-28 14:07:42,991 - INFO - Processing Event - RecordNumber: 16439290, EventID: 235, TimeGenerated: Wed Nov 27 21:40:46 2024, Source: Superna Data Security Policy Engine 2024-11-28 14:07:42,991 - DEBUG - Raw JSON Payload: {"id":"235:6670C1CE2E6D43D4A42FCED7E0B4D70F","severity":"INFO","state":"INFO","files":[],"rowKeys":[],"nes":["WIN-RS8MBDQN5MR"],"user":"","userName":"","shares":[],"detected":"Nov 28, 2024 02:40:46 AM","detectedTime":1732761646000,"firstSignalTimeStamp":1732761646000,"archivedTime":0,"lockedOut":"","lockedOutTime":0,"expiryTime":0,"expiry":"n/a","actions":[{"action":"Comment","dateInLong":1732761646000,"resultState":"INFO","admin":"","comment":"CMaintenanceThrd::DoRwExtensionsMaintenance(): Loaded from web. Extension count: 5600"}],"possibleActions":["Comment","Disable","Lockout","LogOff","FileBlocked","QuotaLimit","Script"],"signalStrengths":{"":0},"predicted":{},"isRoot":false,"monitorOnly":true,"peakMonitor":0,"peakWarning":0,"peakMajor":0,"peakCritical":0,"clientIPs":[],"numFiles":0,"isAudit":false,"isRSW":false,"isNFSMonitorMode":false,"isSMBSnapshotEnabled":false,"isFilePolicy":false,"eventSource":"Superna Data Security Policy Engine","displayUserActivity":false,"protocol":"","snapshots":{},"deletedSnapshots":[],"nfsProtocols":[],"isAPIEvent":false,"rswExtensions":[],"extraParams":{}} 2024-11-28 14:07:42,991 - DEBUG - Parsed JSON: { "id": "235:6670C1CE2E6D43D4A42FCED7E0B4D70F", "severity": "INFO", "state": "INFO", "files": [], "rowKeys": [], "nes": [ "WIN-RS8MBDQN5MR" ], "user": "", "userName": "", "shares": [], "detected": "Nov 28, 2024 02:40:46 AM", "detectedTime": 1732761646000, "firstSignalTimeStamp": 1732761646000, "archivedTime": 0, "lockedOut": "", "lockedOutTime": 0, "expiryTime": 0, "expiry": "n/a", "actions": [ { "action": "Comment", "dateInLong": 1732761646000, "resultState": "INFO", "admin": "", "comment": "CMaintenanceThrd::DoRwExtensionsMaintenance(): Loaded from web. Extension count: 5600" } ], "possibleActions": [ "Comment", "Disable", "Lockout", "LogOff", "FileBlocked", "QuotaLimit", "Script" ], "signalStrengths": { "": 0 }, "predicted": {}, "isRoot": false, "monitorOnly": true, "peakMonitor": 0, "peakWarning": 0, "peakMajor": 0, "peakCritical": 0, "clientIPs": [], "numFiles": 0, "isAudit": false, "isRSW": false, "isNFSMonitorMode": false, "isSMBSnapshotEnabled": false, "isFilePolicy": false, "eventSource": "Superna Data Security Policy Engine", "displayUserActivity": false, "protocol": "", "snapshots": {}, "deletedSnapshots": [], "nfsProtocols": [], "isAPIEvent": false, "rswExtensions": [], "extraParams": {} } 2024-11-28 14:07:42,991 - INFO - Event severity 'INFO' does not match trigger severities: ['MAJOR', 'CRITICAL', 'WARNING']. Skipping. 2024-11-28 14:07:42,991 - INFO - Processing Event - RecordNumber: 16439268, EventID: 24, TimeGenerated: Wed Nov 27 13:36:21 2024, Source: Superna Data Security Essentials BOT Service 2024-11-28 14:07:42,991 - DEBUG - Raw JSON Payload: {"id":"24:0EC5DD26EA7C45F7AAADD8CA63EE9CDE","severity":"WARNING","state":"Comment","files":["C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (13) - Copy - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (13) - Copy - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (19) - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (19) - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (27) - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (27) - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (37) - Copy - Copy.txt","C:\\newserver\\mynewfolder\\mydata - Copy (37) - Copy - Copy.txt:Zone.Identifier","C:\\newserver\\mynewfolder\\mydata - Copy (9).txt","C:\\newserver\\mynewfolder\\mydata - Copy (9).txt:Zone.Identifier","C:\\newserver\\New folder","C:\\newserver\\testfolder - Copy\\mydata - Copy (10) - Copy - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (10) - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (11) - Copy - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (11) - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (12) - Copy - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (12) - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (13) - Copy - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (19) - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (20) - Copy - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (20) - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (27) - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (34) - Copy - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (34) - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (35) - Copy - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (35) - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (36) - Copy - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (36) - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (37) - Copy - Copy.txt","C:\\newserver\\testfolder - Copy\\mydata - Copy (9).txt"],"rowKeys":[],"nes":["WIN-RS8MBDQN5MR"],"user":"S-1-5-21-1675147199-1333658167-3477523002-1117","userName":"adcto1.test\\demouser","shares":[],"detected":"Nov 27, 2024 06:36:21 PM","detectedTime":1732732581000,"firstSignalTimeStamp":1732732581000,"archivedTime":0,"lockedOut":"","lockedOutTime":0,"expiryTime":0,"expiry":"n/a","actions":[{"action":"Comment","dateInLong":1732732581000,"resultState":"WARNING","admin":"","comment":"Result of BOT Actions: Disable User: No action taken, Logoff User: No action taken, Deny Share: No action taken, Execute Cmd: No action taken"}],"possibleActions":["Comment","Disable","Lockout","LogOff","FileBlocked","QuotaLimit","Script"],"signalStrengths":{"badbehavior":496},"predicted":{},"isRoot":false,"monitorOnly":true,"peakMonitor":0,"peakWarning":0,"peakMajor":0,"peakCritical":0,"clientIPs":["172.31.1.45"],"numFiles":58,"isAudit":true,"isRSW":false,"isNFSMonitorMode":false,"isSMBSnapshotEnabled":false,"isFilePolicy":false,"eventSource":"Superna Data Security Essentials BOT Service","displayUserActivity":false,"protocol":"","snapshots":{},"deletedSnapshots":[],"nfsProtocols":[],"isAPIEvent":false,"rswExtensions":[],"extraParams":{}} 2024-11-28 14:07:42,991 - DEBUG - Parsed JSON: { "id": "24:0EC5DD26EA7C45F7AAADD8CA63EE9CDE", "severity": "WARNING", "state": "Comment", "files": [ "C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (13) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (13) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (19) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (19) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (27) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (27) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (37) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (37) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (9).txt", "C:\\newserver\\mynewfolder\\mydata - Copy (9).txt:Zone.Identifier", "C:\\newserver\\New folder", "C:\\newserver\\testfolder - Copy\\mydata - Copy (10) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (10) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (11) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (11) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (12) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (12) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (13) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (19) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (20) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (20) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (27) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (34) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (34) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (35) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (35) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (36) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (36) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (37) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (9).txt" ], "rowKeys": [], "nes": [ "WIN-RS8MBDQN5MR" ], "user": "S-1-5-21-1675147199-1333658167-3477523002-1117", "userName": "adcto1.test\\demouser", "shares": [], "detected": "Nov 27, 2024 06:36:21 PM", "detectedTime": 1732732581000, "firstSignalTimeStamp": 1732732581000, "archivedTime": 0, "lockedOut": "", "lockedOutTime": 0, "expiryTime": 0, "expiry": "n/a", "actions": [ { "action": "Comment", "dateInLong": 1732732581000, "resultState": "WARNING", "admin": "", "comment": "Result of BOT Actions: Disable User: No action taken, Logoff User: No action taken, Deny Share: No action taken, Execute Cmd: No action taken" } ], "possibleActions": [ "Comment", "Disable", "Lockout", "LogOff", "FileBlocked", "QuotaLimit", "Script" ], "signalStrengths": { "badbehavior": 496 }, "predicted": {}, "isRoot": false, "monitorOnly": true, "peakMonitor": 0, "peakWarning": 0, "peakMajor": 0, "peakCritical": 0, "clientIPs": [ "172.31.1.45" ], "numFiles": 58, "isAudit": true, "isRSW": false, "isNFSMonitorMode": false, "isSMBSnapshotEnabled": false, "isFilePolicy": false, "eventSource": "Superna Data Security Essentials BOT Service", "displayUserActivity": false, "protocol": "", "snapshots": {}, "deletedSnapshots": [], "nfsProtocols": [], "isAPIEvent": false, "rswExtensions": [], "extraParams": {} } 2024-11-28 14:07:42,991 - DEBUG - Extracted Event: { "user": "S-1-5-21-1675147199-1333658167-3477523002-1117", "state": "Comment", "userName": "adcto1.test\\demouser", "protocol": "", "eventSource": "Superna Data Security Essentials BOT Service", "numFiles": 58, "nes": [ "WIN-RS8MBDQN5MR" ], "detected": "Nov 27, 2024 06:36:21 PM", "clientIPs": [ "172.31.1.45" ], "shares": [], "files": [ "C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (13) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (13) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (19) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (19) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (27) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (27) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (37) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (37) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (9).txt", "C:\\newserver\\mynewfolder\\mydata - Copy (9).txt:Zone.Identifier", "C:\\newserver\\New folder", "C:\\newserver\\testfolder - Copy\\mydata - Copy (10) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (10) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (11) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (11) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (12) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (12) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (13) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (19) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (20) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (20) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (27) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (34) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (34) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (35) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (35) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (36) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (36) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (37) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (9).txt" ] } 2024-11-28 14:07:42,991 - INFO - Processing Event - RecordNumber: 16439265, EventID: 17, TimeGenerated: Wed Nov 27 13:08:34 2024, Source: Superna Data Security Essentials BOT Service 2024-11-28 14:07:42,991 - DEBUG - Raw JSON Payload: {"id":"17:EE1D86C8B178485DAD11EBE0C497ECE0","severity":"ERROR","state":"ERROR","files":[],"rowKeys":[],"nes":["WIN-RS8MBDQN5MR"],"user":"","userName":"","shares":[],"detected":"Nov 27, 2024 06:08:34 PM","detectedTime":1732730914000,"firstSignalTimeStamp":1732730914000,"archivedTime":0,"lockedOut":"","lockedOutTime":0,"expiryTime":0,"expiry":"n/a","actions":[{"action":"Comment","dateInLong":1732730914000,"resultState":"ERROR","admin":"","comment":"Could not load all SMTP info from the registry."}],"possibleActions":["Comment","Disable","Lockout","LogOff","FileBlocked","QuotaLimit","Script"],"signalStrengths":{"":0},"predicted":{},"isRoot":false,"monitorOnly":true,"peakMonitor":0,"peakWarning":0,"peakMajor":0,"peakCritical":0,"clientIPs":[],"numFiles":0,"isAudit":false,"isRSW":false,"isNFSMonitorMode":false,"isSMBSnapshotEnabled":false,"isFilePolicy":false,"eventSource":"Superna Data Security Essentials BOT Service","displayUserActivity":false,"protocol":"","snapshots":{},"deletedSnapshots":[],"nfsProtocols":[],"isAPIEvent":false,"rswExtensions":[],"extraParams":{}} 2024-11-28 14:07:42,991 - DEBUG - Parsed JSON: { "id": "17:EE1D86C8B178485DAD11EBE0C497ECE0", "severity": "ERROR", "state": "ERROR", "files": [], "rowKeys": [], "nes": [ "WIN-RS8MBDQN5MR" ], "user": "", "userName": "", "shares": [], "detected": "Nov 27, 2024 06:08:34 PM", "detectedTime": 1732730914000, "firstSignalTimeStamp": 1732730914000, "archivedTime": 0, "lockedOut": "", "lockedOutTime": 0, "expiryTime": 0, "expiry": "n/a", "actions": [ { "action": "Comment", "dateInLong": 1732730914000, "resultState": "ERROR", "admin": "", "comment": "Could not load all SMTP info from the registry." } ], "possibleActions": [ "Comment", "Disable", "Lockout", "LogOff", "FileBlocked", "QuotaLimit", "Script" ], "signalStrengths": { "": 0 }, "predicted": {}, "isRoot": false, "monitorOnly": true, "peakMonitor": 0, "peakWarning": 0, "peakMajor": 0, "peakCritical": 0, "clientIPs": [], "numFiles": 0, "isAudit": false, "isRSW": false, "isNFSMonitorMode": false, "isSMBSnapshotEnabled": false, "isFilePolicy": false, "eventSource": "Superna Data Security Essentials BOT Service", "displayUserActivity": false, "protocol": "", "snapshots": {}, "deletedSnapshots": [], "nfsProtocols": [], "isAPIEvent": false, "rswExtensions": [], "extraParams": {} } 2024-11-28 14:07:42,991 - INFO - Event severity 'ERROR' does not match trigger severities: ['MAJOR', 'CRITICAL', 'WARNING']. Skipping. 2024-11-28 14:07:42,991 - INFO - Processing Event - RecordNumber: 16439264, EventID: 17, TimeGenerated: Wed Nov 27 13:08:34 2024, Source: Superna Data Security Essentials BOT Service 2024-11-28 14:07:42,991 - DEBUG - Raw JSON Payload: {"id":"17:A169C7F79C13411F8F390B06E64C4A55","severity":"ERROR","state":"ERROR","files":[],"rowKeys":[],"nes":["WIN-RS8MBDQN5MR"],"user":"","userName":"","shares":[],"detected":"Nov 27, 2024 06:08:34 PM","detectedTime":1732730914000,"firstSignalTimeStamp":1732730914000,"archivedTime":0,"lockedOut":"","lockedOutTime":0,"expiryTime":0,"expiry":"n/a","actions":[{"action":"Comment","dateInLong":1732730914000,"resultState":"ERROR","admin":"","comment":"Could not load all SMTP info from the registry."}],"possibleActions":["Comment","Disable","Lockout","LogOff","FileBlocked","QuotaLimit","Script"],"signalStrengths":{"":0},"predicted":{},"isRoot":false,"monitorOnly":true,"peakMonitor":0,"peakWarning":0,"peakMajor":0,"peakCritical":0,"clientIPs":[],"numFiles":0,"isAudit":false,"isRSW":false,"isNFSMonitorMode":false,"isSMBSnapshotEnabled":false,"isFilePolicy":false,"eventSource":"Superna Data Security Essentials BOT Service","displayUserActivity":false,"protocol":"","snapshots":{},"deletedSnapshots":[],"nfsProtocols":[],"isAPIEvent":false,"rswExtensions":[],"extraParams":{}} 2024-11-28 14:07:42,991 - DEBUG - Parsed JSON: { "id": "17:A169C7F79C13411F8F390B06E64C4A55", "severity": "ERROR", "state": "ERROR", "files": [], "rowKeys": [], "nes": [ "WIN-RS8MBDQN5MR" ], "user": "", "userName": "", "shares": [], "detected": "Nov 27, 2024 06:08:34 PM", "detectedTime": 1732730914000, "firstSignalTimeStamp": 1732730914000, "archivedTime": 0, "lockedOut": "", "lockedOutTime": 0, "expiryTime": 0, "expiry": "n/a", "actions": [ { "action": "Comment", "dateInLong": 1732730914000, "resultState": "ERROR", "admin": "", "comment": "Could not load all SMTP info from the registry." } ], "possibleActions": [ "Comment", "Disable", "Lockout", "LogOff", "FileBlocked", "QuotaLimit", "Script" ], "signalStrengths": { "": 0 }, "predicted": {}, "isRoot": false, "monitorOnly": true, "peakMonitor": 0, "peakWarning": 0, "peakMajor": 0, "peakCritical": 0, "clientIPs": [], "numFiles": 0, "isAudit": false, "isRSW": false, "isNFSMonitorMode": false, "isSMBSnapshotEnabled": false, "isFilePolicy": false, "eventSource": "Superna Data Security Essentials BOT Service", "displayUserActivity": false, "protocol": "", "snapshots": {}, "deletedSnapshots": [], "nfsProtocols": [], "isAPIEvent": false, "rswExtensions": [], "extraParams": {} } 2024-11-28 14:07:42,991 - INFO - Event severity 'ERROR' does not match trigger severities: ['MAJOR', 'CRITICAL', 'WARNING']. Skipping. 2024-11-28 14:07:42,991 - DEBUG - No more events to read. 2024-11-28 14:07:42,991 - INFO - Saved last processed record: 16439268, Wed Nov 27 13:36:21 2024, EventID: 24 2024-11-28 14:07:42,991 - INFO - Total Events to Send: 1 2024-11-28 14:07:42,991 - DEBUG - Starting new HTTPS connection (1): 172.31.1.251:8088 2024-11-28 14:07:43,023 - DEBUG - https://172.31.1.251:8088 "POST /services/collector/event HTTP/11" 200 27 2024-11-28 14:07:43,023 - INFO - Event sent to Splunk successfully. 2024-11-28 14:07:43,023 - INFO - Successfully sent event to Splunk: { "user": "S-1-5-21-1675147199-1333658167-3477523002-1117", "state": "Comment", "userName": "adcto1.test\\demouser", "protocol": "", "eventSource": "Superna Data Security Essentials BOT Service", "numFiles": 58, "nes": [ "WIN-RS8MBDQN5MR" ], "detected": "Nov 27, 2024 06:36:21 PM", "clientIPs": [ "172.31.1.45" ], "shares": [], "files": [ "C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (10) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (11) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (12) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (13) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (13) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (19) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (19) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (20) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (27) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (27) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (34) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (35) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (36) - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (37) - Copy - Copy.txt", "C:\\newserver\\mynewfolder\\mydata - Copy (37) - Copy - Copy.txt:Zone.Identifier", "C:\\newserver\\mynewfolder\\mydata - Copy (9).txt", "C:\\newserver\\mynewfolder\\mydata - Copy (9).txt:Zone.Identifier", "C:\\newserver\\New folder", "C:\\newserver\\testfolder - Copy\\mydata - Copy (10) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (10) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (11) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (11) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (12) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (12) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (13) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (19) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (20) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (20) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (27) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (34) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (34) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (35) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (35) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (36) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (36) - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (37) - Copy - Copy.txt", "C:\\newserver\\testfolder - Copy\\mydata - Copy (9).txt" ] }