From 51e4bbc75511e795ec4ed350de399c9dfaf5921e Mon Sep 17 00:00:00 2001 From: tristanlatr Date: Sun, 4 Oct 2020 13:45:48 -0400 Subject: [PATCH 01/14] Publish documentation with git --- .github/workflows/publish-test-docs-only.yml | 31 ++++++++++++-------- .github/workflows/publish.yml | 3 +- .github/workflows/test.yml | 3 +- msiempy/__init__.py | 5 +++- 4 files changed, 26 insertions(+), 16 deletions(-) diff --git a/.github/workflows/publish-test-docs-only.yml b/.github/workflows/publish-test-docs-only.yml index 7282821..7e8e7ee 100644 --- a/.github/workflows/publish-test-docs-only.yml +++ b/.github/workflows/publish-test-docs-only.yml @@ -17,6 +17,9 @@ jobs: steps: - uses: actions/checkout@v2 + with: + # Fetches entire history, so we can analyze commits since last tag + fetch-depth: 0 - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v2 with: 
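Review bot: The comment on the new `fetch-depth: 0` says the full history is needed "to analyze commits since last tag", but nothing visible in this workflow reads tags — the only git call this series adds to this file is `git log -n 1` for the current short hash, which works on a shallow clone (the rest of the job is outside this hunk). Cloning the entire history on every develop push is then cost without benefit. Either drop `fetch-depth: 0` here and keep it only in publish.yml, where the tag logic lives, or make the comment state this file's real reason, e.g. `# Full history: only needed if a later step inspects tags; a shallow clone suffices for git log -n 1`.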
@@ -37,19 +40,23 @@ jobs: rm -rf ./mfesiem.github.io/docs/test/msiempy cp -r ./docs_tmp/msiempy mfesiem.github.io/docs/test/ - # pyreverse -s 1 -f PUB_ONLY -o png -m y msiempy - # mv ./classes.png ./mfesiem.github.io/docs/test/msiempy - # mv ./packages.png ./mfesiem.github.io/docs/test/msiempy + # Ignore any errors on diagram generation + set +e + pyreverse -s 1 -f PUB_ONLY -o png -m y msiempy + mv ./classes.png ./mfesiem.github.io/docs/test/msiempy + mv ./packages.png ./mfesiem.github.io/docs/test/msiempy + set -e - name: Publish documentation - uses: peaceiris/actions-gh-pages@v3 - with: - deploy_key: ${{ secrets.MFESIEM_GITHUB_IO_PRIVATE_KEY }} - external_repository: mfesiem/mfesiem.github.io - publish_dir: mfesiem.github.io - publish_branch: 'master' - user_name: 'Github Actions' - user_email: "actions@github.com" - commit_message: "Generate documentation - develop" + env: + GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} + run: | + git config --global user.email "actions@github.com" + git config --global user.name "Github actions" + ref = "$(git log --pretty=tformat:'%h' -n 1)" + cd mfesiem.github.io + git add . + git commit -m "Generate documentation - develop mfesiem/msiempy@${ref}" + git push \ No newline at end of file diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 4683b5f..42c65ed 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -85,7 +85,8 @@ jobs: run: | version="$(python setup.py --version)" last_tag="$(git --no-pager tag -l | tail -1)" - git --no-pager log ${last_tag}.. --pretty=oneline > ./tmp_tag.txt + echo "msiempy ${version}" > ./tmp_tag.txt + git --no-pager log ${last_tag}.. --pretty=oneline >> ./tmp_tag.txt git config --global user.email "actions@github.com" git config --global user.name "Github actions" git tag -a ${version} -F ./tmp_tag.txt diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d180861..ca95208 100644 --- a/.github/workflows/test.yml 
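Review bot: Swapping the repository-scoped deploy key for a personal token widens what a leaked secret can do: `deploy_key` could only write to mfesiem.github.io, whereas `secrets.GH_TOKEN` (a PAT, judging by the name) carries write access to every repository its owner can push to, so this step moves away from least privilege. The token is also exported as `GITHUB_TOKEN` but never consumed — `git push` from inside `mfesiem.github.io` authenticates with whatever credential that clone was created with (the clone step is outside this hunk), so either the push fails or the token was embedded in the remote URL earlier and now sits in `.git/config` on the runner. If a raw `git push` is really preferred over the action, use a fine-grained token limited to that one repository and pass it per command, e.g. `git -c http.extraheader="AUTHORIZATION: basic $(printf 'x-access-token:%s' "$GITHUB_TOKEN" | base64 -w0)" push origin HEAD:master`, rather than persisting it in the clone. Note too that `git commit` exits non-zero when the generated docs are unchanged, which fails the job on a no-op run; `git diff --cached --quiet || git commit -m "..."` avoids that.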
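Review bot: The tag-message header written by the new `echo "msiempy ${version}"` line is fine, but the `last_tag` it is paired with comes from `git tag -l | tail -1`, which sorts tag names lexically, not by version: once a tag like `0.10.0` exists next to `0.9.0`, `tail -1` returns `0.9.0` and the generated changelog covers the wrong range. Use a version-aware sort, `last_tag="$(git tag -l --sort=-v:refname | head -1)"`, or `git describe --tags --abbrev=0` (the checkout must fetch tags for either). If no tag exists yet, `last_tag` is empty and the range becomes `..`, which as far as I can tell yields an empty log rather than an error; a guard such as `[ -n "$last_tag" ] || last_tag="$(git rev-list --max-parents=0 HEAD)"` makes the first release list its full history. The checkout and the tag push around this step are outside the hunk.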
+++ b/.github/workflows/test.yml @@ -1,7 +1,7 @@ name: test on: schedule: - - cron: '0 0 1,15 * *' + - cron: '0 0 1,7,15,23 * *' jobs: test: @@ -25,7 +25,6 @@ jobs: - name: Install dependencies run: | python -m pip install --upgrade pip - python -m pip install -r requirements.txt python -m pip install . python -m pip show msiempy diff --git a/msiempy/__init__.py b/msiempy/__init__.py index 09d5d94..fe36baf 100644 --- a/msiempy/__init__.py +++ b/msiempy/__init__.py @@ -251,7 +251,7 @@ """ # List all library objects that the user might need - +__pdoc__= {} from .core import NitroConfig, NitroError, NitroSession, FilteredQueryList, NitroList from .alarm import Alarm, AlarmManager from .device import ESM, DevTree, DataSource @@ -264,3 +264,6 @@ GroupedEvent, ) from .watchlist import Watchlist, WatchlistManager +from .__version__ import __version__ +VERSION = __version__ +__pdoc__['VERSION'] = """Project version: {}""".format(VERSION) \ No newline at end of file From 69662d667d5a84aeca79b7ef796ffd2b26ef333e Mon Sep 17 00:00:00 2001 From: tristanlatr Date: Sun, 4 Oct 2020 13:48:23 -0400 Subject: [PATCH 02/14] fix syntax --- .github/workflows/publish-test-docs-only.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-test-docs-only.yml b/.github/workflows/publish-test-docs-only.yml index 7e8e7ee..c086a9d 100644 --- a/.github/workflows/publish-test-docs-only.yml +++ b/.github/workflows/publish-test-docs-only.yml @@ -53,7 +53,7 @@ jobs: run: | git config --global user.email "actions@github.com" git config --global user.name "Github actions" - ref = "$(git log --pretty=tformat:'%h' -n 1)" + ref="$(git log --pretty=tformat:'%h' -n 1)" cd mfesiem.github.io git add . git commit -m "Generate documentation - develop mfesiem/msiempy@${ref}" From 309525d81664f7f65aef7001aaa4e4def9552476 Mon Sep 17 00:00:00 2001 
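Review bot: Dropping `python -m pip install -r requirements.txt` leaves `python -m pip install .` as the only source of dependency versions, and this scheduled job now runs four times a month (cron `0 0 1,7,15,23 * *` above), so whatever `install_requires` in setup.py allows (not visible here) is resolved fresh from PyPI on each run. If requirements.txt carried pins, this turns the job from a regression test of msiempy into a canary for upstream releases, and a red run may mean a dependency changed rather than the library. If that is intended, say so next to the install line: `# Resolve deps from setup.py only: the scheduled run deliberately tracks latest upstream releases`; if not, keep a pinned constraints file (`python -m pip install -c constraints.txt .`) so this workflow and the publish workflows test the same versions.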
From: tristanlatr Date: Sun, 4 Oct 2020 14:40:25 -0400 Subject: [PATCH 03/14] Roll back to using peaceiris/actions-gh-pages@v3 --- .github/workflows/publish-test-docs-only.yml | 20 ++++++++++---------- .github/workflows/publish.yml | 1 + 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/.github/workflows/publish-test-docs-only.yml b/.github/workflows/publish-test-docs-only.yml index c086a9d..c59c723 100644 --- a/.github/workflows/publish-test-docs-only.yml +++ b/.github/workflows/publish-test-docs-only.yml @@ -27,6 +27,7 @@ jobs: - name: Install dependencies run: | + apt-get install graphviz python -m pip install --upgrade pip python -m pip install -r requirements.txt python -m pip install . @@ -48,15 +49,14 @@ jobs: set -e - name: Publish documentation - env: - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} - run: | - git config --global user.email "actions@github.com" - git config --global user.name "Github actions" - ref="$(git log --pretty=tformat:'%h' -n 1)" - cd mfesiem.github.io - git add . - git commit -m "Generate documentation - develop mfesiem/msiempy@${ref}" - git push + uses: peaceiris/actions-gh-pages@v3 + with: + deploy_key: ${{ secrets.MFESIEM_GITHUB_IO_PRIVATE_KEY }} + external_repository: mfesiem/mfesiem.github.io + publish_dir: mfesiem.github.io + publish_branch: 'master' + user_name: 'Github Actions' + user_email: "actions@github.com" + commit_message: "Generate documentation - master" \ No newline at end of file diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 42c65ed..c14f8d8 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -27,6 +27,7 @@ jobs: - name: Install dependencies run: | + apt-get install graphviz python -m pip install --upgrade pip setuptools wheel python -m pip install -r requirements.txt python -m pip install . From a77033f8ee774ec040306bcbe530f01a48ef4155 Mon Sep 17 00:00:00 2001 
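Review bot: Going back to the deploy key is the right scoping decision, but this step hands that key — write access to the mfesiem.github.io repository — to a third-party action referenced by the floating tag `peaceiris/actions-gh-pages@v3`, which its maintainers, or anyone who compromises their account, can repoint at different code at any time. For an action that receives a private key, pin the full commit SHA and keep the version as a comment, e.g. `uses: peaceiris/actions-gh-pages@<40-char-sha> # v3.y.z`, and do the same for the `actions/checkout@v2` and `actions/setup-python@v2` steps earlier in the job (outside this hunk). The identical step in publish.yml should get the same pin.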
From: tristanlatr Date: Sun, 4 Oct 2020 14:48:46 -0400 Subject: [PATCH 04/14] enable_jekyll --- .github/workflows/publish-test-docs-only.yml | 1 + .github/workflows/publish.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/publish-test-docs-only.yml b/.github/workflows/publish-test-docs-only.yml index c59c723..1fde40d 100644 --- a/.github/workflows/publish-test-docs-only.yml +++ b/.github/workflows/publish-test-docs-only.yml @@ -58,5 +58,6 @@ jobs: user_name: 'Github Actions' user_email: "actions@github.com" commit_message: "Generate documentation - master" + enable_jekyll: true \ No newline at end of file diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index c14f8d8..aa836fa 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -70,6 +70,7 @@ jobs: user_name: 'Github Actions' user_email: "actions@github.com" commit_message: "Generate documentation - master" + enable_jekyll: true - name: Build msiempy run: python3 setup.py --quiet build check sdist bdist_wheel From 31920b7e1f48356b2896fcb0bac74d2da07987f1 Mon Sep 17 00:00:00 2001 From: tristanlatr Date: Sun, 4 Oct 2020 14:50:18 -0400 Subject: [PATCH 05/14] Fix graphviz install --- .github/workflows/publish-test-docs-only.yml | 2 +- .github/workflows/publish.yml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/publish-test-docs-only.yml b/.github/workflows/publish-test-docs-only.yml index 1fde40d..5ad545a 100644 --- a/.github/workflows/publish-test-docs-only.yml +++ b/.github/workflows/publish-test-docs-only.yml @@ -27,7 +27,7 @@ jobs: - name: Install dependencies run: | - apt-get install graphviz + sudo apt-get install graphviz python -m pip install --upgrade pip python -m pip install -r requirements.txt python -m pip install . diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index aa836fa..18aeea1 100644 --- a/.github/workflows/publish.yml 
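Review bot: `sudo apt-get install graphviz` still runs without `-y`: when apt needs to pull additional packages it asks for confirmation, and with no TTY on the runner that prompt reads EOF and aborts the install, so the later `pyreverse ... -o png` fails (silently in this workflow, because that block is wrapped in `set +e`). Use `sudo apt-get update && sudo apt-get install -y --no-install-recommends graphviz` so the install is non-interactive and does not depend on the image's cached package lists. The same line exists in publish.yml and should change the same way.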
+++ b/.github/workflows/publish.yml @@ -27,7 +27,7 @@ jobs: - name: Install dependencies run: | - apt-get install graphviz + sudo apt-get install graphviz python -m pip install --upgrade pip setuptools wheel python -m pip install -r requirements.txt python -m pip install . @@ -56,9 +56,9 @@ jobs: rm -rf ./mfesiem.github.io/docs/msiempy cp -r ./docs_tmp/msiempy mfesiem.github.io/docs/ - # pyreverse -s 1 -f PUB_ONLY -o png -m y msiempy - # mv ./classes.png ./mfesiem.github.io/docs/msiempy - # mv ./packages.png ./mfesiem.github.io/docs/msiempy + pyreverse -s 1 -f PUB_ONLY -o png -m y msiempy + mv ./classes.png ./mfesiem.github.io/docs/msiempy + mv ./packages.png ./mfesiem.github.io/docs/msiempy - name: Publish documentation uses: peaceiris/actions-gh-pages@v3 From 5ba737fd7117ff289d142e342079955318cf9802 Mon Sep 17 00:00:00 2001 From: tristanlatr Date: Sun, 4 Oct 2020 15:09:23 -0400 Subject: [PATCH 06/14] display version in docs --- .github/workflows/publish-test-docs-only.yml | 6 +- .github/workflows/publish.yml | 2 +- classes.dot | 52 ++++++ classes.vcg | 180 +++++++++++++++++++ msiempy/__init__.py | 10 +- packages.dot | 43 +++++ packages.vcg | 150 ++++++++++++++++ val.txt | 4 + 8 files changed, 438 insertions(+), 9 deletions(-) create mode 100644 classes.dot create mode 100644 classes.vcg create mode 100644 packages.dot create mode 100644 packages.vcg create mode 100644 val.txt diff --git a/.github/workflows/publish-test-docs-only.yml b/.github/workflows/publish-test-docs-only.yml index 5ad545a..a8401d3 100644 --- a/.github/workflows/publish-test-docs-only.yml +++ b/.github/workflows/publish-test-docs-only.yml @@ -33,7 +33,7 @@ jobs: python -m pip install . python -m pip show msiempy - - name: Generate documentation + - name: Generate test documentation run: | python3 -m pdoc msiempy --output-dir docs_tmp --html --force --template-dir ./.pdoc_templates 
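Review bot: Unlike the develop-docs workflow, which wraps the same three `pyreverse`/`mv` lines in `set +e` … `set -e`, here they run under the step's default `bash -e`, so a missing `dot` binary or a pyreverse failure aborts the release job before the documentation is published and before the package is built and uploaded (those steps follow this hunk). If the diagrams are best-effort, mirror the guard from publish-test-docs-only.yml; if they are required for a release, say so with a comment such as `# Diagrams are mandatory for a release: let a pyreverse failure stop the job` so the next person does not "fix" the inconsistency the other way. Whichever is chosen, the two workflows should agree.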
@@ -48,7 +48,7 @@ jobs: mv ./packages.png ./mfesiem.github.io/docs/test/msiempy set -e - - name: Publish documentation + - name: Publish test documentation to https://mfesiem.github.io/docs/test/msiempy/index.html uses: peaceiris/actions-gh-pages@v3 with: deploy_key: ${{ secrets.MFESIEM_GITHUB_IO_PRIVATE_KEY }} @@ -57,7 +57,7 @@ jobs: publish_branch: 'master' user_name: 'Github Actions' user_email: "actions@github.com" - commit_message: "Generate documentation - master" + commit_message: "Generate documentation - develop" enable_jekyll: true \ No newline at end of file diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 18aeea1..49df2b1 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -60,7 +60,7 @@ jobs: mv ./classes.png ./mfesiem.github.io/docs/msiempy mv ./packages.png ./mfesiem.github.io/docs/msiempy - - name: Publish documentation + - name: Publish documentation to https://mfesiem.github.io/docs/msiempy/index.html uses: peaceiris/actions-gh-pages@v3 with: deploy_key: ${{ secrets.MFESIEM_GITHUB_IO_PRIVATE_KEY }} diff --git a/classes.dot b/classes.dot new file mode 100644 index 0000000..56904ed --- /dev/null +++ b/classes.dot 
@@ -0,0 +1,52 @@ +digraph "classes" { +charset="utf-8" +rankdir=BT +"0" [label="{datetime.datetime|fold\lhour\lmicrosecond\lminute\lsecond\ltzinfo\l|astimezone(tz)\lcombine(cls, date, time, tzinfo)\lctime()\ldate()\ldst()\lfromisoformat(cls, date_string)\lfromtimestamp(cls, t, tz)\lisoformat(sep, timespec)\lnow(cls, tz)\lreplace(year, month, day, hour, minute, second, microsecond, tzinfo)\lstrptime(cls, date_string, format)\ltime()\ltimestamp()\ltimetuple()\ltimetz()\ltzname()\lutcfromtimestamp(cls, t)\lutcnow(cls)\lutcoffset()\lutctimetuple()\l}", shape="record"]; +"1" [label="{msiempy.alarm.Alarm|ALARM_DEFAULT_FIELDS : list\lALARM_EVENT_FILTER_FIELDS : list\lALARM_FIELDS_MAP : dict\lPOSSIBLE_ALARM_STATUS : list\l|acknowledge()\lceate_case()\ldata_from_id(id, use_priv)\ldelete()\lget_id()\lload_details()\lload_events(use_query, extra_fields, workers)\lmap_alarm_int_fields(alarm_details)\lrefresh()\lunacknowledge()\l}", shape="record"]; +"2" [label="{msiempy.alarm.AlarmManager|data\levent_filters\levent_filters : NoneType\lpage_size : int\lstatus_filter\lstatus_filter : str\l|add_event_filter(afilter)\ladd_filter(afilter)\lclear_filters()\lload_data(pages)\lqry_load_data(workers, alarms_details, events_details, use_query, extra_fields, page_number)\l}", shape="record"]; +"3" [label="{msiempy.core.config.NitroConfig|CONFIG_FILE_NAME : str\lCONF_DIR : str\lDEFAULT_CONF_DICT : dict\lhost\llogfile\lpasswd\lquiet\lssl_verify\ltimeout\luser\lverbose\l|find_ini_location()\liset(section, option, secure)\lwrite()\l}", shape="record"]; +"4" [label="{msiempy.core.query.FilteredQueryList|DEFAULT_TIME_RANGE : str\lPOSSIBLE_TIME_RANGE : list\lend_time\lend_time : NoneType\lfilters\lfilters : NoneType\lnot_completed : bool\lstart_time\lstart_time : NoneType\ltime_range\ltime_range : str, NoneType\l|add_filter(filter)\lclear_filters()\lload_data()\lqry_load_data()\l}", shape="record"]; +"5" [fontcolor="red", label="{msiempy.core.session.NitroError|\l|}", shape="record"]; +"6" 
[label="{msiempy.core.session.NitroSession|BASE_URL : str\lBASE_URL_PRIV : str\lPARAMS : dict\lapi_v : int\lconfig : NoneType\lesm_v : str\llogged_in : bool\llogin_info : dict\lsession\luser_tz_id : NoneType\l|api_request(method, data, http, callback, raw, secure, retry)\lbuildstamp()\lesm_request()\lget_internal_file(file_token)\llogin(retry)\llogout()\lrequest(request)\lversion()\l}", shape="record"]; +"7" [label="{msiempy.core.types.NitroDict|data : NoneType\ljson\ltext\l|data_from_id(id)\lget_id()\l}", shape="record"]; +"8" [label="{msiempy.core.types.NitroJSONEncoder|\l|default(obj)\l}", shape="record"]; +"9" [label="{msiempy.core.types.NitroList|json\ltext\l|get_text(format, fields, max_column_width, get_text_nest_attr)\lkeys()\lperform(func, data, func_args, confirm, asynch, workers, progress, message)\lrefresh()\lsearch()\l}", shape="record"]; +"10" [label="{msiempy.core.types.NitroObject|json\lnitro\ltext\l|refresh()\l}", shape="record"]; +"11" [label="{msiempy.device.DataSource|\l|data_from_id(id)\ldelete()\ldelete_client()\lget_id()\lload_details()\lrefresh()\l}", shape="record"]; +"12" [label="{msiempy.device.DevTree|data : NoneType\ldevicetree : list\l|add(attr)\ladd_client(attr)\lbuild_devtree()\lduplicate_datasource(ds_params)\lrecs()\lrefresh()\lsearch(term, zone_id)\lsearch_ds_group(field, term, zone_id)\l}", shape="record"]; +"13" [label="{msiempy.device.ESM|json\ltext\l|backup_status()\lbuildstamp()\lcallhome()\ldisks()\lget_alerts(ds_id, flows)\lram()\lrecs()\lrefresh()\lrules_history()\lrules_status()\lstatus()\ltime()\ltimezones()\ltype_id_to_venmod(type_id)\ltz_id_to_name(tz_id)\ltz_name_to_id(tz_name)\ltz_offsets()\lvenmod_to_type_id(vendor, model)\lversion()\l}", shape="record"]; +"14" [label="{msiempy.event.Event|DEFAULTS_EVENT_FIELDS : list\lFIELDS_TABLES : list\lREGULAR_EVENT_FIELDS : list\lSIEM_FIELDS_MAP_INTERNAL_NAME_TO_NICKNAME : dict\lSIEM_FIELDS_MAP_NICKNAME_TO_INTERNAL_NAME : dict\ldata\l|clear_notes()\ldata_from_id(id, use_query, 
extra_fields)\lget_id()\lrefresh(use_query, extra_fields)\lset_note(note, no_date)\l}", shape="record"]; +"15" [label="{msiempy.event.EventManager|POSSBILE_ROW_ORDER : list\ldata\lfields : list\llimit : int\lnot_completed : bool\lorder\lorder : NoneType\lstart_time\l|clear_filters()\lget_possible_fields()\lget_possible_filters()\lload_data(workers, slots, delta, max_query_depth)\lqry_load_data(retry, wait_timeout_sec)\l}", shape="record"]; +"16" [label="{msiempy.event.FieldFilter|DOCUMENTED_FILTERS : list\lPOSSIBLE_OPERATORS : list\lPOSSIBLE_VALUE_TYPES : list\ldata : dict\lname\loperator\loperator : str\lvalues\lvalues\l|add_basic_value(value)\ladd_value(type)\l}", shape="record"]; +"17" [label="{msiempy.event.GroupFilter|data : dict\l|}", shape="record"]; +"18" [label="{msiempy.event.GroupedEvent|SIEM_FIELDS_MAP_NICKNAME_TO_INTERNAL_NAME : dict\l|}", shape="record"]; +"19" [label="{msiempy.event.GroupedEventManager|data\lfield : NoneType\l|clear_filters()\lload_data()\lqry_load_data(num_rows, retry, wait_timeout_sec)\l}", shape="record"]; +"20" [label="{msiempy.event._QueryExecuteManager|\l|add_filter(afilter)\lget_field_nickname(field)\l}", shape="record"]; +"21" [label="{msiempy.event._QueryFilter|\l|}", shape="record"]; +"22" [label="{msiempy.watchlist.Watchlist|\l|add_values(values)\ldata_from_id(id)\lget_id()\lload_details()\lload_values()\lrefresh()\lremove_values(values)\l}", shape="record"]; +"23" [label="{msiempy.watchlist.WatchlistManager|data : NoneType\l|add(name, wl_type)\lget_watchlist_summary()\lget_wl_types()\lload_details()\lrefresh()\lremove(wl_id_list)\l}", shape="record"]; +"24" [label="{requests.sessions.Session|adapters : OrderedDict\lauth : NoneType\lcert : NoneType\lcookies : NoneType, RequestsCookieJar\lheaders : dict, CaseInsensitiveDict\lhooks\lmax_redirects : int\lparams : dict\lproxies : dict\lstream : bool\ltrust_env : bool\lverify : bool\l|close()\ldelete(url)\lget(url)\lget_adapter(url)\lhead(url)\lmerge_environment_settings(url, 
proxies, stream, verify, cert)\lmount(prefix, adapter)\loptions(url)\lpatch(url, data)\lpost(url, data, json)\lprepare_request(request)\lput(url, data)\lrequest(method, url, params, data, headers, cookies, files, auth, timeout, allow_redirects, proxies, hooks, stream, verify, cert, json)\lsend(request)\l}", shape="record"]; +"1" -> "7" [arrowhead="empty", arrowtail="none"]; +"2" -> "4" [arrowhead="empty", arrowtail="none"]; +"4" -> "9" [arrowhead="empty", arrowtail="none"]; +"7" -> "10" [arrowhead="empty", arrowtail="none"]; +"9" -> "10" [arrowhead="empty", arrowtail="none"]; +"11" -> "7" [arrowhead="empty", arrowtail="none"]; +"12" -> "9" [arrowhead="empty", arrowtail="none"]; +"13" -> "10" [arrowhead="empty", arrowtail="none"]; +"14" -> "7" [arrowhead="empty", arrowtail="none"]; +"15" -> "20" [arrowhead="empty", arrowtail="none"]; +"16" -> "21" [arrowhead="empty", arrowtail="none"]; +"17" -> "21" [arrowhead="empty", arrowtail="none"]; +"18" -> "14" [arrowhead="empty", arrowtail="none"]; +"19" -> "20" [arrowhead="empty", arrowtail="none"]; +"20" -> "4" [arrowhead="empty", arrowtail="none"]; +"22" -> "7" [arrowhead="empty", arrowtail="none"]; +"23" -> "9" [arrowhead="empty", arrowtail="none"]; +"0" -> "4" [arrowhead="diamond", arrowtail="none", fontcolor="green", label="start_time", style="solid"]; +"0" -> "4" [arrowhead="diamond", arrowtail="none", fontcolor="green", label="end_time", style="solid"]; +"3" -> "6" [arrowhead="diamond", arrowtail="none", fontcolor="green", label="config", style="solid"]; +"6" -> "10" [arrowhead="diamond", arrowtail="none", fontcolor="green", label="nitro", style="solid"]; +"24" -> "6" [arrowhead="diamond", arrowtail="none", fontcolor="green", label="session", style="solid"]; +"24" -> "6" [arrowhead="diamond", arrowtail="none", fontcolor="green", label="session", style="solid"]; +} diff --git a/classes.vcg b/classes.vcg new file mode 100644 index 0000000..24c0b6c --- /dev/null +++ b/classes.vcg 
@@ -0,0 +1,180 @@ +graph:{ + title:"classes" + layoutalgorithm:dfs + late_edge_labels:yes + port_sharing:no + manhattan_edges:yes + node: {title:"0" label:"\fbdatetime.datetime\fn\n\f___________________\n\f08fold\n\f08hour\n\f08microsecond\n\f08minute\n\f08second\n\f08tzinfo\n\f___________________\n\f10astimezone()\n\f10combine()\n\f10ctime()\n\f10date()\n\f10dst()\n\f10fromisoformat()\n\f10fromtimestamp()\n\f10isoformat()\n\f10now()\n\f10replace()\n\f10strptime()\n\f10time()\n\f10timestamp()\n\f10timetuple()\n\f10timetz()\n\f10tzname()\n\f10utcfromtimestamp()\n\f10utcnow()\n\f10utcoffset()\n\f10utctimetuple()" + shape:box +} + node: {title:"1" label:"\fbmsiempy.alarm.Alarm\fn\n\f__________________________________\n\f08ALARM_DEFAULT_FIELDS : list\n\f08ALARM_EVENT_FILTER_FIELDS : list\n\f08ALARM_FIELDS_MAP : dict\n\f08POSSIBLE_ALARM_STATUS : list\n\f__________________________________\n\f10acknowledge()\n\f10ceate_case()\n\f10data_from_id()\n\f10delete()\n\f10get_id()\n\f10load_details()\n\f10load_events()\n\f10map_alarm_int_fields()\n\f10refresh()\n\f10unacknowledge()" + shape:box +} + node: {title:"2" label:"\fbmsiempy.alarm.AlarmManager\fn\n\f____________________________\n\f08data\n\f08event_filters\n\f08event_filters : NoneType\n\f08page_size : int\n\f08status_filter\n\f08status_filter : str\n\f____________________________\n\f10add_event_filter()\n\f10add_filter()\n\f10clear_filters()\n\f10load_data()\n\f10qry_load_data()" + shape:box +} + node: {title:"3" label:"\fbmsiempy.core.config.NitroConfig\fn\n\f_________________________________\n\f08CONFIG_FILE_NAME : str\n\f08CONF_DIR : str\n\f08DEFAULT_CONF_DICT : dict\n\f08host\n\f08logfile\n\f08passwd\n\f08quiet\n\f08ssl_verify\n\f08timeout\n\f08user\n\f08verbose\n\f_________________________________\n\f10find_ini_location()\n\f10iset()\n\f10write()" + shape:box +} + node: {title:"4" label:"\fbmsiempy.core.query.FilteredQueryList\fn\n\f______________________________________\n\f08DEFAULT_TIME_RANGE : 
str\n\f08POSSIBLE_TIME_RANGE : list\n\f08end_time\n\f08end_time : NoneType\n\f08filters\n\f08filters : NoneType\n\f08not_completed : bool\n\f08start_time\n\f08start_time : NoneType\n\f08time_range\n\f08time_range : str, NoneType\n\f______________________________________\n\f10add_filter()\n\f10clear_filters()\n\f10load_data()\n\f10qry_load_data()" + shape:box +} + node: {title:"5" label:"\fb\f09msiempy.core.session.NitroError\fn\n\f_________________________________" + shape:box +} + node: {title:"6" label:"\fbmsiempy.core.session.NitroSession\fn\n\f___________________________________\n\f08BASE_URL : str\n\f08BASE_URL_PRIV : str\n\f08PARAMS : dict\n\f08api_v : int\n\f08config : NoneType\n\f08esm_v : str\n\f08logged_in : bool\n\f08login_info : dict\n\f08session\n\f08user_tz_id : NoneType\n\f___________________________________\n\f10api_request()\n\f10buildstamp()\n\f10esm_request()\n\f10get_internal_file()\n\f10login()\n\f10logout()\n\f10request()\n\f10version()" + shape:box +} + node: {title:"7" label:"\fbmsiempy.core.types.NitroDict\fn\n\f______________________________\n\f08data : NoneType\n\f08json\n\f08text\n\f______________________________\n\f10data_from_id()\n\f10get_id()" + shape:box +} + node: {title:"8" label:"\fbmsiempy.core.types.NitroJSONEncoder\fn\n\f_____________________________________\n\f10default()" + shape:box +} + node: {title:"9" label:"\fbmsiempy.core.types.NitroList\fn\n\f______________________________\n\f08json\n\f08text\n\f______________________________\n\f10get_text()\n\f10keys()\n\f10perform()\n\f10refresh()\n\f10search()" + shape:box +} + node: {title:"10" label:"\fbmsiempy.core.types.NitroObject\fn\n\f________________________________\n\f08json\n\f08nitro\n\f08text\n\f________________________________\n\f10refresh()" + shape:box +} + node: {title:"11" label:"\fbmsiempy.device.DataSource\fn\n\f___________________________\n\f10data_from_id()\n\f10delete()\n\f10delete_client()\n\f10get_id()\n\f10load_details()\n\f10refresh()" + shape:box +} + 
node: {title:"12" label:"\fbmsiempy.device.DevTree\fn\n\f________________________\n\f08data : NoneType\n\f08devicetree : list\n\f________________________\n\f10add()\n\f10add_client()\n\f10build_devtree()\n\f10duplicate_datasource()\n\f10recs()\n\f10refresh()\n\f10search()\n\f10search_ds_group()" + shape:box +} + node: {title:"13" label:"\fbmsiempy.device.ESM\fn\n\f____________________\n\f08json\n\f08text\n\f____________________\n\f10backup_status()\n\f10buildstamp()\n\f10callhome()\n\f10disks()\n\f10get_alerts()\n\f10ram()\n\f10recs()\n\f10refresh()\n\f10rules_history()\n\f10rules_status()\n\f10status()\n\f10time()\n\f10timezones()\n\f10type_id_to_venmod()\n\f10tz_id_to_name()\n\f10tz_name_to_id()\n\f10tz_offsets()\n\f10venmod_to_type_id()\n\f10version()" + shape:box +} + node: {title:"14" label:"\fbmsiempy.event.Event\fn\n\f__________________________________________________\n\f08DEFAULTS_EVENT_FIELDS : list\n\f08FIELDS_TABLES : list\n\f08REGULAR_EVENT_FIELDS : list\n\f08SIEM_FIELDS_MAP_INTERNAL_NAME_TO_NICKNAME : dict\n\f08SIEM_FIELDS_MAP_NICKNAME_TO_INTERNAL_NAME : dict\n\f08data\n\f__________________________________________________\n\f10clear_notes()\n\f10data_from_id()\n\f10get_id()\n\f10refresh()\n\f10set_note()" + shape:box +} + node: {title:"15" label:"\fbmsiempy.event.EventManager\fn\n\f____________________________\n\f08POSSBILE_ROW_ORDER : list\n\f08data\n\f08fields : list\n\f08limit : int\n\f08not_completed : bool\n\f08order\n\f08order : NoneType\n\f08start_time\n\f____________________________\n\f10clear_filters()\n\f10get_possible_fields()\n\f10get_possible_filters()\n\f10load_data()\n\f10qry_load_data()" + shape:box +} + node: {title:"16" label:"\fbmsiempy.event.FieldFilter\fn\n\f_____________________________\n\f08DOCUMENTED_FILTERS : list\n\f08POSSIBLE_OPERATORS : list\n\f08POSSIBLE_VALUE_TYPES : list\n\f08data : dict\n\f08name\n\f08operator\n\f08operator : 
str\n\f08values\n\f08values\n\f_____________________________\n\f10add_basic_value()\n\f10add_value()" + shape:box +} + node: {title:"17" label:"\fbmsiempy.event.GroupFilter\fn\n\f___________________________\n\f08data : dict\n\f___________________________" + shape:box +} + node: {title:"18" label:"\fbmsiempy.event.GroupedEvent\fn\n\f__________________________________________________\n\f08SIEM_FIELDS_MAP_NICKNAME_TO_INTERNAL_NAME : dict\n\f__________________________________________________" + shape:box +} + node: {title:"19" label:"\fbmsiempy.event.GroupedEventManager\fn\n\f___________________________________\n\f08data\n\f08field : NoneType\n\f___________________________________\n\f10clear_filters()\n\f10load_data()\n\f10qry_load_data()" + shape:box +} + node: {title:"20" label:"\fbmsiempy.event._QueryExecuteManager\fn\n\f____________________________________\n\f10add_filter()\n\f10get_field_nickname()" + shape:box +} + node: {title:"21" label:"\fbmsiempy.event._QueryFilter\fn\n\f____________________________" + shape:box +} + node: {title:"22" label:"\fbmsiempy.watchlist.Watchlist\fn\n\f_____________________________\n\f10add_values()\n\f10data_from_id()\n\f10get_id()\n\f10load_details()\n\f10load_values()\n\f10refresh()\n\f10remove_values()" + shape:box +} + node: {title:"23" label:"\fbmsiempy.watchlist.WatchlistManager\fn\n\f____________________________________\n\f08data : NoneType\n\f____________________________________\n\f10add()\n\f10get_watchlist_summary()\n\f10get_wl_types()\n\f10load_details()\n\f10refresh()\n\f10remove()" + shape:box +} + node: {title:"24" label:"\fbrequests.sessions.Session\fn\n\f_______________________________________\n\f08adapters : OrderedDict\n\f08auth : NoneType\n\f08cert : NoneType\n\f08cookies : RequestsCookieJar, NoneType\n\f08headers : dict, CaseInsensitiveDict\n\f08hooks\n\f08max_redirects : int\n\f08params : dict\n\f08proxies : dict\n\f08stream : bool\n\f08trust_env : bool\n\f08verify : 
bool\n\f_______________________________________\n\f10close()\n\f10delete()\n\f10get()\n\f10get_adapter()\n\f10head()\n\f10merge_environment_settings()\n\f10mount()\n\f10options()\n\f10patch()\n\f10post()\n\f10prepare_request()\n\f10put()\n\f10request()\n\f10send()" + shape:box +} + edge: {sourcename:"1" targetname:"7" arrowstyle:solid + backarrowstyle:none + backarrowsize:10 +} + edge: {sourcename:"2" targetname:"4" arrowstyle:solid + backarrowstyle:none + backarrowsize:10 +} + edge: {sourcename:"4" targetname:"9" arrowstyle:solid + backarrowstyle:none + backarrowsize:10 +} + edge: {sourcename:"7" targetname:"10" arrowstyle:solid + backarrowstyle:none + backarrowsize:10 +} + edge: {sourcename:"9" targetname:"10" arrowstyle:solid + backarrowstyle:none + backarrowsize:10 +} + edge: {sourcename:"11" targetname:"7" arrowstyle:solid + backarrowstyle:none + backarrowsize:10 +} + edge: {sourcename:"12" targetname:"9" arrowstyle:solid + backarrowstyle:none + backarrowsize:10 +} + edge: {sourcename:"13" targetname:"10" arrowstyle:solid + backarrowstyle:none + backarrowsize:10 +} + edge: {sourcename:"14" targetname:"7" arrowstyle:solid + backarrowstyle:none + backarrowsize:10 +} + edge: {sourcename:"15" targetname:"20" arrowstyle:solid + backarrowstyle:none + backarrowsize:10 +} + edge: {sourcename:"16" targetname:"21" arrowstyle:solid + backarrowstyle:none + backarrowsize:10 +} + edge: {sourcename:"17" targetname:"21" arrowstyle:solid + backarrowstyle:none + backarrowsize:10 +} + edge: {sourcename:"18" targetname:"14" arrowstyle:solid + backarrowstyle:none + backarrowsize:10 +} + edge: {sourcename:"19" targetname:"20" arrowstyle:solid + backarrowstyle:none + backarrowsize:10 +} + edge: {sourcename:"20" targetname:"4" arrowstyle:solid + backarrowstyle:none + backarrowsize:10 +} + edge: {sourcename:"22" targetname:"7" arrowstyle:solid + backarrowstyle:none + backarrowsize:10 +} + edge: {sourcename:"23" targetname:"9" arrowstyle:solid + backarrowstyle:none + backarrowsize:10 
+} + edge: {sourcename:"0" targetname:"4" label:"start_time" + arrowstyle:solid + backarrowstyle:none + textcolor:green +} + edge: {sourcename:"0" targetname:"4" label:"end_time" + arrowstyle:solid + backarrowstyle:none + textcolor:green +} + edge: {sourcename:"3" targetname:"6" label:"config" + arrowstyle:solid + backarrowstyle:none + textcolor:green +} + edge: {sourcename:"6" targetname:"10" label:"nitro" + arrowstyle:solid + backarrowstyle:none + textcolor:green +} + edge: {sourcename:"24" targetname:"6" label:"session" + arrowstyle:solid + backarrowstyle:none + textcolor:green +} + edge: {sourcename:"24" targetname:"6" label:"session" + arrowstyle:solid + backarrowstyle:none + textcolor:green +} +} diff --git a/msiempy/__init__.py b/msiempy/__init__.py index fe36baf..767cc05 100644 --- a/msiempy/__init__.py +++ b/msiempy/__init__.py @@ -1,5 +1,6 @@ # -*- coding: utf-8 -*- -""" +__pdoc__= {} +__pdoc__['msiempy']=""" Welcome to the **msiempy** library documentation. The pythonic way to deal with McAfee SIEM API. Head out to one of the sub-modules to see objects definitions or scroll down for general documentation. @@ -251,7 +252,7 @@ """ # List all library objects that the user might need -__pdoc__= {} + from .core import NitroConfig, NitroError, NitroSession, FilteredQueryList, NitroList from .alarm import Alarm, AlarmManager from .device import ESM, DevTree, DataSource @@ -264,6 +265,5 @@ GroupedEvent, ) from .watchlist import Watchlist, WatchlistManager -from .__version__ import __version__ -VERSION = __version__ -__pdoc__['VERSION'] = """Project version: {}""".format(VERSION) \ No newline at end of file +from .__version__ import __version__ as VERSION +__pdoc__['msiempy.VERSION'] = "msiempy {}".format(VERSION) \ No newline at end of file diff --git a/packages.dot b/packages.dot new file mode 100644 index 0000000..4cb0fa8 --- /dev/null +++ b/packages.dot 
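Review bot: Turning the module docstring into `__pdoc__['msiempy']="""…"""` removes it as a docstring: the string is no longer the first statement, so `msiempy.__doc__` is `None` and `help(msiempy)`, pydoc and IDE hovers lose the whole introduction; I am also not certain pdoc honors a `__pdoc__` key naming the module itself rather than one of its members. Keep the text as a real docstring and only add the dict afterwards, i.e. leave the original `"""` opening in place and put `__pdoc__ = {}` after the closing `"""`, which is all the `__pdoc__['msiempy.VERSION']` entry further down needs. Separately, this commit's diffstat adds `classes.dot`, `classes.vcg`, `packages.dot`, `packages.vcg` and `val.txt` at the repository root; they look like local pyreverse output rather than sources, so they should be dropped from the commit and listed in `.gitignore`.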
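Review bot: `from .__version__ import __version__ as VERSION` exposes the version only under the new name; the conventional `msiempy.__version__` attribute that the previous revision in this series exported, and that many tools and users look for, disappears from the package namespace. Keeping both costs one line: `from .__version__ import __version__` followed by `VERSION = __version__`. The file also still ends without a trailing newline, which every hunk in this series flags.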
@@ -0,0 +1,43 @@ +digraph "packages" { +charset="utf-8" +rankdir=BT +"0" [label="msiempy", shape="box"]; +"1" [label="msiempy.__utils__", shape="box"]; +"2" [label="msiempy.__version__", shape="box"]; +"3" [label="msiempy.alarm", shape="box"]; +"4" [label="msiempy.core", shape="box"]; +"5" [label="msiempy.core.config", shape="box"]; +"6" [label="msiempy.core.query", shape="box"]; +"7" [label="msiempy.core.session", shape="box"]; +"8" [label="msiempy.core.types", shape="box"]; +"9" [label="msiempy.core.utils", shape="box"]; +"10" [label="msiempy.device", shape="box"]; +"11" [label="msiempy.event", shape="box"]; +"12" [label="msiempy.watchlist", shape="box"]; +"0" -> "3" [arrowhead="open", arrowtail="none"]; +"0" -> "4" [arrowhead="open", arrowtail="none"]; +"0" -> "10" [arrowhead="open", arrowtail="none"]; +"0" -> "11" [arrowhead="open", arrowtail="none"]; +"0" -> "12" [arrowhead="open", arrowtail="none"]; +"1" -> "9" [arrowhead="open", arrowtail="none"]; +"3" -> "4" [arrowhead="open", arrowtail="none"]; +"3" -> "9" [arrowhead="open", arrowtail="none"]; +"3" -> "11" [arrowhead="open", arrowtail="none"]; +"4" -> "5" [arrowhead="open", arrowtail="none"]; +"4" -> "6" [arrowhead="open", arrowtail="none"]; +"4" -> "7" [arrowhead="open", arrowtail="none"]; +"4" -> "8" [arrowhead="open", arrowtail="none"]; +"5" -> "9" [arrowhead="open", arrowtail="none"]; +"6" -> "8" [arrowhead="open", arrowtail="none"]; +"6" -> "9" [arrowhead="open", arrowtail="none"]; +"7" -> "5" [arrowhead="open", arrowtail="none"]; +"7" -> "9" [arrowhead="open", arrowtail="none"]; +"8" -> "7" [arrowhead="open", arrowtail="none"]; +"8" -> "9" [arrowhead="open", arrowtail="none"]; +"10" -> "4" [arrowhead="open", arrowtail="none"]; +"10" -> "9" [arrowhead="open", arrowtail="none"]; +"11" -> "4" [arrowhead="open", arrowtail="none"]; +"11" -> "9" [arrowhead="open", arrowtail="none"]; +"11" -> "10" [arrowhead="open", arrowtail="none"]; +"12" -> "4" [arrowhead="open", arrowtail="none"]; +} 
diff --git a/packages.vcg b/packages.vcg new file mode 100644 index 0000000..cc33e20 --- /dev/null +++ b/packages.vcg 
@@ -0,0 +1,150 @@ +graph:{ + title:"packages" + layoutalgorithm:dfs + late_edge_labels:yes + port_sharing:no + manhattan_edges:yes + node: {title:"0" label:"\fbmsiempy\fn" + shape:box +} + node: {title:"1" label:"\fbmsiempy.__utils__\fn" + shape:box +} + node: {title:"2" label:"\fbmsiempy.__version__\fn" + shape:box +} + node: {title:"3" label:"\fbmsiempy.alarm\fn" + shape:box +} + node: {title:"4" label:"\fbmsiempy.core\fn" + shape:box +} + node: {title:"5" label:"\fbmsiempy.core.config\fn" + shape:box +} + node: {title:"6" label:"\fbmsiempy.core.query\fn" + shape:box +} + node: {title:"7" label:"\fbmsiempy.core.session\fn" + shape:box +} + node: {title:"8" label:"\fbmsiempy.core.types\fn" + shape:box +} + node: {title:"9" label:"\fbmsiempy.core.utils\fn" + shape:box +} + node: {title:"10" label:"\fbmsiempy.device\fn" + shape:box +} + node: {title:"11" label:"\fbmsiempy.event\fn" + shape:box +} + node: {title:"12" label:"\fbmsiempy.watchlist\fn" + shape:box +} + edge: {sourcename:"0" targetname:"3" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"0" targetname:"4" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"0" targetname:"10" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"0" targetname:"11" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"0" targetname:"12" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"1" targetname:"9" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"3" targetname:"4" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"3" targetname:"9" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"3" targetname:"11" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"4" targetname:"5" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"4" 
targetname:"6" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"4" targetname:"7" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"4" targetname:"8" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"5" targetname:"9" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"6" targetname:"8" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"6" targetname:"9" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"7" targetname:"5" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"7" targetname:"9" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"8" targetname:"7" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"8" targetname:"9" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"10" targetname:"4" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"10" targetname:"9" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"11" targetname:"4" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"11" targetname:"9" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"11" targetname:"10" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} + edge: {sourcename:"12" targetname:"4" arrowstyle:solid + backarrowstyle:none + backarrowsize:0 +} +} diff --git a/val.txt b/val.txt new file mode 100644 index 0000000..b48c99e --- /dev/null +++ b/val.txt @@ -0,0 +1,4 @@ +::0 +1.1.1.1 +2.2.2.2 +127.0.0.1 From a22bd6788e91cb4d4cf0d6845f29248b49741724 Mon Sep 17 00:00:00 2001 
From: tristanlatr Date: Sun, 4 Oct 2020 15:10:03 -0400 Subject: [PATCH 07/14] deleted useless files --- classes.dot | 52 --------------- classes.vcg | 180 --------------------------------------------------- packages.dot | 43 ------------ packages.vcg | 150 ------------------------------------------ val.txt | 4 -- 5 files changed, 429 deletions(-) delete mode 100644 classes.dot delete mode 100644 classes.vcg delete mode 100644 packages.dot delete mode 100644 packages.vcg delete mode 100644 val.txt diff --git a/classes.dot b/classes.dot deleted file mode 100644 index 56904ed..0000000 --- a/classes.dot +++ /dev/null 
@@ -1,52 +0,0 @@ -digraph "classes" { -charset="utf-8" -rankdir=BT -"0" [label="{datetime.datetime|fold\lhour\lmicrosecond\lminute\lsecond\ltzinfo\l|astimezone(tz)\lcombine(cls, date, time, tzinfo)\lctime()\ldate()\ldst()\lfromisoformat(cls, date_string)\lfromtimestamp(cls, t, tz)\lisoformat(sep, timespec)\lnow(cls, tz)\lreplace(year, month, day, hour, minute, second, microsecond, tzinfo)\lstrptime(cls, date_string, format)\ltime()\ltimestamp()\ltimetuple()\ltimetz()\ltzname()\lutcfromtimestamp(cls, t)\lutcnow(cls)\lutcoffset()\lutctimetuple()\l}", shape="record"]; -"1" [label="{msiempy.alarm.Alarm|ALARM_DEFAULT_FIELDS : list\lALARM_EVENT_FILTER_FIELDS : list\lALARM_FIELDS_MAP : dict\lPOSSIBLE_ALARM_STATUS : list\l|acknowledge()\lceate_case()\ldata_from_id(id, use_priv)\ldelete()\lget_id()\lload_details()\lload_events(use_query, extra_fields, workers)\lmap_alarm_int_fields(alarm_details)\lrefresh()\lunacknowledge()\l}", shape="record"]; -"2" [label="{msiempy.alarm.AlarmManager|data\levent_filters\levent_filters : NoneType\lpage_size : int\lstatus_filter\lstatus_filter : str\l|add_event_filter(afilter)\ladd_filter(afilter)\lclear_filters()\lload_data(pages)\lqry_load_data(workers, alarms_details, events_details, use_query, extra_fields, page_number)\l}", shape="record"]; -"3" [label="{msiempy.core.config.NitroConfig|CONFIG_FILE_NAME : str\lCONF_DIR : str\lDEFAULT_CONF_DICT : dict\lhost\llogfile\lpasswd\lquiet\lssl_verify\ltimeout\luser\lverbose\l|find_ini_location()\liset(section, option, secure)\lwrite()\l}", shape="record"]; -"4" [label="{msiempy.core.query.FilteredQueryList|DEFAULT_TIME_RANGE : str\lPOSSIBLE_TIME_RANGE : list\lend_time\lend_time : NoneType\lfilters\lfilters : NoneType\lnot_completed : bool\lstart_time\lstart_time : NoneType\ltime_range\ltime_range : str, NoneType\l|add_filter(filter)\lclear_filters()\lload_data()\lqry_load_data()\l}", shape="record"]; -"5" [fontcolor="red", label="{msiempy.core.session.NitroError|\l|}", shape="record"]; -"6" 
[label="{msiempy.core.session.NitroSession|BASE_URL : str\lBASE_URL_PRIV : str\lPARAMS : dict\lapi_v : int\lconfig : NoneType\lesm_v : str\llogged_in : bool\llogin_info : dict\lsession\luser_tz_id : NoneType\l|api_request(method, data, http, callback, raw, secure, retry)\lbuildstamp()\lesm_request()\lget_internal_file(file_token)\llogin(retry)\llogout()\lrequest(request)\lversion()\l}", shape="record"]; -"7" [label="{msiempy.core.types.NitroDict|data : NoneType\ljson\ltext\l|data_from_id(id)\lget_id()\l}", shape="record"]; -"8" [label="{msiempy.core.types.NitroJSONEncoder|\l|default(obj)\l}", shape="record"]; -"9" [label="{msiempy.core.types.NitroList|json\ltext\l|get_text(format, fields, max_column_width, get_text_nest_attr)\lkeys()\lperform(func, data, func_args, confirm, asynch, workers, progress, message)\lrefresh()\lsearch()\l}", shape="record"]; -"10" [label="{msiempy.core.types.NitroObject|json\lnitro\ltext\l|refresh()\l}", shape="record"]; -"11" [label="{msiempy.device.DataSource|\l|data_from_id(id)\ldelete()\ldelete_client()\lget_id()\lload_details()\lrefresh()\l}", shape="record"]; -"12" [label="{msiempy.device.DevTree|data : NoneType\ldevicetree : list\l|add(attr)\ladd_client(attr)\lbuild_devtree()\lduplicate_datasource(ds_params)\lrecs()\lrefresh()\lsearch(term, zone_id)\lsearch_ds_group(field, term, zone_id)\l}", shape="record"]; -"13" [label="{msiempy.device.ESM|json\ltext\l|backup_status()\lbuildstamp()\lcallhome()\ldisks()\lget_alerts(ds_id, flows)\lram()\lrecs()\lrefresh()\lrules_history()\lrules_status()\lstatus()\ltime()\ltimezones()\ltype_id_to_venmod(type_id)\ltz_id_to_name(tz_id)\ltz_name_to_id(tz_name)\ltz_offsets()\lvenmod_to_type_id(vendor, model)\lversion()\l}", shape="record"]; -"14" [label="{msiempy.event.Event|DEFAULTS_EVENT_FIELDS : list\lFIELDS_TABLES : list\lREGULAR_EVENT_FIELDS : list\lSIEM_FIELDS_MAP_INTERNAL_NAME_TO_NICKNAME : dict\lSIEM_FIELDS_MAP_NICKNAME_TO_INTERNAL_NAME : dict\ldata\l|clear_notes()\ldata_from_id(id, use_query, 
extra_fields)\lget_id()\lrefresh(use_query, extra_fields)\lset_note(note, no_date)\l}", shape="record"]; -"15" [label="{msiempy.event.EventManager|POSSBILE_ROW_ORDER : list\ldata\lfields : list\llimit : int\lnot_completed : bool\lorder\lorder : NoneType\lstart_time\l|clear_filters()\lget_possible_fields()\lget_possible_filters()\lload_data(workers, slots, delta, max_query_depth)\lqry_load_data(retry, wait_timeout_sec)\l}", shape="record"]; -"16" [label="{msiempy.event.FieldFilter|DOCUMENTED_FILTERS : list\lPOSSIBLE_OPERATORS : list\lPOSSIBLE_VALUE_TYPES : list\ldata : dict\lname\loperator\loperator : str\lvalues\lvalues\l|add_basic_value(value)\ladd_value(type)\l}", shape="record"]; -"17" [label="{msiempy.event.GroupFilter|data : dict\l|}", shape="record"]; -"18" [label="{msiempy.event.GroupedEvent|SIEM_FIELDS_MAP_NICKNAME_TO_INTERNAL_NAME : dict\l|}", shape="record"]; -"19" [label="{msiempy.event.GroupedEventManager|data\lfield : NoneType\l|clear_filters()\lload_data()\lqry_load_data(num_rows, retry, wait_timeout_sec)\l}", shape="record"]; -"20" [label="{msiempy.event._QueryExecuteManager|\l|add_filter(afilter)\lget_field_nickname(field)\l}", shape="record"]; -"21" [label="{msiempy.event._QueryFilter|\l|}", shape="record"]; -"22" [label="{msiempy.watchlist.Watchlist|\l|add_values(values)\ldata_from_id(id)\lget_id()\lload_details()\lload_values()\lrefresh()\lremove_values(values)\l}", shape="record"]; -"23" [label="{msiempy.watchlist.WatchlistManager|data : NoneType\l|add(name, wl_type)\lget_watchlist_summary()\lget_wl_types()\lload_details()\lrefresh()\lremove(wl_id_list)\l}", shape="record"]; -"24" [label="{requests.sessions.Session|adapters : OrderedDict\lauth : NoneType\lcert : NoneType\lcookies : NoneType, RequestsCookieJar\lheaders : dict, CaseInsensitiveDict\lhooks\lmax_redirects : int\lparams : dict\lproxies : dict\lstream : bool\ltrust_env : bool\lverify : bool\l|close()\ldelete(url)\lget(url)\lget_adapter(url)\lhead(url)\lmerge_environment_settings(url, 
proxies, stream, verify, cert)\lmount(prefix, adapter)\loptions(url)\lpatch(url, data)\lpost(url, data, json)\lprepare_request(request)\lput(url, data)\lrequest(method, url, params, data, headers, cookies, files, auth, timeout, allow_redirects, proxies, hooks, stream, verify, cert, json)\lsend(request)\l}", shape="record"]; -"1" -> "7" [arrowhead="empty", arrowtail="none"]; -"2" -> "4" [arrowhead="empty", arrowtail="none"]; -"4" -> "9" [arrowhead="empty", arrowtail="none"]; -"7" -> "10" [arrowhead="empty", arrowtail="none"]; -"9" -> "10" [arrowhead="empty", arrowtail="none"]; -"11" -> "7" [arrowhead="empty", arrowtail="none"]; -"12" -> "9" [arrowhead="empty", arrowtail="none"]; -"13" -> "10" [arrowhead="empty", arrowtail="none"]; -"14" -> "7" [arrowhead="empty", arrowtail="none"]; -"15" -> "20" [arrowhead="empty", arrowtail="none"]; -"16" -> "21" [arrowhead="empty", arrowtail="none"]; -"17" -> "21" [arrowhead="empty", arrowtail="none"]; -"18" -> "14" [arrowhead="empty", arrowtail="none"]; -"19" -> "20" [arrowhead="empty", arrowtail="none"]; -"20" -> "4" [arrowhead="empty", arrowtail="none"]; -"22" -> "7" [arrowhead="empty", arrowtail="none"]; -"23" -> "9" [arrowhead="empty", arrowtail="none"]; -"0" -> "4" [arrowhead="diamond", arrowtail="none", fontcolor="green", label="start_time", style="solid"]; -"0" -> "4" [arrowhead="diamond", arrowtail="none", fontcolor="green", label="end_time", style="solid"]; -"3" -> "6" [arrowhead="diamond", arrowtail="none", fontcolor="green", label="config", style="solid"]; -"6" -> "10" [arrowhead="diamond", arrowtail="none", fontcolor="green", label="nitro", style="solid"]; -"24" -> "6" [arrowhead="diamond", arrowtail="none", fontcolor="green", label="session", style="solid"]; -"24" -> "6" [arrowhead="diamond", arrowtail="none", fontcolor="green", label="session", style="solid"]; -} diff --git a/classes.vcg b/classes.vcg deleted file mode 100644 index 24c0b6c..0000000 --- a/classes.vcg +++ /dev/null 
@@ -1,180 +0,0 @@ -graph:{ - title:"classes" - layoutalgorithm:dfs - late_edge_labels:yes - port_sharing:no - manhattan_edges:yes - node: {title:"0" label:"\fbdatetime.datetime\fn\n\f___________________\n\f08fold\n\f08hour\n\f08microsecond\n\f08minute\n\f08second\n\f08tzinfo\n\f___________________\n\f10astimezone()\n\f10combine()\n\f10ctime()\n\f10date()\n\f10dst()\n\f10fromisoformat()\n\f10fromtimestamp()\n\f10isoformat()\n\f10now()\n\f10replace()\n\f10strptime()\n\f10time()\n\f10timestamp()\n\f10timetuple()\n\f10timetz()\n\f10tzname()\n\f10utcfromtimestamp()\n\f10utcnow()\n\f10utcoffset()\n\f10utctimetuple()" - shape:box -} - node: {title:"1" label:"\fbmsiempy.alarm.Alarm\fn\n\f__________________________________\n\f08ALARM_DEFAULT_FIELDS : list\n\f08ALARM_EVENT_FILTER_FIELDS : list\n\f08ALARM_FIELDS_MAP : dict\n\f08POSSIBLE_ALARM_STATUS : list\n\f__________________________________\n\f10acknowledge()\n\f10ceate_case()\n\f10data_from_id()\n\f10delete()\n\f10get_id()\n\f10load_details()\n\f10load_events()\n\f10map_alarm_int_fields()\n\f10refresh()\n\f10unacknowledge()" - shape:box -} - node: {title:"2" label:"\fbmsiempy.alarm.AlarmManager\fn\n\f____________________________\n\f08data\n\f08event_filters\n\f08event_filters : NoneType\n\f08page_size : int\n\f08status_filter\n\f08status_filter : str\n\f____________________________\n\f10add_event_filter()\n\f10add_filter()\n\f10clear_filters()\n\f10load_data()\n\f10qry_load_data()" - shape:box -} - node: {title:"3" label:"\fbmsiempy.core.config.NitroConfig\fn\n\f_________________________________\n\f08CONFIG_FILE_NAME : str\n\f08CONF_DIR : str\n\f08DEFAULT_CONF_DICT : dict\n\f08host\n\f08logfile\n\f08passwd\n\f08quiet\n\f08ssl_verify\n\f08timeout\n\f08user\n\f08verbose\n\f_________________________________\n\f10find_ini_location()\n\f10iset()\n\f10write()" - shape:box -} - node: {title:"4" label:"\fbmsiempy.core.query.FilteredQueryList\fn\n\f______________________________________\n\f08DEFAULT_TIME_RANGE : 
str\n\f08POSSIBLE_TIME_RANGE : list\n\f08end_time\n\f08end_time : NoneType\n\f08filters\n\f08filters : NoneType\n\f08not_completed : bool\n\f08start_time\n\f08start_time : NoneType\n\f08time_range\n\f08time_range : str, NoneType\n\f______________________________________\n\f10add_filter()\n\f10clear_filters()\n\f10load_data()\n\f10qry_load_data()" - shape:box -} - node: {title:"5" label:"\fb\f09msiempy.core.session.NitroError\fn\n\f_________________________________" - shape:box -} - node: {title:"6" label:"\fbmsiempy.core.session.NitroSession\fn\n\f___________________________________\n\f08BASE_URL : str\n\f08BASE_URL_PRIV : str\n\f08PARAMS : dict\n\f08api_v : int\n\f08config : NoneType\n\f08esm_v : str\n\f08logged_in : bool\n\f08login_info : dict\n\f08session\n\f08user_tz_id : NoneType\n\f___________________________________\n\f10api_request()\n\f10buildstamp()\n\f10esm_request()\n\f10get_internal_file()\n\f10login()\n\f10logout()\n\f10request()\n\f10version()" - shape:box -} - node: {title:"7" label:"\fbmsiempy.core.types.NitroDict\fn\n\f______________________________\n\f08data : NoneType\n\f08json\n\f08text\n\f______________________________\n\f10data_from_id()\n\f10get_id()" - shape:box -} - node: {title:"8" label:"\fbmsiempy.core.types.NitroJSONEncoder\fn\n\f_____________________________________\n\f10default()" - shape:box -} - node: {title:"9" label:"\fbmsiempy.core.types.NitroList\fn\n\f______________________________\n\f08json\n\f08text\n\f______________________________\n\f10get_text()\n\f10keys()\n\f10perform()\n\f10refresh()\n\f10search()" - shape:box -} - node: {title:"10" label:"\fbmsiempy.core.types.NitroObject\fn\n\f________________________________\n\f08json\n\f08nitro\n\f08text\n\f________________________________\n\f10refresh()" - shape:box -} - node: {title:"11" label:"\fbmsiempy.device.DataSource\fn\n\f___________________________\n\f10data_from_id()\n\f10delete()\n\f10delete_client()\n\f10get_id()\n\f10load_details()\n\f10refresh()" - shape:box -} - 
node: {title:"12" label:"\fbmsiempy.device.DevTree\fn\n\f________________________\n\f08data : NoneType\n\f08devicetree : list\n\f________________________\n\f10add()\n\f10add_client()\n\f10build_devtree()\n\f10duplicate_datasource()\n\f10recs()\n\f10refresh()\n\f10search()\n\f10search_ds_group()" - shape:box -} - node: {title:"13" label:"\fbmsiempy.device.ESM\fn\n\f____________________\n\f08json\n\f08text\n\f____________________\n\f10backup_status()\n\f10buildstamp()\n\f10callhome()\n\f10disks()\n\f10get_alerts()\n\f10ram()\n\f10recs()\n\f10refresh()\n\f10rules_history()\n\f10rules_status()\n\f10status()\n\f10time()\n\f10timezones()\n\f10type_id_to_venmod()\n\f10tz_id_to_name()\n\f10tz_name_to_id()\n\f10tz_offsets()\n\f10venmod_to_type_id()\n\f10version()" - shape:box -} - node: {title:"14" label:"\fbmsiempy.event.Event\fn\n\f__________________________________________________\n\f08DEFAULTS_EVENT_FIELDS : list\n\f08FIELDS_TABLES : list\n\f08REGULAR_EVENT_FIELDS : list\n\f08SIEM_FIELDS_MAP_INTERNAL_NAME_TO_NICKNAME : dict\n\f08SIEM_FIELDS_MAP_NICKNAME_TO_INTERNAL_NAME : dict\n\f08data\n\f__________________________________________________\n\f10clear_notes()\n\f10data_from_id()\n\f10get_id()\n\f10refresh()\n\f10set_note()" - shape:box -} - node: {title:"15" label:"\fbmsiempy.event.EventManager\fn\n\f____________________________\n\f08POSSBILE_ROW_ORDER : list\n\f08data\n\f08fields : list\n\f08limit : int\n\f08not_completed : bool\n\f08order\n\f08order : NoneType\n\f08start_time\n\f____________________________\n\f10clear_filters()\n\f10get_possible_fields()\n\f10get_possible_filters()\n\f10load_data()\n\f10qry_load_data()" - shape:box -} - node: {title:"16" label:"\fbmsiempy.event.FieldFilter\fn\n\f_____________________________\n\f08DOCUMENTED_FILTERS : list\n\f08POSSIBLE_OPERATORS : list\n\f08POSSIBLE_VALUE_TYPES : list\n\f08data : dict\n\f08name\n\f08operator\n\f08operator : 
str\n\f08values\n\f08values\n\f_____________________________\n\f10add_basic_value()\n\f10add_value()" - shape:box -} - node: {title:"17" label:"\fbmsiempy.event.GroupFilter\fn\n\f___________________________\n\f08data : dict\n\f___________________________" - shape:box -} - node: {title:"18" label:"\fbmsiempy.event.GroupedEvent\fn\n\f__________________________________________________\n\f08SIEM_FIELDS_MAP_NICKNAME_TO_INTERNAL_NAME : dict\n\f__________________________________________________" - shape:box -} - node: {title:"19" label:"\fbmsiempy.event.GroupedEventManager\fn\n\f___________________________________\n\f08data\n\f08field : NoneType\n\f___________________________________\n\f10clear_filters()\n\f10load_data()\n\f10qry_load_data()" - shape:box -} - node: {title:"20" label:"\fbmsiempy.event._QueryExecuteManager\fn\n\f____________________________________\n\f10add_filter()\n\f10get_field_nickname()" - shape:box -} - node: {title:"21" label:"\fbmsiempy.event._QueryFilter\fn\n\f____________________________" - shape:box -} - node: {title:"22" label:"\fbmsiempy.watchlist.Watchlist\fn\n\f_____________________________\n\f10add_values()\n\f10data_from_id()\n\f10get_id()\n\f10load_details()\n\f10load_values()\n\f10refresh()\n\f10remove_values()" - shape:box -} - node: {title:"23" label:"\fbmsiempy.watchlist.WatchlistManager\fn\n\f____________________________________\n\f08data : NoneType\n\f____________________________________\n\f10add()\n\f10get_watchlist_summary()\n\f10get_wl_types()\n\f10load_details()\n\f10refresh()\n\f10remove()" - shape:box -} - node: {title:"24" label:"\fbrequests.sessions.Session\fn\n\f_______________________________________\n\f08adapters : OrderedDict\n\f08auth : NoneType\n\f08cert : NoneType\n\f08cookies : RequestsCookieJar, NoneType\n\f08headers : dict, CaseInsensitiveDict\n\f08hooks\n\f08max_redirects : int\n\f08params : dict\n\f08proxies : dict\n\f08stream : bool\n\f08trust_env : bool\n\f08verify : 
bool\n\f_______________________________________\n\f10close()\n\f10delete()\n\f10get()\n\f10get_adapter()\n\f10head()\n\f10merge_environment_settings()\n\f10mount()\n\f10options()\n\f10patch()\n\f10post()\n\f10prepare_request()\n\f10put()\n\f10request()\n\f10send()" - shape:box -} - edge: {sourcename:"1" targetname:"7" arrowstyle:solid - backarrowstyle:none - backarrowsize:10 -} - edge: {sourcename:"2" targetname:"4" arrowstyle:solid - backarrowstyle:none - backarrowsize:10 -} - edge: {sourcename:"4" targetname:"9" arrowstyle:solid - backarrowstyle:none - backarrowsize:10 -} - edge: {sourcename:"7" targetname:"10" arrowstyle:solid - backarrowstyle:none - backarrowsize:10 -} - edge: {sourcename:"9" targetname:"10" arrowstyle:solid - backarrowstyle:none - backarrowsize:10 -} - edge: {sourcename:"11" targetname:"7" arrowstyle:solid - backarrowstyle:none - backarrowsize:10 -} - edge: {sourcename:"12" targetname:"9" arrowstyle:solid - backarrowstyle:none - backarrowsize:10 -} - edge: {sourcename:"13" targetname:"10" arrowstyle:solid - backarrowstyle:none - backarrowsize:10 -} - edge: {sourcename:"14" targetname:"7" arrowstyle:solid - backarrowstyle:none - backarrowsize:10 -} - edge: {sourcename:"15" targetname:"20" arrowstyle:solid - backarrowstyle:none - backarrowsize:10 -} - edge: {sourcename:"16" targetname:"21" arrowstyle:solid - backarrowstyle:none - backarrowsize:10 -} - edge: {sourcename:"17" targetname:"21" arrowstyle:solid - backarrowstyle:none - backarrowsize:10 -} - edge: {sourcename:"18" targetname:"14" arrowstyle:solid - backarrowstyle:none - backarrowsize:10 -} - edge: {sourcename:"19" targetname:"20" arrowstyle:solid - backarrowstyle:none - backarrowsize:10 -} - edge: {sourcename:"20" targetname:"4" arrowstyle:solid - backarrowstyle:none - backarrowsize:10 -} - edge: {sourcename:"22" targetname:"7" arrowstyle:solid - backarrowstyle:none - backarrowsize:10 -} - edge: {sourcename:"23" targetname:"9" arrowstyle:solid - backarrowstyle:none - backarrowsize:10 
-} - edge: {sourcename:"0" targetname:"4" label:"start_time" - arrowstyle:solid - backarrowstyle:none - textcolor:green -} - edge: {sourcename:"0" targetname:"4" label:"end_time" - arrowstyle:solid - backarrowstyle:none - textcolor:green -} - edge: {sourcename:"3" targetname:"6" label:"config" - arrowstyle:solid - backarrowstyle:none - textcolor:green -} - edge: {sourcename:"6" targetname:"10" label:"nitro" - arrowstyle:solid - backarrowstyle:none - textcolor:green -} - edge: {sourcename:"24" targetname:"6" label:"session" - arrowstyle:solid - backarrowstyle:none - textcolor:green -} - edge: {sourcename:"24" targetname:"6" label:"session" - arrowstyle:solid - backarrowstyle:none - textcolor:green -} -} diff --git a/packages.dot b/packages.dot deleted file mode 100644 index 4cb0fa8..0000000 --- a/packages.dot +++ /dev/null 
@@ -1,43 +0,0 @@ -digraph "packages" { -charset="utf-8" -rankdir=BT -"0" [label="msiempy", shape="box"]; -"1" [label="msiempy.__utils__", shape="box"]; -"2" [label="msiempy.__version__", shape="box"]; -"3" [label="msiempy.alarm", shape="box"]; -"4" [label="msiempy.core", shape="box"]; -"5" [label="msiempy.core.config", shape="box"]; -"6" [label="msiempy.core.query", shape="box"]; -"7" [label="msiempy.core.session", shape="box"]; -"8" [label="msiempy.core.types", shape="box"]; -"9" [label="msiempy.core.utils", shape="box"]; -"10" [label="msiempy.device", shape="box"]; -"11" [label="msiempy.event", shape="box"]; -"12" [label="msiempy.watchlist", shape="box"]; -"0" -> "3" [arrowhead="open", arrowtail="none"]; -"0" -> "4" [arrowhead="open", arrowtail="none"]; -"0" -> "10" [arrowhead="open", arrowtail="none"]; -"0" -> "11" [arrowhead="open", arrowtail="none"]; -"0" -> "12" [arrowhead="open", arrowtail="none"]; -"1" -> "9" [arrowhead="open", arrowtail="none"]; -"3" -> "4" [arrowhead="open", arrowtail="none"]; -"3" -> "9" [arrowhead="open", arrowtail="none"]; -"3" -> "11" [arrowhead="open", arrowtail="none"]; -"4" -> "5" [arrowhead="open", arrowtail="none"]; -"4" -> "6" [arrowhead="open", arrowtail="none"]; -"4" -> "7" [arrowhead="open", arrowtail="none"]; -"4" -> "8" [arrowhead="open", arrowtail="none"]; -"5" -> "9" [arrowhead="open", arrowtail="none"]; -"6" -> "8" [arrowhead="open", arrowtail="none"]; -"6" -> "9" [arrowhead="open", arrowtail="none"]; -"7" -> "5" [arrowhead="open", arrowtail="none"]; -"7" -> "9" [arrowhead="open", arrowtail="none"]; -"8" -> "7" [arrowhead="open", arrowtail="none"]; -"8" -> "9" [arrowhead="open", arrowtail="none"]; -"10" -> "4" [arrowhead="open", arrowtail="none"]; -"10" -> "9" [arrowhead="open", arrowtail="none"]; -"11" -> "4" [arrowhead="open", arrowtail="none"]; -"11" -> "9" [arrowhead="open", arrowtail="none"]; -"11" -> "10" [arrowhead="open", arrowtail="none"]; -"12" -> "4" [arrowhead="open", arrowtail="none"]; -} 
diff --git a/packages.vcg b/packages.vcg deleted file mode 100644 index cc33e20..0000000 --- a/packages.vcg +++ /dev/null 
@@ -1,150 +0,0 @@ -graph:{ - title:"packages" - layoutalgorithm:dfs - late_edge_labels:yes - port_sharing:no - manhattan_edges:yes - node: {title:"0" label:"\fbmsiempy\fn" - shape:box -} - node: {title:"1" label:"\fbmsiempy.__utils__\fn" - shape:box -} - node: {title:"2" label:"\fbmsiempy.__version__\fn" - shape:box -} - node: {title:"3" label:"\fbmsiempy.alarm\fn" - shape:box -} - node: {title:"4" label:"\fbmsiempy.core\fn" - shape:box -} - node: {title:"5" label:"\fbmsiempy.core.config\fn" - shape:box -} - node: {title:"6" label:"\fbmsiempy.core.query\fn" - shape:box -} - node: {title:"7" label:"\fbmsiempy.core.session\fn" - shape:box -} - node: {title:"8" label:"\fbmsiempy.core.types\fn" - shape:box -} - node: {title:"9" label:"\fbmsiempy.core.utils\fn" - shape:box -} - node: {title:"10" label:"\fbmsiempy.device\fn" - shape:box -} - node: {title:"11" label:"\fbmsiempy.event\fn" - shape:box -} - node: {title:"12" label:"\fbmsiempy.watchlist\fn" - shape:box -} - edge: {sourcename:"0" targetname:"3" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"0" targetname:"4" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"0" targetname:"10" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"0" targetname:"11" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"0" targetname:"12" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"1" targetname:"9" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"3" targetname:"4" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"3" targetname:"9" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"3" targetname:"11" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"4" targetname:"5" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"4" 
targetname:"6" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"4" targetname:"7" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"4" targetname:"8" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"5" targetname:"9" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"6" targetname:"8" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"6" targetname:"9" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"7" targetname:"5" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"7" targetname:"9" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"8" targetname:"7" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"8" targetname:"9" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"10" targetname:"4" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"10" targetname:"9" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"11" targetname:"4" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"11" targetname:"9" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"11" targetname:"10" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} - edge: {sourcename:"12" targetname:"4" arrowstyle:solid - backarrowstyle:none - backarrowsize:0 -} -} diff --git a/val.txt b/val.txt deleted file mode 100644 index b48c99e..0000000 --- a/val.txt +++ /dev/null @@ -1,4 +0,0 @@ -::0 -1.1.1.1 -2.2.2.2 -127.0.0.1 From bd62e3b8025ee320dbb2e9edfd3191739267ef92 Mon Sep 17 00:00:00 2001 From: tristanlatr Date: Sun, 4 Oct 2020 15:15:36 -0400 Subject: [PATCH 08/14] revert --- msiempy/__init__.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) 
diff --git a/msiempy/__init__.py b/msiempy/__init__.py index 767cc05..7e773ba 100644 --- a/msiempy/__init__.py +++ b/msiempy/__init__.py @@ -1,6 +1,5 @@ # -*- coding: utf-8 -*- -__pdoc__= {} -__pdoc__['msiempy']=""" +""" Welcome to the **msiempy** library documentation. The pythonic way to deal with McAfee SIEM API. Head out to one of the sub-modules to see objects definitions or scroll down for general documentation. @@ -265,5 +264,4 @@ GroupedEvent, ) from .watchlist import Watchlist, WatchlistManager -from .__version__ import __version__ as VERSION -__pdoc__['msiempy.VERSION'] = "msiempy {}".format(VERSION) \ No newline at end of file +from .__version__ import __version__ as VERSION \ No newline at end of file From 112f2d262e645fff5438abfeac72a32907766f38 Mon Sep 17 00:00:00 2001 From: tristanlatr Date: Sun, 4 Oct 2020 15:49:05 -0400 Subject: [PATCH 09/14] Chenge steps names --- .github/workflows/publish-test-docs-only.yml | 2 +- .github/workflows/publish.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish-test-docs-only.yml b/.github/workflows/publish-test-docs-only.yml index a8401d3..6c8972c 100644 --- a/.github/workflows/publish-test-docs-only.yml +++ b/.github/workflows/publish-test-docs-only.yml @@ -48,7 +48,7 @@ jobs: mv ./packages.png ./mfesiem.github.io/docs/test/msiempy set -e - - name: Publish test documentation to https://mfesiem.github.io/docs/test/msiempy/index.html + - name: Publish documentation to mfesiem.github.io/docs/test/msiempy uses: peaceiris/actions-gh-pages@v3 with: deploy_key: ${{ secrets.MFESIEM_GITHUB_IO_PRIVATE_KEY }} diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 49df2b1..b5e86a3 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -60,7 +60,7 @@ jobs: mv ./classes.png ./mfesiem.github.io/docs/msiempy mv ./packages.png ./mfesiem.github.io/docs/msiempy - - name: Publish documentation to https://mfesiem.github.io/docs/msiempy/index.html + - name: Publish documentation to mfesiem.github.io/docs/msiempy uses: peaceiris/actions-gh-pages@v3 with: deploy_key: ${{ secrets.MFESIEM_GITHUB_IO_PRIVATE_KEY }} From 3bbef5bb6718cbe159480cb92d04626eb39e94f4 Mon Sep 17 00:00:00 2001 From: tristanlatr Date: Sun, 4 Oct 2020 16:38:03 -0400 Subject: [PATCH 10/14] Feature #83 Consider the AlarmManager events filter matching if any triggering event match all passed filters Implement a couple tests --- msiempy/alarm.py | 25 +- tests/local/test-alarms.json | 129890 ++++++++++++++++++++++++++++++++ tests/local/test_alarm.py | 31 + 3 files changed, 129935 insertions(+), 11 deletions(-) create mode 100644 tests/local/test-alarms.json create mode 100644 tests/local/test_alarm.py diff --git a/msiempy/alarm.py b/msiempy/alarm.py index d707d62..3572383 100644 --- a/msiempy/alarm.py +++ b/msiempy/alarm.py @@ -342,20 +342,23 @@ def _alarm_match(self, alarm): def _event_match(self, alarm): """ - Internal filter method that is going to return True if the passed alarm match all event related filters. + Internal filter method that is going to return True if any triggering event match all passed event filters. """ match = True - for event_filter in self._event_filters: - match = False - try: - value = str(alarm["events"][0][event_filter[0]]) - except KeyError: - break - for filter_value in event_filter[1]: - if regex_match(filter_value.lower(), value.lower()): - match = True + for event in alarm["events"]: + for event_filter in self._event_filters: + match = False + try: + value = str(event[event_filter[0]]) + except KeyError: break - if not match: + for filter_value in event_filter[1]: + if regex_match(filter_value.lower(), value.lower()): + match = True + break + if not match: + break + if match: break return match 
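Review bot: In `_event_match`, `match` starts as `True` and is only set to `False` inside the per-event loop, so an alarm whose `events` list is empty now satisfies every configured event filter and is kept, whereas the old index-based code raised `IndexError` on that case rather than silently matching. Initialising from the filter list fixes it: `match = not self._event_filters`. The new outer loop also reads `alarm["events"]` outside the `try`, so an alarm without that key now propagates `KeyError` where the previous version caught it and treated the alarm as a non-match; `for event in alarm.get("events") or []:` keeps that outcome. Both points are inferred from the hunk alone; the enclosing class is outside it.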
diff --git a/tests/local/test-alarms.json b/tests/local/test-alarms.json
new file mode 100644
index 0000000..e0e922c
--- /dev/null
+++ b/tests/local/test-alarms.json
@@ -0,0 +1,129890 @@ +[ + { + "id": { + "value": 17194 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 21:48:06", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16935", + "ruleMessage": "User Logon", + "sourceIp": "40.70.244.77", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 21:47:33", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 21:47:33", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.244.77", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16935, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16934", + "ruleMessage": "User Logon", + "sourceIp": "40.70.244.77", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 21:47:30", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 21:47:30", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.244.77", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16934, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16933", + "ruleMessage": "User Logon", + "sourceIp": "40.70.244.77", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 21:47:29", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 21:47:29", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.244.77", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16933, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16932", + "ruleMessage": "User Logon", + "sourceIp": "40.70.244.77", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 21:47:18", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 21:47:18", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.244.77", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16932, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17193 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 21:47:06", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16928", + "ruleMessage": "User Logon", + "sourceIp": "40.70.244.77", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 21:45:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 21:45:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.244.77", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16928, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 21:47:10 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17192 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 21:40:06", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16915", + "ruleMessage": "User Logon", + "sourceIp": "13.68.22.183", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 21:39:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 21:39:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "13.68.22.183", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16915, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16914", + "ruleMessage": "User Logon", + "sourceIp": "13.68.22.183", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 21:39:10", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 21:39:10", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "13.68.22.183", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16914, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16912", + "ruleMessage": "User Logon", + "sourceIp": "13.68.22.183", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 21:39:09", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 21:39:09", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "13.68.22.183", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16912, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16913", + "ruleMessage": "User Logon", + "sourceIp": "13.68.22.183", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 21:39:09", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 21:39:09", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "13.68.22.183", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16913, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17191 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 21:38:36", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16906", + "ruleMessage": "User Logon", + "sourceIp": "13.68.22.183", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 21:38:04", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 21:38:04", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "13.68.22.183", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16906, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 21:38:41 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16905", + "ruleMessage": "User Logon", + "sourceIp": "13.68.22.183", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 21:38:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 21:38:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "13.68.22.183", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16905, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 21:38:42 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16904", + "ruleMessage": "User Logon", + "sourceIp": "13.68.22.183", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 21:37:59", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 21:37:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "13.68.22.183", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16904, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17190 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 21:37:36", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16896", + "ruleMessage": "User Logon", + "sourceIp": "13.68.22.183", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 21:36:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 21:36:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "13.68.22.183", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16896, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17189 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 19:41:01", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16883", + "ruleMessage": "User Logon", + "sourceIp": "52.184.166.142", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:40:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:40:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.184.166.142", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16883, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16882", + "ruleMessage": "User Logon", + "sourceIp": "52.184.166.142", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:39:40", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:39:40", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.184.166.142", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16882, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17188 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 19:38:31", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16880", + "ruleMessage": "User Logon", + "sourceIp": "52.184.166.142", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:37:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:37:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.184.166.142", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16880, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17187 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 19:32:00", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16867", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:30:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:30:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16867, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16865", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:30:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:30:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16865, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17186 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 19:30:30", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16863", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:29:18", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:29:18", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16863, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16864", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:29:18", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:29:18", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16864, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17185 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 19:29:00", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16861", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:28:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:28:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16861, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 19:30:04 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17184 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 19:26:30", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16837", + "ruleMessage": "User Logon", + "sourceIp": "40.123.53.173", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:25:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:25:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.123.53.173", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16837, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16835", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.141", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:25:48", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:25:48", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.141", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16835, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16836", + "ruleMessage": "User Logon", + "sourceIp": "40.123.53.173", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:25:48", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:25:48", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.123.53.173", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16836, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16834", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.141", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:25:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:25:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.141", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16834, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16833", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.141", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:25:22", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:25:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.141", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16833, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16832", + "ruleMessage": "User Logon", + "sourceIp": "40.123.53.173", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:25:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:25:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.123.53.173", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16832, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16831", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.141", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:25:13", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:25:13", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.141", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16831, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16829", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.141", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:25:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:25:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.141", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16829, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16830", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.141", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:25:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:25:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.141", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16830, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17183 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 19:24:30", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16817", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.141", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:24:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:24:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.141", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16817, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 19:24:48 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16815", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.141", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:23:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:23:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.141", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16815, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 19:24:49 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16816", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.141", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:23:59", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:23:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.141", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16816, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17182 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 19:23:30", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16806", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.141", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:22:29", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:22:29", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.141", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16806, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 19:24:06 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16805", + "ruleMessage": "User Logon", + "sourceIp": "40.123.53.173", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:21:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:21:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.123.53.173", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16805, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 19:24:07 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17181 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 19:09:59", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16794", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:08:57", + "eventSubType": "success", + "protocol": "n/a", 
+ "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:08:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16794, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16793", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:08:46", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:08:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16793, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16792", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:08:40", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:08:40", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16792, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16791", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:08:35", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:08:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16791, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16788", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:08:31", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:08:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16788, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16789", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:08:31", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:08:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16789, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16790", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:08:31", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:08:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16790, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16787", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:08:26", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:08:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16787, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16785", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:08:23", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:08:23", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16785, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16786", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:08:23", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:08:23", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16786, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17180 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 19:07:29", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16772", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:06:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:06:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16772, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 19:07:56 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16771", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:06:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:06:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16771, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 19:07:57 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16769", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:06:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:06:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category 
indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16769, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16770", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:06:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:06:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category 
indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16770, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16768", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:05:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:05:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category 
indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16768, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16766", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:05:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:05:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category 
indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16766, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16767", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:05:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:05:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category 
indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16767, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16765", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:05:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:05:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category 
indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16765, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17179 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 19:04:29", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16740", + "ruleMessage": "User Logon", + "sourceIp": "23.96.56.255", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:03:46", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:03:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "23.96.56.255", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16740, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 19:05:29 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16741", + "ruleMessage": "User Logon", + "sourceIp": "23.96.56.255", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:03:46", + "eventSubType": 
"success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:03:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "23.96.56.255", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16741, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 19:05:30 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16738", + "ruleMessage": "User Logon", + "sourceIp": "23.96.56.255", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 
19:03:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:03:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "23.96.56.255", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16738, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16739", + "ruleMessage": "User Logon", + "sourceIp": "23.96.56.255", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 
19:03:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:03:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "23.96.56.255", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16739, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16734", + "ruleMessage": "User Logon", + "sourceIp": "23.96.56.255", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 
19:03:23", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:03:23", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "23.96.56.255", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16734, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16733", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 
19:03:22", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:03:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16733, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16732", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 
19:03:20", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:03:20", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16732, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16730", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 
19:03:17", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:03:17", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16730, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16729", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 
19:03:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:03:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16729, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16728", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 
19:03:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:03:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16728, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 
1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17178 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 19:03:59", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16705", + "ruleMessage": "User Logon", + "sourceIp": "23.96.56.255", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:02:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:02:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "23.96.56.255", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16705, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16704", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:02:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:02:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16704, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16703", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:01:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:01:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16703, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16702", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:01:52", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:01:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16702, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16701", + "ruleMessage": "User Logon", + "sourceIp": "40.65.221.237", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:01:44", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:01:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.65.221.237", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16701, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16697", + "ruleMessage": "User Logon", + "sourceIp": "40.65.221.237", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:01:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:01:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.65.221.237", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16697, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16696", + "ruleMessage": "User Logon", + "sourceIp": "40.70.23.89", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:01:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:01:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.23.89", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16696, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16695", + "ruleMessage": "User Logon", + "sourceIp": "40.70.23.89", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:01:26", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:01:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.23.89", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16695, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16693", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:01:24", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:01:24", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16693, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16694", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 19:01:24", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 19:01:24", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16694, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17177 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 19:00:58", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16665", + "ruleMessage": "User Logon", + "sourceIp": "40.70.23.89", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:59:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:59:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.23.89", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16665, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 19:01:34 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16664", + "ruleMessage": "User Logon", + "sourceIp": "40.70.23.89", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:59:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:59:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.23.89", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16664, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 19:01:37 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16663", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:59:52", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:59:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16663, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16662", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:59:51", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:59:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16662, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16660", + "ruleMessage": "User Logon", + "sourceIp": "40.70.23.89", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:59:49", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:59:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.23.89", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16660, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16661", + "ruleMessage": "User Logon", + "sourceIp": "40.70.23.89", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:59:49", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:59:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.23.89", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16661, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16659", + "ruleMessage": "User Logon", + "sourceIp": "40.70.23.89", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:59:48", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:59:48", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.23.89", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16659, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16657", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:59:46", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:59:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16657, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16658", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:59:46", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:59:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16658, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16656", + "ruleMessage": "User Logon", + "sourceIp": "40.70.23.89", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:59:31", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:59:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.23.89", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16656, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17176 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 18:58:58", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16640", + "ruleMessage": "User Logon", + "sourceIp": "40.70.23.89", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:58:22", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:58:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.23.89", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16640, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 19:00:10 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16641", + "ruleMessage": "User Logon", + "sourceIp": "40.70.23.89", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:58:22", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:58:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.23.89", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging 
in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16641, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 19:00:13 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16638", + "ruleMessage": "User Logon", + "sourceIp": "40.65.221.237", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:57:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:57:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.65.221.237", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category 
indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16638, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17175 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 18:57:58", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16633", + "ruleMessage": "User Logon", + "sourceIp": "23.96.22.54", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:56:37", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:56:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "23.96.22.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16633, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16632", + "ruleMessage": "User Logon", + "sourceIp": "23.96.22.54", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:56:36", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:56:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "23.96.22.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16632, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16630", + "ruleMessage": "User Logon", + "sourceIp": "23.96.22.54", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:56:33", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:56:33", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "23.96.22.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16630, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16629", + "ruleMessage": "User Logon", + "sourceIp": "23.96.22.54", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:56:32", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:56:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "23.96.22.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16629, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16628", + "ruleMessage": "User Logon", + "sourceIp": "23.96.22.54", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:56:31", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:56:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "23.96.22.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16628, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17174 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 18:55:58", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16621", + "ruleMessage": "User Logon", + "sourceIp": "23.96.22.54", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:55:30", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:55:30", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "23.96.22.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16621, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16620", + "ruleMessage": "User Logon", + "sourceIp": "23.96.22.54", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:55:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:55:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "23.96.22.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16620, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16619", + "ruleMessage": "User Logon", + "sourceIp": "23.96.22.54", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:55:24", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:55:24", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "23.96.22.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16619, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16618", + "ruleMessage": "User Logon", + "sourceIp": "23.96.22.54", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:55:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:55:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "23.96.22.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16618, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16617", + "ruleMessage": "User Logon", + "sourceIp": "23.96.22.54", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:55:05", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:55:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "23.96.22.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16617, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16616", + "ruleMessage": "User Logon", + "sourceIp": "23.96.22.54", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:54:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:54:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "23.96.22.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16616, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17173 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 18:54:28", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16611", + "ruleMessage": "User Logon", + "sourceIp": "23.96.22.54", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:53:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:53:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "23.96.22.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16611, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 18:55:01 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17172 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 18:49:57", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16591", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:48:48", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:48:48", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16591, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17171 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 18:48:27", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16581", + "ruleMessage": "User Logon", + "sourceIp": "52.149.134.166", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:47:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:47:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.149.134.166", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16581, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 18:48:23 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16579", + "ruleMessage": "User Logon", + "sourceIp": "52.149.134.166", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:47:41", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:47:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.149.134.166", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16579, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 18:48:24 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16578", + "ruleMessage": "User Logon", + "sourceIp": "52.149.134.166", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:47:40", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:47:40", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.149.134.166", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16578, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17170 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 18:47:27", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16577", + "ruleMessage": "User Logon", + "sourceIp": "52.149.134.166", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:46:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:46:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.149.134.166", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16577, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 18:47:48 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16576", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:46:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:46:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16576, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 18:47:49 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17169 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 18:33:27", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16562", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:32:45", + "eventSubType": "success", + "protocol": "n/a", 
+ "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:32:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16562, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16561", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:32:34", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:32:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16561, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16560", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:32:17", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:32:17", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16560, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17168 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 18:31:57", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16546", + "ruleMessage": "User Logon", + "sourceIp": "52.177.123.97", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:31:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:31:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.123.97", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16546, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 18:32:12 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16545", + "ruleMessage": "User Logon", + "sourceIp": "52.177.123.97", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:30:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:30:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.123.97", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16545, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 18:32:13 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16544", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:30:38", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:30:38", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category 
indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16544, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17167 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 18:29:56", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16542", + "ruleMessage": "User Logon", + "sourceIp": "52.177.123.97", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:28:22", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:28:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.123.97", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16542, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 18:30:08 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + 
"alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17166 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 18:19:26", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16523", + "ruleMessage": "User Logon", + "sourceIp": "52.177.123.36", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:17:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:17:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.123.36", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16523, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16522", + "ruleMessage": "User Logon", + "sourceIp": "52.177.123.36", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:16:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:16:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.123.36", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16522, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16520", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:16:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:16:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16520, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16521", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:16:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:16:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16521, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17165 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 18:16:26", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16500", + "ruleMessage": "User Logon", + "sourceIp": "52.177.123.36", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:15:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:15:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.123.36", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16500, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16501", + "ruleMessage": "User Logon", + "sourceIp": "52.177.123.36", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:15:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:15:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.123.36", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16501, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16502", + "ruleMessage": "User Logon", + "sourceIp": "52.177.123.36", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:15:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:15:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.123.36", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16502, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16499", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:15:30", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:15:30", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16499, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16498", + "ruleMessage": "User Logon", + "sourceIp": "52.177.123.36", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:14:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:14:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.123.36", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16498, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16497", + "ruleMessage": "User Logon", + "sourceIp": "52.177.123.36", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:14:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:14:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.123.36", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16497, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16496", + "ruleMessage": "User Logon", + "sourceIp": "52.177.123.36", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:14:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:14:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.123.36", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16496, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16495", + "ruleMessage": "User Logon", + "sourceIp": "52.177.123.36", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:14:31", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:14:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.123.36", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16495, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16494", + "ruleMessage": "User Logon", + "sourceIp": "52.177.123.36", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:14:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:14:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.123.36", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16494, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16493", + "ruleMessage": "User Logon", + "sourceIp": "52.177.123.36", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:14:26", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:14:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.123.36", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16493, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17164 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 18:12:25", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16459", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:11:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:11:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16459, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16457", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:11:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:11:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16457, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16458", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:11:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:11:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16458, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16453", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:11:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:11:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16453, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16454", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:11:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:11:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16454, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16452", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:11:31", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:11:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16452, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16451", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:11:30", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:11:30", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16451, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16449", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:11:29", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:11:29", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16449, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16450", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:11:29", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:11:29", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16450, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17163 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 18:11:25", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16424", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:09:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:09:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16424, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16422", + "ruleMessage": "User Logon", + "sourceIp": "40.87.108.218", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:09:44", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:09:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.87.108.218", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16422, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16423", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:09:44", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:09:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16423, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16420", + "ruleMessage": "User Logon", + "sourceIp": "40.87.108.218", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:09:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:09:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.87.108.218", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16420, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16421", + "ruleMessage": "User Logon", + "sourceIp": "40.87.108.218", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:09:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:09:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.87.108.218", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16421, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16418", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:09:40", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:09:40", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16418, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16419", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:09:40", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:09:40", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16419, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16416", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:09:38", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:09:38", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16416, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16415", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:09:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:09:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16415, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17162 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 18:09:25", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16396", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:08:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:08:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16396, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 18:09:07 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16394", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:08:33", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:08:33", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16394, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 18:09:10 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16395", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:08:33", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:08:33", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category 
indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16395, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16393", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:08:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:08:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category 
indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16393, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16392", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:08:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:08:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category 
indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16392, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16391", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:08:14", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:08:14", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category 
indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16391, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16389", + "ruleMessage": "User Logon", + "sourceIp": "40.87.108.218", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:07:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:07:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.87.108.218", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category 
indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16389, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16390", + "ruleMessage": "User Logon", + "sourceIp": "40.87.108.218", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:07:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:07:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.87.108.218", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category 
indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16390, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16388", + "ruleMessage": "User Logon", + "sourceIp": "40.87.108.218", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:07:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:07:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.87.108.218", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category 
indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16388, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16387", + "ruleMessage": "User Logon", + "sourceIp": "40.87.108.218", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:07:48", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:07:48", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.87.108.218", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category 
indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16387, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17161 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 18:06:54", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16359", + "ruleMessage": "User Logon", + "sourceIp": "52.146.46.75", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:05:55", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:05:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.146.46.75", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16359, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 18:08:51 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16358", + "ruleMessage": "User Logon", + "sourceIp": "52.188.67.152", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:05:51", + "eventSubType": 
"success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:05:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.188.67.152", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16358, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 18:08:55 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16357", + "ruleMessage": "User Logon", + "sourceIp": "40.87.108.218", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 
18:05:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:05:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.87.108.218", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16357, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16356", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 
18:05:18", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:05:18", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16356, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16354", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 
18:05:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:05:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16354, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16355", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 
18:05:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:05:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16355, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 
1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17160 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 18:01:24", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16346", + "ruleMessage": "User Logon", + "sourceIp": "104.209.168.217", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:00:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:00:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.209.168.217", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16346, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16345", + "ruleMessage": "User Logon", + "sourceIp": "13.77.69.176", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 18:00:33", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 18:00:33", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "13.77.69.176", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16345, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17159 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 17:59:54", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16343", + "ruleMessage": "User Logon", + "sourceIp": "104.209.168.217", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 17:59:04", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + 
"id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 17:59:04", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.209.168.217", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16343, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 18:00:21 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17158 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 17:56:53", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16339", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 17:55:57", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 17:55:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16339, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17157 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 17:53:53", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16337", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 17:52:24", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 17:52:24", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16337, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17156 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 17:48:23", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16335", + "ruleMessage": "User Logon", + "sourceIp": "40.84.22.4", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 17:47:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 17:47:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.84.22.4", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16335, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17155 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 17:46:23", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16332", + "ruleMessage": "User Logon", + "sourceIp": "104.211.60.222", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 17:45:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 17:45:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.211.60.222", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16332, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16331", + "ruleMessage": "User Logon", + "sourceIp": "104.211.60.222", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 17:45:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 17:45:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.211.60.222", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16331, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16329", + "ruleMessage": "User Logon", + "sourceIp": "104.211.60.222", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 17:45:40", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 17:45:40", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.211.60.222", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16329, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16328", + "ruleMessage": "User Logon", + "sourceIp": "104.211.60.222", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 17:45:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 17:45:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.211.60.222", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16328, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16327", + "ruleMessage": "User Logon", + "sourceIp": "104.211.60.222", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 17:45:38", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 17:45:38", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.211.60.222", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16327, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16325", + "ruleMessage": "User Logon", + "sourceIp": "104.211.60.222", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 17:45:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 17:45:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.211.60.222", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16325, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16326", + "ruleMessage": "User Logon", + "sourceIp": "104.211.60.222", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 17:45:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 17:45:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.211.60.222", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16326, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17154 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 17:44:53", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16318", + "ruleMessage": "User Logon", + "sourceIp": "104.211.60.222", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 17:44:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 17:44:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.211.60.222", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16318, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16315", + "ruleMessage": "User Logon", + "sourceIp": "104.211.60.222", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 17:43:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 17:43:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.211.60.222", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16315, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16316", + "ruleMessage": "User Logon", + "sourceIp": "104.211.60.222", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 17:43:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 17:43:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.211.60.222", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16316, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16313", + "ruleMessage": "User Logon", + "sourceIp": "104.211.60.222", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 17:43:31", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 17:43:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.211.60.222", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16313, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16314", + "ruleMessage": "User Logon", + "sourceIp": "104.211.60.222", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 17:43:31", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 17:43:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.211.60.222", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16314, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17153 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 17:43:23", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16308", + "ruleMessage": "User Logon", + "sourceIp": "104.211.60.222", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 17:42:31", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 17:42:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.211.60.222", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16308, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-03 17:44:11 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17152 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 16:30:20", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16306", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 16:29:04", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 16:29:04", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16306, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17151 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 16:26:20", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16304", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 16:25:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 16:25:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16304, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17150 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 15:37:48", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16299", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:37:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:37:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16299, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16298", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:36:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:36:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16298, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16297", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:36:52", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:36:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16297, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16296", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:36:44", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:36:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16296, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16295", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:36:40", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:36:40", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16295, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16294", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:36:20", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:36:20", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16294, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16293", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:36:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:36:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16293, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16292", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:36:10", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:36:10", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16292, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16291", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:36:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:36:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16291, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17149 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 15:35:18", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16287", + "ruleMessage": "User Logon", + "sourceIp": "137.116.33.174", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:34:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:34:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "137.116.33.174", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16287, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16285", + "ruleMessage": "User Logon", + "sourceIp": "52.167.156.207", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:34:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:34:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.156.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16285, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16286", + "ruleMessage": "User Logon", + "sourceIp": "137.116.33.174", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:34:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:34:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "137.116.33.174", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16286, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16284", + "ruleMessage": "User Logon", + "sourceIp": "52.167.156.207", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:34:44", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:34:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.156.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16284, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16283", + "ruleMessage": "User Logon", + "sourceIp": "52.186.150.139", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:34:23", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:34:23", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.186.150.139", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16283, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16282", + "ruleMessage": "User Logon", + "sourceIp": "52.229.14.108", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:34:22", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:34:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.229.14.108", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16282, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16281", + "ruleMessage": "User Logon", + "sourceIp": "52.186.150.139", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:34:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:34:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.186.150.139", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16281, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16280", + "ruleMessage": "User Logon", + "sourceIp": "52.229.14.108", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:34:19", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:34:19", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.229.14.108", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16280, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16279", + "ruleMessage": "User Logon", + "sourceIp": "52.250.70.92", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:33:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:33:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.250.70.92", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16279, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16278", + "ruleMessage": "User Logon", + "sourceIp": "52.250.70.92", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:33:52", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:33:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.250.70.92", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16278, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17148 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 15:24:17", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16276", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:23:10", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:23:10", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16276, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17147 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 15:19:47", + "acknowledgedDate": "10/03/2020 15:24:11", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16274", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 15:19:13", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 15:19:13", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16274, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17146 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/03/2020 13:35:43", + "acknowledgedDate": "10/03/2020 15:24:11", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16272", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 13:35:10", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 13:35:10", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16272, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16271", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/03/2020 13:34:57", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/03/2020 13:34:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16271, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17145 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/02/2020 16:13:19", + "acknowledgedDate": "10/03/2020 15:24:11", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16266", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/02/2020 16:12:17", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/02/2020 16:12:17", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16266, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16265", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/02/2020 16:12:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/02/2020 16:12:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16265, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16263", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/02/2020 16:12:13", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/02/2020 16:12:13", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16263, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17144 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/02/2020 16:11:49", + "acknowledgedDate": "10/03/2020 15:24:11", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16257", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/02/2020 16:11:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/02/2020 16:11:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16257, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16256", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/02/2020 16:11:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/02/2020 16:11:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16256, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16255", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/02/2020 16:10:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/02/2020 16:10:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16255, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16254", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/02/2020 16:10:48", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/02/2020 16:10:48", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16254, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17143 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/02/2020 16:10:19", + "acknowledgedDate": "10/03/2020 15:24:11", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16246", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/02/2020 16:09:10", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/02/2020 16:09:10", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16246, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-02 12:10:50 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17142 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 17:36:50", + "acknowledgedDate": "10/03/2020 15:24:12", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16244", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 17:35:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 17:35:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16244, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16243", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 17:35:29", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 17:35:29", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16243, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17141 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 17:34:50", + "acknowledgedDate": "10/03/2020 15:24:12", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16241", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 17:33:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 17:33:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16241, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17140 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 17:32:20", + "acknowledgedDate": "10/03/2020 15:24:12", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16236", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 17:31:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 17:31:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16236, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16235", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 17:31:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 17:31:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16235, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17139 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 16:58:18", + "acknowledgedDate": "10/03/2020 15:24:12", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16233", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 16:57:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 16:57:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16233, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17138 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 15:47:15", + "acknowledgedDate": "10/03/2020 15:24:12", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16229", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 15:46:30", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 15:46:30", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16229, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16228", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 15:46:13", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 15:46:13", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16228, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17137 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 15:46:15", + "acknowledgedDate": "10/03/2020 15:24:12", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16227", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 15:44:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 15:44:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16227, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17136 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 13:34:40", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16222", + "ruleMessage": "User Logon", + "sourceIp": "40.70.211.194", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 13:33:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 13:33:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.211.194", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16222, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16221", + "ruleMessage": "User Logon", + "sourceIp": "40.70.211.194", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 13:33:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 13:33:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.211.194", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16221, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16219", + "ruleMessage": "User Logon", + "sourceIp": "40.70.211.194", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 13:33:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 13:33:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.211.194", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16219, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16218", + "ruleMessage": "User Logon", + "sourceIp": "40.70.211.194", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 13:33:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 13:33:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.211.194", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16218, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16217", + "ruleMessage": "User Logon", + "sourceIp": "40.70.211.194", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 13:33:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 13:33:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.211.194", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16217, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16216", + "ruleMessage": "User Logon", + "sourceIp": "40.70.211.194", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 13:32:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 13:32:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.211.194", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16216, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17135 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 13:32:10", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16211", + "ruleMessage": "User Logon", + "sourceIp": "40.70.211.194", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 13:31:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 13:31:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.211.194", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16211, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16210", + "ruleMessage": "User Logon", + "sourceIp": "40.70.211.194", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 13:31:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 13:31:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.211.194", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16210, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16209", + "ruleMessage": "User Logon", + "sourceIp": "40.70.211.194", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 13:31:14", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 13:31:14", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.211.194", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16209, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16208", + "ruleMessage": "User Logon", + "sourceIp": "40.70.211.194", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 13:31:10", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 13:31:10", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.211.194", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16208, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16207", + "ruleMessage": "User Logon", + "sourceIp": "40.70.211.194", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 13:31:05", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 13:31:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.211.194", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16207, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16205", + "ruleMessage": "User Logon", + "sourceIp": "40.70.211.194", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 13:31:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 13:31:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.211.194", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16205, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16206", + "ruleMessage": "User Logon", + "sourceIp": "40.70.211.194", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 13:31:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 13:31:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.211.194", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16206, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16204", + "ruleMessage": "User Logon", + "sourceIp": "40.70.211.194", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 13:30:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 13:30:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.211.194", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16204, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16203", + "ruleMessage": "User Logon", + "sourceIp": "40.70.211.194", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 13:30:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 13:30:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.211.194", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16203, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16202", + "ruleMessage": "User Logon", + "sourceIp": "40.70.211.194", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 13:30:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 13:30:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.211.194", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16202, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17134 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 13:29:40", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16196", + "ruleMessage": "User Logon", + "sourceIp": "40.70.211.194", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 13:28:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 13:28:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.211.194", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16196, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17133 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 01:33:09", + "acknowledgedDate": "10/03/2020 15:24:12", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16194", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 01:31:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 01:31:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16194, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17132 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 01:30:09", + "acknowledgedDate": "10/03/2020 15:24:12", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16192", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 01:29:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 01:29:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16192, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16191", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 01:29:05", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 01:29:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16191, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16190", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 01:28:48", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 01:28:48", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16190, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16189", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 01:28:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 01:28:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "MacIntel", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or 
services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16189, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "8074999591345936839", + "formatedValue": "MacIntel" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17131 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 01:28:09", + "acknowledgedDate": "10/03/2020 15:24:12", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16187", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 01:27:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 01:27:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16187, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16186", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 01:27:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 01:27:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16186, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16185", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 01:27:04", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 01:27:04", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16185, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17130 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:55:38", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16174", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:54:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:54:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16174, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16172", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:54:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:54:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16172, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17129 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:54:08", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16171", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:52:41", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:52:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16171, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-01 00:54:13 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17128 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:47:38", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16158", + "ruleMessage": "User Logon", + "sourceIp": "199.19.85.34", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:46:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:46:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.19.85.34", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16158, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16157", + "ruleMessage": "User Logon", + "sourceIp": "199.19.85.34", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:46:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:46:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.19.85.34", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16157, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16156", + "ruleMessage": "User Logon", + "sourceIp": "199.19.85.34", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:46:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:46:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.19.85.34", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16156, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16155", + "ruleMessage": "User Logon", + "sourceIp": "199.19.85.34", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:46:17", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:46:17", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.19.85.34", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16155, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16154", + "ruleMessage": "User Logon", + "sourceIp": "199.19.85.34", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:46:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:46:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.19.85.34", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16154, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17127 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:45:07", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16150", + "ruleMessage": "User Logon", + "sourceIp": "199.19.85.34", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:44:24", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:44:24", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.19.85.34", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16150, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17126 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:42:37", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16137", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:42:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:42:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16137, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16136", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:41:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:41:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16136, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16135", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:41:57", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:41:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16135, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16133", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:41:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:41:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16133, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16134", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:41:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:41:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16134, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16132", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:41:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:41:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16132, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16130", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:40:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:40:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16130, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17125 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:41:07", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16129", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:39:44", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:39:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16129, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-01 00:41:32 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17124 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:35:37", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16116", + "ruleMessage": "User Logon", + "sourceIp": "52.177.198.70", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:34:08", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:34:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.198.70", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16116, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16117", + "ruleMessage": "User Logon", + "sourceIp": "52.177.198.70", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:34:08", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:34:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.198.70", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16117, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16115", + "ruleMessage": "User Logon", + "sourceIp": "52.177.198.70", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:34:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:34:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.198.70", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16115, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16114", + "ruleMessage": "User Logon", + "sourceIp": "52.177.198.70", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:34:05", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:34:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.198.70", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16114, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16111", + "ruleMessage": "User Logon", + "sourceIp": "52.177.198.70", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:34:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:34:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.198.70", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16111, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16112", + "ruleMessage": "User Logon", + "sourceIp": "52.177.198.70", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:34:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:34:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.198.70", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16112, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16113", + "ruleMessage": "User Logon", + "sourceIp": "52.177.198.70", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:34:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:34:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.198.70", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16113, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17123 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:34:07", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16108", + "ruleMessage": "User Logon", + "sourceIp": "52.177.198.70", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:33:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:33:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.198.70", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16108, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16109", + "ruleMessage": "User Logon", + "sourceIp": "52.177.198.70", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:33:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:33:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.198.70", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16109, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16107", + "ruleMessage": "User Logon", + "sourceIp": "52.177.198.70", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:32:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:32:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.198.70", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16107, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16106", + "ruleMessage": "User Logon", + "sourceIp": "52.177.198.70", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:32:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:32:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.198.70", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16106, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16104", + "ruleMessage": "User Logon", + "sourceIp": "52.177.198.70", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:32:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:32:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.198.70", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16104, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17122 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:32:37", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16103", + "ruleMessage": "User Logon", + "sourceIp": "52.177.198.70", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:31:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:31:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.177.198.70", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16103, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-01 00:33:40 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16099", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:30:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:30:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16099, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16098", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:30:52", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:30:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16098, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16096", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:30:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:30:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16096, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16095", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:30:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:30:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16095, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16094", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:30:48", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:30:48", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16094, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17121 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:30:07", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16087", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:29:26", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + 
"subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:29:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16087, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16088", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:29:26", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + 
"subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:29:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16088, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16085", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:29:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + 
"subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:29:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16085, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16086", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:29:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + 
"subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:29:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16086, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16084", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:29:13", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + 
"subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:29:13", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16084, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16083", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:29:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + 
"subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:29:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16083, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16082", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:29:08", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + 
"subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:29:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16082, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16080", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:29:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + 
"subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:29:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16080, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16081", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:29:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + 
"subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:29:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16081, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17120 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:28:37", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16075", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:27:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:27:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16075, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-01 00:28:49 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16074", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:27:52", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:27:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16074, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-01 00:28:50 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16073", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:27:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:27:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16073, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16072", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:27:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:27:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16072, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16071", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:27:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:27:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16071, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16070", + "ruleMessage": "User Logon", + "sourceIp": "52.179.186.207", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:26:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:26:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.186.207", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16070, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17119 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:25:37", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16058", + "ruleMessage": "User Logon", + "sourceIp": "52.254.75.74", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:25:12", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:25:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.75.74", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16058, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16057", + "ruleMessage": "User Logon", + "sourceIp": "52.254.75.74", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:25:09", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:25:09", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.75.74", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16057, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16056", + "ruleMessage": "User Logon", + "sourceIp": "52.254.75.74", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:25:08", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:25:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.75.74", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16056, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16055", + "ruleMessage": "User Logon", + "sourceIp": "52.254.75.74", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:24:52", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:24:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.75.74", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16055, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16053", + "ruleMessage": "User Logon", + "sourceIp": "52.254.75.74", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:24:09", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:24:09", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.75.74", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16053, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16054", + "ruleMessage": "User Logon", + "sourceIp": "52.254.75.74", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:24:09", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:24:09", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.75.74", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16054, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16052", + "ruleMessage": "User Logon", + "sourceIp": "52.254.75.74", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:24:05", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:24:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.75.74", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16052, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16050", + "ruleMessage": "User Logon", + "sourceIp": "52.254.75.74", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:24:02", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:24:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.75.74", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16050, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16051", + "ruleMessage": "User Logon", + "sourceIp": "52.254.75.74", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:24:02", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:24:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.75.74", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16051, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17118 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:23:06", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16044", + "ruleMessage": "User Logon", + "sourceIp": "52.167.213.133", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:22:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:22:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.213.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16044, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16043", + "ruleMessage": "User Logon", + "sourceIp": "52.167.213.133", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:22:24", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:22:24", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.213.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16043, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16041", + "ruleMessage": "User Logon", + "sourceIp": "52.167.213.133", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:22:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:22:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.213.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16041, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16040", + "ruleMessage": "User Logon", + "sourceIp": "52.167.213.133", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:22:20", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:22:20", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.213.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16040, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16039", + "ruleMessage": "User Logon", + "sourceIp": "52.167.213.133", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:22:19", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:22:19", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.213.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16039, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16038", + "ruleMessage": "User Logon", + "sourceIp": "52.167.213.133", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:21:44", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:21:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.213.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16038, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17117 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:20:36", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16033", + "ruleMessage": "User Logon", + "sourceIp": "52.167.213.133", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:20:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:20:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.213.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16033, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16034", + "ruleMessage": "User Logon", + "sourceIp": "52.167.213.133", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:20:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:20:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.213.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16034, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16032", + "ruleMessage": "User Logon", + "sourceIp": "52.167.213.133", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:20:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:20:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.213.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16032, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16031", + "ruleMessage": "User Logon", + "sourceIp": "52.167.213.133", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:19:57", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:19:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.213.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16031, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17116 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:19:36", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16028", + "ruleMessage": "User Logon", + "sourceIp": "52.167.213.133", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:18:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:18:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.213.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16028, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-01 00:19:53 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17115 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:18:36", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16023", + "ruleMessage": "User Logon", + "sourceIp": "52.249.184.103", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:16:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:16:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.249.184.103", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16023, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16022", + "ruleMessage": "User Logon", + "sourceIp": "52.249.184.103", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:16:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:16:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.249.184.103", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16022, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16020", + "ruleMessage": "User Logon", + "sourceIp": "52.249.184.103", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:16:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:16:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.249.184.103", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16020, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17114 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:17:06", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16017", + "ruleMessage": "User Logon", + "sourceIp": "52.249.184.103", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:15:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:15:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.249.184.103", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16017, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17113 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:14:36", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16013", + "ruleMessage": "User Logon", + "sourceIp": "52.249.184.103", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:14:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:14:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.249.184.103", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16013, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17112 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:13:36", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16008", + "ruleMessage": "User Logon", + "sourceIp": "52.147.169.37", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:12:13", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:12:13", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.169.37", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16008, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16007", + "ruleMessage": "User Logon", + "sourceIp": "52.147.169.37", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:12:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:12:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.169.37", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16007, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16005", + "ruleMessage": "User Logon", + "sourceIp": "52.147.169.37", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:12:08", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:12:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.169.37", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16005, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16004", + "ruleMessage": "User Logon", + "sourceIp": "52.147.169.37", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:12:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:12:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.169.37", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16004, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16003", + "ruleMessage": "User Logon", + "sourceIp": "52.147.169.37", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:12:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:12:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.169.37", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16003, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16001", + "ruleMessage": "User Logon", + "sourceIp": "52.147.169.37", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:11:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:11:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.169.37", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16001, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|16002", + "ruleMessage": "User Logon", + "sourceIp": "52.147.169.37", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:11:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:11:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.169.37", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 16002, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17111 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:10:36", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15989", + "ruleMessage": "User Logon", + "sourceIp": "52.147.169.37", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:10:13", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:10:13", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.169.37", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15989, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15988", + "ruleMessage": "User Logon", + "sourceIp": "52.147.169.37", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:10:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:10:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.169.37", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15988, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15987", + "ruleMessage": "User Logon", + "sourceIp": "52.147.169.37", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:10:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:10:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.169.37", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15987, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17110 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "10/01/2020 00:09:06", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15978", + "ruleMessage": "User Logon", + "sourceIp": "52.147.169.37", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:08:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:08:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.169.37", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15978, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-01 00:10:03 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15976", + "ruleMessage": "User Logon", + "sourceIp": "52.147.169.37", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:08:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:08:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.169.37", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15976, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-10-01 00:10:03 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15977", + "ruleMessage": "User Logon", + "sourceIp": "52.147.169.37", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:08:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:08:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.169.37", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15977, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15975", + "ruleMessage": "User Logon", + "sourceIp": "52.147.169.37", + "destIp": "22.22.24.6", + "lastTime": "10/01/2020 00:07:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "10/01/2020 00:07:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.169.37", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15975, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17109 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 20:08:26", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15970", + "ruleMessage": "User Logon", + "sourceIp": "40.75.9.99", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 20:07:56", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 20:07:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.9.99", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15970, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15969", + "ruleMessage": "User Logon", + "sourceIp": "40.75.9.99", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 20:07:54", + "eventSubType": "success", + "protocol": "n/a", 
+ "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 20:07:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.9.99", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15969, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15967", + "ruleMessage": "User Logon", + "sourceIp": "40.75.9.99", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 20:07:52", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 20:07:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.9.99", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15967, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15966", + "ruleMessage": "User Logon", + "sourceIp": "40.75.9.99", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 20:07:51", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 20:07:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.9.99", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15966, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15965", + "ruleMessage": "User Logon", + "sourceIp": "40.75.9.99", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 20:07:50", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 20:07:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.9.99", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15965, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15963", + "ruleMessage": "User Logon", + "sourceIp": "40.75.9.99", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 20:07:03", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 20:07:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.9.99", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15963, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15964", + "ruleMessage": "User Logon", + "sourceIp": "40.75.9.99", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 20:07:03", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 20:07:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.9.99", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15964, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15959", + "ruleMessage": "User Logon", + "sourceIp": "52.251.57.185", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 20:06:45", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 20:06:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.57.185", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15959, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15958", + "ruleMessage": "User Logon", + "sourceIp": "40.75.9.99", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 20:06:44", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 20:06:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.9.99", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15958, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15957", + "ruleMessage": "User Logon", + "sourceIp": "52.251.57.185", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 20:06:43", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 20:06:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.57.185", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15957, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17108 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 20:05:56", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15947", + "ruleMessage": "User Logon", + "sourceIp": "52.251.57.185", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 20:05:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 20:05:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.57.185", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15947, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-30 20:06:38 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17107 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 20:04:56", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15943", + "ruleMessage": "User Logon", + "sourceIp": "52.251.57.185", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 20:04:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 20:04:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.57.185", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15943, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-30 20:05:13 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15944", + "ruleMessage": "User Logon", + "sourceIp": "52.251.57.185", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 20:04:06", + "eventSubType": "success", + "protocol": "n/a", 
+ "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 20:04:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.57.185", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15944, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-30 20:05:14 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15942", + "ruleMessage": "User Logon", + "sourceIp": "40.75.9.99", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 20:03:29", + "eventSubType": 
"success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 20:03:29", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.9.99", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15942, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15941", + "ruleMessage": "User Logon", + "sourceIp": "52.251.57.185", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 20:03:13", + "eventSubType": 
"success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 20:03:13", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.57.185", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15941, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + 
"alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17106 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 19:42:25", + "acknowledgedDate": "10/03/2020 15:24:12", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15939", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 19:41:18", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 19:41:18", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15939, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15937", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 19:40:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 19:40:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "MacIntel", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or 
services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15937, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "8074999591345936839", + "formatedValue": "MacIntel" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15938", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 19:40:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 19:40:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts 
or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15938, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15936", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 19:40:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 19:40:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts 
or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15936, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15935", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 19:40:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 19:40:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts 
or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15935, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17105 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 19:38:55", + "acknowledgedDate": "10/03/2020 15:24:12", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15930", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 19:37:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 19:37:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15930, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15929", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 19:37:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 19:37:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15929, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15928", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 19:37:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 19:37:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15928, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15927", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 19:37:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 19:37:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15927, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15926", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 19:37:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 19:37:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15926, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15925", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 19:37:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 19:37:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15925, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17104 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 17:55:50", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15923", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 17:55:14", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 17:55:14", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "MacIntel", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15923, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "8074999591345936839", + "formatedValue": "MacIntel" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17103 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 17:27:19", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15919", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 17:26:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + 
"id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 17:26:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15919, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15918", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 17:26:41", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + 
"id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 17:26:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15918, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15917", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 17:26:09", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + 
"id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 17:26:09", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15917, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15916", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 17:26:05", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + 
"id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 17:26:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15916, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17102 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 17:25:19", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15912", + "ruleMessage": "User Logon", + "sourceIp": "20.186.44.51", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 17:24:41", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 17:24:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.186.44.51", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15912, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15911", + "ruleMessage": "User Logon", + "sourceIp": "20.186.44.51", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 17:24:38", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 17:24:38", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.186.44.51", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15911, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15910", + "ruleMessage": "User Logon", + "sourceIp": "40.88.38.17", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 17:24:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 17:24:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.88.38.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15910, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15909", + "ruleMessage": "User Logon", + "sourceIp": "40.88.38.17", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 17:24:08", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 17:24:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.88.38.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15909, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17101 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 17:12:49", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15907", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 17:12:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 17:12:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15907, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17100 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 17:11:49", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15904", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 17:10:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 17:10:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15904, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17099 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 17:10:49", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15903", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 17:09:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 17:09:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15903, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17098 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 17:07:48", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15899", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 17:06:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 17:06:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15899, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17097 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 17:05:18", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15894", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 17:04:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 17:04:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15894, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17096 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 17:02:18", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15889", + "ruleMessage": "User Logon", + "sourceIp": "52.247.118.64", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 17:01:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 17:01:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.247.118.64", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15889, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15888", + "ruleMessage": "User Logon", + "sourceIp": "52.247.118.64", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 17:01:31", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 17:01:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.247.118.64", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15888, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15886", + "ruleMessage": "User Logon", + "sourceIp": "52.247.118.64", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 17:01:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 17:01:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.247.118.64", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15886, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15885", + "ruleMessage": "User Logon", + "sourceIp": "52.247.118.64", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 17:01:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 17:01:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.247.118.64", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15885, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15884", + "ruleMessage": "User Logon", + "sourceIp": "52.247.118.64", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 17:01:26", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 17:01:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.247.118.64", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15884, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17095 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 16:59:48", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15881", + "ruleMessage": "User Logon", + "sourceIp": "52.247.118.64", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 16:59:20", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 16:59:20", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.247.118.64", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15881, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-30 17:00:26 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17094 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 16:57:48", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15876", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 16:56:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 16:56:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15876, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15875", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 16:56:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 16:56:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15875, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17093 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 00:19:05", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15873", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 00:18:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 00:18:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15873, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17092 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 00:15:05", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15871", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 00:14:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 00:14:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15871, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17091 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 00:14:05", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15867", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 00:13:30", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 00:13:30", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15867, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17090 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 00:12:05", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15863", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 00:11:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 00:11:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15863, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17089 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 00:07:05", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15861", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 00:05:44", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 00:05:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "MacIntel", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15861, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "8074999591345936839", + "formatedValue": "MacIntel" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17088 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 00:01:34", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15857", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/30/2020 00:01:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/30/2020 00:01:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15857, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17087 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/30/2020 00:00:34", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15855", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 23:59:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 23:59:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15855, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15854", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 23:59:26", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 23:59:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15854, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17086 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 23:58:34", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15852", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 23:57:13", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 23:57:13", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15852, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17085 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 23:53:34", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15850", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 23:52:38", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 23:52:38", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15850, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17084 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 23:49:34", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15848", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 23:48:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 23:48:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15848, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17083 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 23:48:34", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15846", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 23:47:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 23:47:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15846, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15845", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 23:46:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 23:46:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "MacIntel", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15845, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "8074999591345936839", + "formatedValue": "MacIntel" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17082 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 22:32:31", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15830", + "ruleMessage": "User Logon", + "sourceIp": "104.208.243.44", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 22:31:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 22:31:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.208.243.44", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15830, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15829", + "ruleMessage": "User Logon", + "sourceIp": "104.208.243.44", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 22:31:48", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 22:31:48", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.208.243.44", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15829, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15828", + "ruleMessage": "User Logon", + "sourceIp": "104.208.243.44", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 22:31:34", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 22:31:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.208.243.44", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15828, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15827", + "ruleMessage": "User Logon", + "sourceIp": "104.208.243.44", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 22:31:22", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 22:31:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.208.243.44", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15827, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15826", + "ruleMessage": "User Logon", + "sourceIp": "104.208.243.44", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 22:31:18", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 22:31:18", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.208.243.44", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15826, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15825", + "ruleMessage": "User Logon", + "sourceIp": "104.208.243.44", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 22:31:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 22:31:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.208.243.44", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15825, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15824", + "ruleMessage": "User Logon", + "sourceIp": "104.208.243.44", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 22:31:08", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 22:31:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.208.243.44", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15824, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15822", + "ruleMessage": "User Logon", + "sourceIp": "104.208.243.44", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 22:31:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 22:31:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.208.243.44", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15822, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15823", + "ruleMessage": "User Logon", + "sourceIp": "104.208.243.44", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 22:31:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 22:31:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.208.243.44", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15823, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15821", + "ruleMessage": "User Logon", + "sourceIp": "104.208.243.44", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 22:30:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 22:30:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.208.243.44", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15821, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17081 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 22:29:31", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15814", + "ruleMessage": "User Logon", + "sourceIp": "104.208.243.44", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 22:29:09", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 22:29:09", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.208.243.44", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15814, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-29 22:30:47 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17080 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 21:41:29", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15812", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:40:44", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:40:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15812, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15811", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:40:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:40:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15811, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15810", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:40:04", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:40:04", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15810, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15809", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:39:57", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:39:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15809, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17079 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 21:38:59", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15804", + "ruleMessage": "User Logon", + "sourceIp": "104.46.109.222", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:38:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:38:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.46.109.222", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15804, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17078 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 21:37:59", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15798", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:37:26", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:37:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15798, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15797", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:37:19", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:37:19", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15797, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17077 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 21:36:59", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15793", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:36:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:36:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15793, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15792", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.23", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:36:04", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:36:04", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.23", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15792, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17076 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 21:35:29", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15788", + "ruleMessage": "User Logon", + "sourceIp": "104.46.124.248", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:35:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:35:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.46.124.248", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15788, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15787", + "ruleMessage": "User Logon", + "sourceIp": "104.46.124.248", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:34:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:34:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.46.124.248", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15787, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15786", + "ruleMessage": "User Logon", + "sourceIp": "40.75.1.143", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:34:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:34:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.1.143", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15786, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15785", + "ruleMessage": "User Logon", + "sourceIp": "40.75.1.143", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:34:26", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:34:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.1.143", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15785, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17075 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 21:28:28", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15781", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:27:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:27:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15781, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15780", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:27:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:27:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15780, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15779", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:26:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:26:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15779, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15778", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:26:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:26:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15778, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17074 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 21:23:58", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15776", + "ruleMessage": "User Logon", + "sourceIp": "40.79.25.84", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:23:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:23:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.79.25.84", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15776, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15775", + "ruleMessage": "User Logon", + "sourceIp": "40.79.25.84", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:23:30", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:23:30", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.79.25.84", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15775, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15774", + "ruleMessage": "User Logon", + "sourceIp": "40.75.12.140", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:23:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:23:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.12.140", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15774, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15773", + "ruleMessage": "User Logon", + "sourceIp": "40.75.12.140", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:23:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:23:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.12.140", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15773, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15772", + "ruleMessage": "User Logon", + "sourceIp": "40.123.37.43", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:22:34", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:22:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.123.37.43", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15772, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15771", + "ruleMessage": "User Logon", + "sourceIp": "40.123.37.43", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:22:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:22:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.123.37.43", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15771, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17073 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 21:03:57", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15767", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:03:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:03:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15767, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15766", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 21:02:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 21:02:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15766, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17072 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 20:18:25", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15763", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 20:17:31", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 20:17:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15763, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17071 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 20:16:25", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15761", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 20:15:23", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 20:15:23", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15761, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17070 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 14:15:10", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15759", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 14:14:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 14:14:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15759, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15758", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 14:14:14", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 14:14:14", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15758, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17069 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 14:13:10", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15756", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 14:12:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 14:12:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15756, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15755", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 14:12:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 14:12:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15755, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15754", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 14:11:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 14:11:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15754, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17068 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 14:08:10", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15752", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 14:06:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 14:06:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15752, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17067 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 14:05:40", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15750", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 14:05:18", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 14:05:18", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15750, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17066 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 14:04:40", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15746", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 14:04:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 14:04:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15746, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17065 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 13:19:38", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15743", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 13:18:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 13:18:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15743, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17064 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 13:13:38", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15740", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 13:12:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 13:12:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15740, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17063 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 13:09:38", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15737", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 13:08:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 13:08:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15737, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17062 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 13:07:08", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15735", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 13:06:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 13:06:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15735, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17061 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 13:06:08", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15733", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 13:05:14", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 13:05:14", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15733, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17060 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 13:04:08", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15731", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 13:02:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 13:02:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "MacIntel", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15731, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "8074999591345936839", + "formatedValue": "MacIntel" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17059 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 12:58:07", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15728", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 12:57:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + 
"id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 12:57:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15728, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15727", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 12:57:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + 
"id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 12:57:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15727, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15726", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 12:56:34", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + 
"id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 12:56:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15726, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17058 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 04:21:44", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15724", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 04:20:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 04:20:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15724, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15723", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 04:20:33", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 04:20:33", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15723, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17057 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 04:19:44", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15721", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 04:18:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 04:18:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15721, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17056 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 04:01:43", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15719", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 04:00:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 04:00:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15719, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15718", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 04:00:24", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 04:00:24", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15718, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17055 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 03:59:13", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15716", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 03:58:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 03:58:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15716, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15715", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 03:58:29", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 03:58:29", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15715, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17054 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 03:56:13", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15713", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 03:55:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 03:55:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15713, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15712", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 03:55:17", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 03:55:17", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15712, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17053 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 03:47:12", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15709", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 03:46:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 03:46:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15709, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17052 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 03:45:12", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15707", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 03:44:29", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 03:44:29", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15707, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17051 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 03:30:12", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15705", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 03:29:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 03:29:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15705, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17050 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 03:21:41", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15703", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 03:20:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 03:20:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15703, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17049 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 03:19:41", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15701", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 03:18:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 03:18:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15701, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15700", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 03:18:19", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 03:18:19", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15700, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17048 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 03:17:41", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15697", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 03:17:08", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 03:17:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15697, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15696", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 03:16:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 03:16:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15696, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17047 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 03:12:41", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15694", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 03:11:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 03:11:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15694, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15693", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 03:11:20", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 03:11:20", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15693, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17046 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 03:08:41", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15691", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 03:07:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 03:07:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15691, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15690", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 03:07:17", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 03:07:17", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15690, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17045 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 03:03:11", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15688", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 03:01:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 03:01:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15688, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17044 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 03:00:10", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15686", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 02:59:31", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 02:59:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15686, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15685", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 02:59:30", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 02:59:30", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15685, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15684", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 02:59:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 02:59:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15684, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15683", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 02:59:26", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 02:59:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15683, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15681", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 02:59:23", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 02:59:23", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15681, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15682", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 02:59:23", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 02:59:23", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15682, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15680", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 02:59:19", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 02:59:19", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15680, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17043 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 02:56:40", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15677", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 02:55:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 02:55:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15677, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15676", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 02:55:31", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 02:55:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15676, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17042 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 01:05:36", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15674", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 01:04:44", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 01:04:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15674, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17041 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/29/2020 01:02:36", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15669", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 01:01:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 01:01:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15669, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15668", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 01:01:40", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 01:01:40", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15668, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15667", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/29/2020 01:01:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/29/2020 01:01:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15667, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17040 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/28/2020 21:17:27", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15665", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/28/2020 21:16:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/28/2020 21:16:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15665, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15664", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/28/2020 21:16:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/28/2020 21:16:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15664, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15663", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/28/2020 21:16:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/28/2020 21:16:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15663, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15662", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/28/2020 21:15:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/28/2020 21:15:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15662, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17039 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/28/2020 20:44:56", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15660", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/28/2020 20:43:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/28/2020 20:43:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15660, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17038 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/28/2020 18:31:50", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15657", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/28/2020 18:31:20", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/28/2020 18:31:20", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15657, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15656", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/28/2020 18:31:18", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/28/2020 18:31:18", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15656, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17037 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/28/2020 18:17:50", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15653", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/28/2020 18:17:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/28/2020 18:17:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15653, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17036 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/28/2020 18:12:50", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15651", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/28/2020 18:11:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/28/2020 18:11:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15651, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17035 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/28/2020 18:08:49", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15648", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/28/2020 18:07:52", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/28/2020 18:07:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15648, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17034 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/27/2020 22:52:01", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15645", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/27/2020 22:51:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/27/2020 22:51:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15645, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17033 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/27/2020 22:51:01", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15644", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/27/2020 22:50:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/27/2020 22:50:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15644, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17032 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 16:04:15", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15638", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 16:03:30", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 16:03:30", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15638, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17031 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 16:01:14", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15636", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:59:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:59:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15636, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17030 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 15:59:14", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15633", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:57:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:57:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15633, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17029 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 15:57:44", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15632", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:56:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:56:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15632, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17028 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 15:55:44", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15627", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:54:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:54:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15627, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15626", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:54:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:54:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15626, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17027 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 15:50:44", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15613", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:50:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:50:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15613, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15612", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:50:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:50:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15612, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15611", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:49:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:49:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15611, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17026 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 15:49:44", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15606", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:48:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:48:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15606, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-26 11:49:25 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15605", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:48:44", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:48:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15605, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-26 11:49:26 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15604", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:48:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:48:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15604, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15603", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:48:40", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:48:40", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15603, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15602", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:48:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:48:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15602, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15601", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:48:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:48:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15601, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15600", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:48:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:48:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15600, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15599", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:48:33", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:48:33", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15599, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15598", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:48:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:48:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15598, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17025 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 15:48:14", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15595", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:47:18", + "eventSubType": "success", + 
"protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:47:18", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15595, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15594", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:47:12", + "eventSubType": "success", + 
"protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:47:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15594, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15593", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:47:10", + "eventSubType": "success", + 
"protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:47:10", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15593, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + 
"alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17024 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 15:46:14", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15591", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:44:44", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:44:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15591, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15590", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:44:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:44:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15590, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15589", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:44:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:44:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15589, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17023 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 15:24:43", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15583", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:24:09", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:24:09", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15583, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15582", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:24:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:24:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15582, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17022 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 15:23:43", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15580", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:22:48", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:22:48", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15580, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15579", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:22:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:22:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15579, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15578", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 15:22:41", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 15:22:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15578, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17021 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 14:55:42", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15576", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 14:53:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 14:53:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15576, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17020 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 14:49:11", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15574", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 14:48:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 14:48:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15574, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17019 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 14:47:11", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15571", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 14:46:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 14:46:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15571, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17018 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 03:41:13", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15569", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 03:39:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 03:39:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15569, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17017 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 03:37:43", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15566", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 03:37:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 03:37:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15566, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15565", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 03:36:33", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 03:36:33", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15565, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17016 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 03:28:43", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15563", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 03:27:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 03:27:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15563, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15562", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 03:27:33", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 03:27:33", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15562, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17015 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 03:25:42", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15559", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 03:24:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 03:24:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15559, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15558", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 03:24:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 03:24:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15558, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17014 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 03:21:42", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15556", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 03:20:04", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 03:20:04", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15556, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17013 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 03:14:12", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15553", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 03:13:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 03:13:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15553, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17012 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 03:13:12", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15550", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 03:12:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 03:12:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15550, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15549", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 03:12:20", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 03:12:20", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15549, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15548", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 03:11:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 03:11:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15548, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17011 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 03:11:12", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15545", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 03:10:20", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 03:10:20", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15545, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17010 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 03:08:42", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15543", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 03:08:13", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 03:08:13", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15543, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17009 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 03:07:42", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15540", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 03:07:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 03:07:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15540, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17008 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 03:06:42", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15538", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 03:05:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 03:05:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15538, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17007 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 03:05:42", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15536", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 03:04:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 03:04:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15536, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17006 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 00:48:06", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15527", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 00:47:24", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 00:47:24", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15527, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17005 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 00:47:06", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15525", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 00:45:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 00:45:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15525, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15524", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 00:45:31", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 00:45:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15524, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15522", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 00:45:29", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 00:45:29", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15522, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15523", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 00:45:29", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 00:45:29", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15523, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15521", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 00:45:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 00:45:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15521, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15520", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 00:45:24", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 00:45:24", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15520, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15517", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 00:45:19", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 00:45:19", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15517, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15518", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 00:45:19", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 00:45:19", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15518, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15519", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 00:45:19", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 00:45:19", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15519, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15516", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 00:45:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 00:45:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15516, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17004 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 00:16:35", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15513", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 00:15:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 00:15:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15513, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17003 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 00:15:35", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15509", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 00:14:40", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 00:14:40", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15509, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15508", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 00:14:34", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 00:14:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15508, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15507", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 00:14:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 00:14:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15507, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15506", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 00:14:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 00:14:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15506, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17002 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/26/2020 00:13:05", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15504", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/26/2020 00:11:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/26/2020 00:11:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15504, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17001 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 23:50:04", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15502", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 23:49:24", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 23:49:24", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15502, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15501", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 23:49:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 23:49:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15501, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15500", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 23:48:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 23:48:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15500, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 17000 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 20:15:55", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15497", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 20:15:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 20:15:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15497, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16999 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 20:13:55", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15495", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 20:12:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 20:12:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15495, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16998 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 18:11:20", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15493", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 18:10:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 18:10:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15493, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15491", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 18:10:08", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 18:10:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15491, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16997 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 18:10:20", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15489", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 18:08:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 18:08:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15489, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16996 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 18:07:19", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15487", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 18:06:18", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 18:06:18", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15487, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15485", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 18:06:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 18:06:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15485, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16995 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 18:05:49", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15484", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 18:04:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 18:04:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15484, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16994 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 17:47:49", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15481", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 17:47:14", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 17:47:14", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15481, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15480", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 17:46:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 17:46:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15480, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16993 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 17:39:48", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15478", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 17:38:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 17:38:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15478, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16992 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 17:34:48", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15476", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 17:33:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 17:33:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15476, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16991 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 17:33:18", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15473", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 17:32:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 17:32:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15473, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15472", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 17:32:29", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 17:32:29", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15472, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15471", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 17:31:48", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 17:31:48", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15471, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16990 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 17:30:18", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15469", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 17:28:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 17:28:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15469, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16989 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 17:14:17", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15467", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 17:12:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 17:12:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15467, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16988 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 17:11:47", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15463", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 17:11:14", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 17:11:14", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15463, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16987 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 12:31:36", + "acknowledgedDate": "09/25/2020 20:15:52", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15453", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 12:30:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 12:30:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "MacIntel", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15453, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "8074999591345936839", + "formatedValue": "MacIntel" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16986 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 03:42:13", + "acknowledgedDate": "09/25/2020 20:15:52", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15451", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 03:41:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 03:41:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15451, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16985 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 03:36:12", + "acknowledgedDate": "09/25/2020 20:15:52", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15448", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 03:35:14", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 03:35:14", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15448, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16984 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 03:35:12", + "acknowledgedDate": "09/25/2020 20:15:53", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15447", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 03:33:30", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 03:33:30", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15447, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16983 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 03:29:42", + "acknowledgedDate": "09/25/2020 20:15:53", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15445", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 03:28:41", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 03:28:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15445, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16982 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 03:27:42", + "acknowledgedDate": "09/25/2020 20:15:53", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15441", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 03:27:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 03:27:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15441, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16981 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 03:18:42", + "acknowledgedDate": "09/25/2020 20:15:53", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15439", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 03:17:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 03:17:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15439, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16980 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 03:15:42", + "acknowledgedDate": "09/25/2020 20:15:53", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15437", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 03:14:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 03:14:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15437, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16979 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/25/2020 03:12:11", + "acknowledgedDate": "09/25/2020 20:15:53", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15433", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 03:11:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 03:11:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15433, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15432", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/25/2020 03:11:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/25/2020 03:11:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15432, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16978 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 17:58:19", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15430", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 17:57:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 17:57:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15430, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16977 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 17:55:19", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15428", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 17:54:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 17:54:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15428, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16976 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 17:23:48", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15425", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 17:23:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 17:23:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15425, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16975 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 17:21:48", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15423", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 17:21:13", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 17:21:13", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15423, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16974 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 17:13:48", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15421", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 17:13:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 17:13:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15421, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16973 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 17:12:48", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15417", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 17:11:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 17:11:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15417, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16972 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 17:11:48", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15416", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 17:10:04", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 17:10:04", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "MacIntel", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15416, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "8074999591345936839", + "formatedValue": "MacIntel" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16971 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 17:09:18", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15414", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 17:08:26", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + 
"id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 17:08:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15414, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16970 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 17:05:17", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15412", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 17:04:52", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 17:04:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15412, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16969 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 17:01:17", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15410", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 17:00:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 17:00:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15410, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16968 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 17:00:17", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15408", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 16:58:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 16:58:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15408, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16967 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 16:58:17", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15406", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 16:57:22", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 16:57:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15406, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16966 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 16:56:17", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15404", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 16:55:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 16:55:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15404, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16965 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 16:54:17", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15402", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 16:53:34", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 16:53:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15402, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16964 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 16:40:46", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15400", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 16:39:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 16:39:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15400, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16963 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 16:37:46", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15398", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 16:37:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 16:37:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15398, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15397", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 16:36:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 16:36:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15397, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15396", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 16:36:20", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 16:36:20", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15396, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16962 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 16:34:46", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15393", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 16:33:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 16:33:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15393, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16961 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 16:18:45", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15391", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 16:17:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 16:17:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15391, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16960 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 16:07:45", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15389", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 16:06:40", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 16:06:40", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15389, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15388", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 16:06:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 16:06:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15388, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16959 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 16:03:45", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15386", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 16:02:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 16:02:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15386, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15385", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 16:02:05", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 16:02:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15385, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16958 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 15:51:14", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15383", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 15:50:18", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 15:50:18", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15383, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16957 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 15:48:14", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15380", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 15:47:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 15:47:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15380, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15379", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 15:46:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 15:46:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15379, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16956 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 15:44:14", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15377", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 15:43:24", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 15:43:24", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15377, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16955 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 15:42:44", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15375", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 15:42:08", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 15:42:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15375, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16954 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 15:41:44", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15373", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 15:40:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 15:40:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15373, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16953 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 15:39:44", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15370", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 15:39:14", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 15:39:14", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15370, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16952 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 15:37:44", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15367", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 15:37:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 15:37:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15367, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16951 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 15:34:44", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15365", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 15:33:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 15:33:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15365, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16950 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 15:31:44", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15363", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 15:30:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 15:30:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15363, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15362", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 15:30:34", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 15:30:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15362, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16949 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 15:30:14", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15360", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 15:29:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 15:29:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15360, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16948 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 15:28:13", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15357", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 15:27:44", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 15:27:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15357, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16947 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 15:26:13", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15355", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 15:25:41", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 15:25:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15355, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16946 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 15:12:13", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15353", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 15:11:19", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 15:11:19", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15353, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16945 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 13:55:10", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15340", + "ruleMessage": "User Logon", + "sourceIp": "52.191.14.125", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:54:29", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:54:29", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.191.14.125", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15340, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15339", + "ruleMessage": "User Logon", + "sourceIp": "52.191.14.125", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:54:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:54:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.191.14.125", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15339, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15337", + "ruleMessage": "User Logon", + "sourceIp": "52.191.14.125", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:54:22", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:54:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.191.14.125", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15337, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15338", + "ruleMessage": "User Logon", + "sourceIp": "52.191.14.125", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:54:22", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:54:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.191.14.125", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15338, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15335", + "ruleMessage": "User Logon", + "sourceIp": "52.191.14.125", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:54:19", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:54:19", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.191.14.125", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15335, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15336", + "ruleMessage": "User Logon", + "sourceIp": "52.191.14.125", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:54:19", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:54:19", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.191.14.125", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15336, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15332", + "ruleMessage": "User Logon", + "sourceIp": "52.191.14.125", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:54:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:54:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.191.14.125", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15332, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15333", + "ruleMessage": "User Logon", + "sourceIp": "52.191.14.125", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:54:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:54:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.191.14.125", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15333, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15334", + "ruleMessage": "User Logon", + "sourceIp": "52.191.14.125", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:54:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:54:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.191.14.125", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15334, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16944 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 13:53:40", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15328", + "ruleMessage": "User Logon", + "sourceIp": "52.191.14.125", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:53:04", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:53:04", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.191.14.125", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15328, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-24 13:53:45 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15327", + "ruleMessage": "User Logon", + "sourceIp": "52.191.14.125", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:53:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:53:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.191.14.125", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15327, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-24 13:53:46 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15326", + "ruleMessage": "User Logon", + "sourceIp": "52.191.14.125", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:52:57", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:52:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.191.14.125", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15326, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16943 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 13:52:39", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15324", + "ruleMessage": "User Logon", + "sourceIp": "52.191.14.125", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:51:39", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:51:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.191.14.125", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15324, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16942 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 13:50:39", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15322", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:49:52", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:49:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15322, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15321", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:49:26", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:49:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15321, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15314", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:49:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:49:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15314, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15315", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:49:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:49:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15315, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15316", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:49:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:49:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15316, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15317", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:49:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:49:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15317, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15318", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:49:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:49:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15318, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15319", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:49:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:49:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15319, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15320", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:49:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:49:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15320, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15313", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:49:05", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:49:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15313, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16941 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 13:33:09", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15302", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:32:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:32:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15302, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15301", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:32:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:32:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15301, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15294", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:31:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:31:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15294, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15295", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:31:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:31:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15295, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15296", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:31:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:31:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15296, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15297", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:31:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:31:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15297, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15299", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:31:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:31:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15299, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15298", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:31:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:31:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15298, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15300", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:31:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:31:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15300, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15292", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:31:33", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:31:33", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15292, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16940 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 13:31:39", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15290", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:30:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:30:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15290, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15289", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:30:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:30:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15289, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15288", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:30:19", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:30:19", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15288, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15287", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:30:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:30:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15287, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16939 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 13:29:08", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15285", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:28:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:28:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15285, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-24 09:31:22 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16938 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 13:28:08", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15274", + "ruleMessage": "User Logon", + "sourceIp": "52.232.178.112", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:27:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:27:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.232.178.112", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15274, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15273", + "ruleMessage": "User Logon", + "sourceIp": "52.232.178.112", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:27:09", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:27:09", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.232.178.112", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15273, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15271", + "ruleMessage": "User Logon", + "sourceIp": "52.232.178.112", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:27:08", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:27:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.232.178.112", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15271, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15272", + "ruleMessage": "User Logon", + "sourceIp": "52.232.178.112", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:27:08", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:27:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.232.178.112", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15272, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15270", + "ruleMessage": "User Logon", + "sourceIp": "52.232.178.112", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:27:05", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:27:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.232.178.112", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15270, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15268", + "ruleMessage": "User Logon", + "sourceIp": "52.232.178.112", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:27:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:27:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.232.178.112", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15268, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15269", + "ruleMessage": "User Logon", + "sourceIp": "52.232.178.112", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:27:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:27:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.232.178.112", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15269, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15267", + "ruleMessage": "User Logon", + "sourceIp": "52.232.178.112", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:27:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:27:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.232.178.112", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15267, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15266", + "ruleMessage": "User Logon", + "sourceIp": "52.232.178.112", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:26:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:26:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.232.178.112", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15266, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15265", + "ruleMessage": "User Logon", + "sourceIp": "52.232.178.112", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:26:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:26:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.232.178.112", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15265, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16937 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 13:26:08", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15251", + "ruleMessage": "User Logon", + "sourceIp": "52.232.178.112", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:25:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:25:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.232.178.112", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15251, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-24 13:26:20 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15252", + "ruleMessage": "User Logon", + "sourceIp": "52.232.178.112", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:25:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:25:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.232.178.112", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15252, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-24 13:26:21 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15249", + "ruleMessage": "User Logon", + "sourceIp": "52.232.178.112", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:25:38", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:25:38", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.232.178.112", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15249, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15250", + "ruleMessage": "User Logon", + "sourceIp": "52.232.178.112", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:25:38", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:25:38", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.232.178.112", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15250, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15247", + "ruleMessage": "User Logon", + "sourceIp": "52.232.178.112", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:25:34", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:25:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.232.178.112", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15247, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15248", + "ruleMessage": "User Logon", + "sourceIp": "52.232.178.112", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:25:34", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:25:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.232.178.112", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15248, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15245", + "ruleMessage": "User Logon", + "sourceIp": "52.232.178.112", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:25:29", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:25:29", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.232.178.112", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15245, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15246", + "ruleMessage": "User Logon", + "sourceIp": "52.232.178.112", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:25:29", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:25:29", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.232.178.112", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15246, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15244", + "ruleMessage": "User Logon", + "sourceIp": "52.232.178.112", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 13:24:36", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 13:24:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.232.178.112", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15244, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16936 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 01:53:38", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15242", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:52:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:52:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15242, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15241", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:52:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:52:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15241, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15240", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:52:34", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:52:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15240, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16935 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 01:23:37", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15234", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.48", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:22:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:22:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.48", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15234, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15233", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.48", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:21:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:21:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.48", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15233, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15231", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.48", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:21:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:21:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.48", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15231, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15230", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.48", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:21:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:21:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.48", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15230, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15229", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.48", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:21:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:21:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.48", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15229, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16934 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 01:22:07", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15228", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.48", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:20:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:20:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.48", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15228, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15223", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.48", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:20:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:20:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.48", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15223, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15224", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.48", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:20:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:20:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.48", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15224, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15225", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.48", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:20:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:20:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.48", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15225, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15226", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.48", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:20:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:20:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.48", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15226, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15227", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.48", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:20:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:20:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.48", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15227, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16933 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 01:20:37", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15221", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.48", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:19:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:19:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.48", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15221, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16932 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 01:19:37", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15219", + "ruleMessage": "User Logon", + "sourceIp": "40.70.30.48", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:18:41", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:18:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.30.48", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15219, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-24 01:20:24 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16931 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 01:15:06", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15207", + "ruleMessage": "User Logon", + "sourceIp": "52.254.17.77", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:13:57", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:13:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.17.77", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15207, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15208", + "ruleMessage": "User Logon", + "sourceIp": "52.254.17.77", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:13:57", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:13:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.17.77", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15208, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15202", + "ruleMessage": "User Logon", + "sourceIp": "52.254.17.77", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:13:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:13:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.17.77", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15202, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15203", + "ruleMessage": "User Logon", + "sourceIp": "52.254.17.77", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:13:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:13:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.17.77", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15203, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15204", + "ruleMessage": "User Logon", + "sourceIp": "52.254.17.77", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:13:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:13:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.17.77", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15204, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15205", + "ruleMessage": "User Logon", + "sourceIp": "52.254.17.77", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:13:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:13:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.17.77", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15205, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15206", + "ruleMessage": "User Logon", + "sourceIp": "52.254.17.77", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:13:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:13:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.17.77", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15206, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15201", + "ruleMessage": "User Logon", + "sourceIp": "52.254.17.77", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:13:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:13:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.17.77", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15201, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15200", + "ruleMessage": "User Logon", + "sourceIp": "52.254.17.77", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:13:31", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:13:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.17.77", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15200, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16930 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 01:12:36", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15197", + "ruleMessage": "User Logon", + "sourceIp": "52.254.17.77", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:11:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:11:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.17.77", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15197, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-24 01:13:27 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16929 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 01:10:36", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15195", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:10:04", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:10:04", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15195, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-24 01:13:28 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16928 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 01:05:36", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15189", + "ruleMessage": "User Logon", + "sourceIp": "52.167.117.133", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:04:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:04:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.117.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15189, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15188", + "ruleMessage": "User Logon", + "sourceIp": "52.167.117.133", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:04:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:04:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.117.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15188, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15186", + "ruleMessage": "User Logon", + "sourceIp": "52.167.117.133", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:04:09", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:04:09", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.117.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15186, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15185", + "ruleMessage": "User Logon", + "sourceIp": "52.167.117.133", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:04:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:04:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.117.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15185, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15184", + "ruleMessage": "User Logon", + "sourceIp": "52.167.117.133", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:04:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:04:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.117.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15184, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16927 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 01:04:06", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15181", + "ruleMessage": "User Logon", + "sourceIp": "52.167.117.133", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:02:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:02:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.117.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15181, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15182", + "ruleMessage": "User Logon", + "sourceIp": "52.167.117.133", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:02:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:02:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.117.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15182, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15183", + "ruleMessage": "User Logon", + "sourceIp": "52.167.117.133", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:02:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:02:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.117.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15183, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15176", + "ruleMessage": "User Logon", + "sourceIp": "52.167.117.133", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:02:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:02:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.117.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15176, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15177", + "ruleMessage": "User Logon", + "sourceIp": "52.167.117.133", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:02:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:02:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.117.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15177, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15178", + "ruleMessage": "User Logon", + "sourceIp": "52.167.117.133", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:02:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:02:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.117.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15178, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15179", + "ruleMessage": "User Logon", + "sourceIp": "52.167.117.133", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:02:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:02:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.117.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15179, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15180", + "ruleMessage": "User Logon", + "sourceIp": "52.167.117.133", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:02:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:02:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.117.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15180, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16926 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 01:02:36", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15173", + "ruleMessage": "User Logon", + "sourceIp": "52.167.117.133", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:01:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:01:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.117.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15173, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16925 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 01:01:36", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15169", + "ruleMessage": "User Logon", + "sourceIp": "52.167.117.133", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 01:00:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 01:00:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.117.133", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15169, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-24 01:02:26 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16924 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 00:40:05", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15155", + "ruleMessage": "User Logon", + "sourceIp": "52.251.50.115", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:38:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:38:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.50.115", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15155, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15156", + "ruleMessage": "User Logon", + "sourceIp": "52.251.50.115", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:38:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:38:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.50.115", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15156, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15157", + "ruleMessage": "User Logon", + "sourceIp": "52.251.50.115", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:38:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:38:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.50.115", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15157, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15158", + "ruleMessage": "User Logon", + "sourceIp": "52.251.50.115", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:38:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:38:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.50.115", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15158, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15151", + "ruleMessage": "User Logon", + "sourceIp": "52.251.50.115", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:38:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:38:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.50.115", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15151, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15152", + "ruleMessage": "User Logon", + "sourceIp": "52.251.50.115", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:38:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:38:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.50.115", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15152, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15153", + "ruleMessage": "User Logon", + "sourceIp": "52.251.50.115", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:38:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:38:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.50.115", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15153, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15154", + "ruleMessage": "User Logon", + "sourceIp": "52.251.50.115", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:38:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:38:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.50.115", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15154, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16923 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 00:37:35", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15149", + "ruleMessage": "User Logon", + "sourceIp": "52.251.50.115", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:36:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:36:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.50.115", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15149, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-24 00:38:28 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16922 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 00:30:04", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15144", + "ruleMessage": "User Logon", + "sourceIp": "52.167.50.114", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:28:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:28:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.50.114", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15144, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15143", + "ruleMessage": "User Logon", + "sourceIp": "52.167.50.114", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:28:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:28:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.50.114", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15143, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16921 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 00:28:34", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15134", + "ruleMessage": "User Logon", + "sourceIp": "52.167.50.114", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:27:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:27:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.50.114", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15134, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15135", + "ruleMessage": "User Logon", + "sourceIp": "52.167.50.114", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:27:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:27:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.50.114", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15135, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15136", + "ruleMessage": "User Logon", + "sourceIp": "52.167.50.114", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:27:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:27:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.50.114", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15136, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15137", + "ruleMessage": "User Logon", + "sourceIp": "52.167.50.114", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:27:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:27:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.50.114", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15137, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15130", + "ruleMessage": "User Logon", + "sourceIp": "52.167.50.114", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:27:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:27:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.50.114", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15130, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15131", + "ruleMessage": "User Logon", + "sourceIp": "52.167.50.114", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:27:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:27:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.50.114", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15131, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15132", + "ruleMessage": "User Logon", + "sourceIp": "52.167.50.114", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:27:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:27:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.50.114", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15132, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15133", + "ruleMessage": "User Logon", + "sourceIp": "52.167.50.114", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:27:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:27:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.50.114", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15133, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16920 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 00:27:04", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15125", + "ruleMessage": "User Logon", + "sourceIp": "52.167.50.114", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:26:17", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:26:17", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.50.114", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15125, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-24 00:27:08 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15126", + "ruleMessage": "User Logon", + "sourceIp": "52.167.50.114", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:26:17", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:26:17", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.50.114", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15126, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-24 00:27:09 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15123", + "ruleMessage": "User Logon", + "sourceIp": "52.167.50.114", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:25:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:25:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.50.114", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15123, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15119", + "ruleMessage": "User Logon", + "sourceIp": "52.251.95.26", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:24:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:24:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.95.26", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15119, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15118", + "ruleMessage": "User Logon", + "sourceIp": "52.251.95.26", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:24:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:24:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.95.26", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15118, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15116", + "ruleMessage": "User Logon", + "sourceIp": "52.251.95.26", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:24:48", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:24:48", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.95.26", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15116, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15115", + "ruleMessage": "User Logon", + "sourceIp": "52.251.95.26", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:24:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:24:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.95.26", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15115, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15114", + "ruleMessage": "User Logon", + "sourceIp": "52.251.95.26", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:24:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:24:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.95.26", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15114, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16919 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 00:25:04", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15109", + "ruleMessage": "User Logon", + "sourceIp": "52.251.95.26", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:23:42", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:23:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.95.26", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15109, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15110", + "ruleMessage": "User Logon", + "sourceIp": "52.251.95.26", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:23:42", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:23:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.95.26", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15110, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15111", + "ruleMessage": "User Logon", + "sourceIp": "52.251.95.26", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:23:42", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:23:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.95.26", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15111, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15112", + "ruleMessage": "User Logon", + "sourceIp": "52.251.95.26", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:23:42", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:23:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.95.26", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15112, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15113", + "ruleMessage": "User Logon", + "sourceIp": "52.251.95.26", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:23:42", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:23:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.95.26", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15113, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15106", + "ruleMessage": "User Logon", + "sourceIp": "52.251.95.26", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:23:41", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:23:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.95.26", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15106, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15107", + "ruleMessage": "User Logon", + "sourceIp": "52.251.95.26", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:23:41", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:23:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.95.26", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15107, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15108", + "ruleMessage": "User Logon", + "sourceIp": "52.251.95.26", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:23:41", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:23:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.95.26", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15108, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16918 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 00:22:03", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15098", + "ruleMessage": "User Logon", + "sourceIp": "52.179.254.137", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:21:41", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:21:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.254.137", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15098, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-24 00:23:16 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15097", + "ruleMessage": "User Logon", + "sourceIp": "52.179.254.137", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:21:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:21:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.254.137", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15097, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-24 00:23:17 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15095", + "ruleMessage": "User Logon", + "sourceIp": "52.179.254.137", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:21:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:21:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.254.137", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15095, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15094", + "ruleMessage": "User Logon", + "sourceIp": "52.179.254.137", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:21:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:21:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.254.137", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15094, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15092", + "ruleMessage": "User Logon", + "sourceIp": "52.251.95.26", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:21:34", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:21:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.251.95.26", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15092, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15093", + "ruleMessage": "User Logon", + "sourceIp": "52.179.254.137", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:21:34", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:21:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.254.137", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15093, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15091", + "ruleMessage": "User Logon", + "sourceIp": "52.179.254.137", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:21:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:21:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.254.137", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15091, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15088", + "ruleMessage": "User Logon", + "sourceIp": "52.179.254.137", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:21:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:21:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.254.137", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15088, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15086", + "ruleMessage": "User Logon", + "sourceIp": "40.75.4.234", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:20:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:20:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.4.234", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15086, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15085", + "ruleMessage": "User Logon", + "sourceIp": "40.75.4.234", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:20:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:20:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.4.234", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15085, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16917 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 00:20:03", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15050", + "ruleMessage": "User Logon", + "sourceIp": "52.179.254.137", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:19:02", + "eventSubType": "success", + 
"protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:19:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.254.137", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15050, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-24 00:19:45 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15051", + "ruleMessage": "User Logon", + "sourceIp": "40.75.4.234", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:19:02", + 
"eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:19:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.4.234", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15051, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-24 00:19:46 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15048", + "ruleMessage": "User Logon", + "sourceIp": "52.179.254.137", + "destIp": "22.22.24.6", + 
"lastTime": "09/24/2020 00:18:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:18:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.254.137", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15048, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15049", + "ruleMessage": "User Logon", + "sourceIp": "52.179.254.137", + "destIp": "22.22.24.6", + 
"lastTime": "09/24/2020 00:18:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:18:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.254.137", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15049, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15047", + "ruleMessage": "User Logon", + "sourceIp": "40.75.4.234", + "destIp": "22.22.24.6", + 
"lastTime": "09/24/2020 00:18:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:18:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.4.234", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15047, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + 
"timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16916 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/24/2020 00:18:33", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15040", + "ruleMessage": "User Logon", + "sourceIp": "40.75.4.234", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:17:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:17:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.4.234", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15040, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-24 00:18:56 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15039", + "ruleMessage": "User Logon", + "sourceIp": "40.75.4.234", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:17:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:17:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.4.234", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging 
in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15039, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-24 00:18:57 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15037", + "ruleMessage": "User Logon", + "sourceIp": "40.75.4.234", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:17:41", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:17:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.4.234", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates 
events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15037, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15038", + "ruleMessage": "User Logon", + "sourceIp": "40.75.4.234", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:17:41", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:17:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.4.234", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates 
events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15038, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15036", + "ruleMessage": "User Logon", + "sourceIp": "40.75.4.234", + "destIp": "22.22.24.6", + "lastTime": "09/24/2020 00:16:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/24/2020 00:16:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.4.234", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates 
events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15036, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16915 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/23/2020 23:02:00", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15031", + "ruleMessage": "User Logon", + "sourceIp": "52.254.13.127", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 23:00:51", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 23:00:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.13.127", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15031, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15030", + "ruleMessage": "User Logon", + "sourceIp": "52.254.13.127", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 23:00:50", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 23:00:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.13.127", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15030, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15028", + "ruleMessage": "User Logon", + "sourceIp": "52.254.13.127", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 23:00:48", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 23:00:48", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.13.127", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15028, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15027", + "ruleMessage": "User Logon", + "sourceIp": "52.254.13.127", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 23:00:47", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 23:00:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.13.127", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15027, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15026", + "ruleMessage": "User Logon", + "sourceIp": "52.254.13.127", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 23:00:46", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 23:00:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.13.127", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15026, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16914 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/23/2020 23:00:30", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15017", + "ruleMessage": "User Logon", + "sourceIp": "52.254.13.127", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:59:34", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:59:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.13.127", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15017, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16913 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/23/2020 22:59:00", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15011", + "ruleMessage": "User Logon", + "sourceIp": "52.254.13.127", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:58:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:58:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.254.13.127", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15011, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-23 22:59:30 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16912 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/23/2020 22:38:29", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15006", + "ruleMessage": "User Logon", + "sourceIp": "52.179.192.195", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:37:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:37:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.192.195", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15006, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15005", + "ruleMessage": "User Logon", + "sourceIp": "52.179.192.195", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:37:26", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:37:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.192.195", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15005, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15003", + "ruleMessage": "User Logon", + "sourceIp": "52.179.192.195", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:37:23", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:37:23", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.192.195", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15003, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|15002", + "ruleMessage": "User Logon", + "sourceIp": "52.179.192.195", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:37:22", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:37:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.192.195", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 15002, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16911 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/23/2020 22:36:59", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14994", + "ruleMessage": "User Logon", + "sourceIp": "52.179.192.195", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:36:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:36:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.192.195", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14994, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14995", + "ruleMessage": "User Logon", + "sourceIp": "52.179.192.195", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:36:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:36:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.192.195", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14995, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14996", + "ruleMessage": "User Logon", + "sourceIp": "52.179.192.195", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:36:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:36:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.192.195", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14996, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14997", + "ruleMessage": "User Logon", + "sourceIp": "52.179.192.195", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:36:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:36:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.192.195", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14997, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14998", + "ruleMessage": "User Logon", + "sourceIp": "52.179.192.195", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:36:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:36:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.192.195", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14998, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14999", + "ruleMessage": "User Logon", + "sourceIp": "52.179.192.195", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:36:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:36:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.192.195", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14999, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16910 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/23/2020 22:35:29", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14987", + "ruleMessage": "User Logon", + "sourceIp": "52.179.192.195", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:34:33", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:34:33", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.179.192.195", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14987, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14986", + "ruleMessage": "User Logon", + "sourceIp": "52.242.83.136", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:34:31", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:34:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.242.83.136", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14986, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14985", + "ruleMessage": "User Logon", + "sourceIp": "52.242.83.136", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:34:30", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:34:30", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.242.83.136", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14985, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14983", + "ruleMessage": "User Logon", + "sourceIp": "52.242.83.136", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:34:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:34:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.242.83.136", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14983, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14982", + "ruleMessage": "User Logon", + "sourceIp": "52.242.83.136", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:34:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:34:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.242.83.136", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14982, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14981", + "ruleMessage": "User Logon", + "sourceIp": "52.242.83.136", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:34:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:34:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.242.83.136", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14981, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14980", + "ruleMessage": "User Logon", + "sourceIp": "52.242.83.136", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:34:18", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:34:18", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.242.83.136", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14980, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16909 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/23/2020 22:33:59", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14963", + "ruleMessage": "User Logon", + "sourceIp": "52.242.83.136", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:33:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:33:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.242.83.136", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14963, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16908 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/23/2020 22:32:28", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14958", + "ruleMessage": "User Logon", + "sourceIp": "52.242.83.136", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:32:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:32:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.242.83.136", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14958, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-23 22:32:48 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14957", + "ruleMessage": "User Logon", + "sourceIp": "52.242.83.136", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:31:57", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:31:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.242.83.136", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14957, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-23 22:32:49 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14955", + "ruleMessage": "User Logon", + "sourceIp": "52.242.83.136", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:31:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:31:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.242.83.136", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14955, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14956", + "ruleMessage": "User Logon", + "sourceIp": "52.242.83.136", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:31:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:31:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.242.83.136", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14956, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14954", + "ruleMessage": "User Logon", + "sourceIp": "52.242.83.136", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 22:31:13", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 22:31:13", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.242.83.136", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14954, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16907 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/23/2020 02:10:06", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14951", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 02:09:17", + "eventSubType": "success", + 
"protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 02:09:17", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14951, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + 
"alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16906 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/23/2020 02:08:36", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14949", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 02:08:17", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 02:08:17", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14949, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14948", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 02:08:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 02:08:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14948, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16905 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/23/2020 02:06:36", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14946", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/23/2020 02:05:40", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/23/2020 02:05:40", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14946, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16904 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 21:48:26", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14944", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 21:47:20", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 21:47:20", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14944, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16903 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 21:31:25", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14939", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 21:30:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 21:30:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14939, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14938", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 21:30:04", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 21:30:04", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14938, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14936", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 21:30:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 21:30:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14936, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14935", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 21:30:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 21:30:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14935, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14934", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 21:29:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 21:29:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14934, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16902 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 21:27:55", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14932", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 21:27:19", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 21:27:19", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14932, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-22 17:28:49 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16901 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 20:55:54", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14927", + "ruleMessage": "User Logon", + "sourceIp": "20.186.183.84", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 20:54:30", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 20:54:30", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.186.183.84", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14927, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14926", + "ruleMessage": "User Logon", + "sourceIp": "20.186.183.84", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 20:54:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 20:54:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.186.183.84", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14926, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14924", + "ruleMessage": "User Logon", + "sourceIp": "20.186.183.84", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 20:54:26", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 20:54:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.186.183.84", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14924, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14923", + "ruleMessage": "User Logon", + "sourceIp": "20.186.183.84", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 20:54:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 20:54:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.186.183.84", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14923, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14922", + "ruleMessage": "User Logon", + "sourceIp": "20.186.183.84", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 20:54:24", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 20:54:24", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.186.183.84", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14922, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16900 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 20:52:24", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14920", + "ruleMessage": "User Logon", + "sourceIp": "20.186.183.84", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 20:52:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 20:52:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.186.183.84", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14920, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-22 20:53:10 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16899 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 20:44:23", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14915", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 20:43:09", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 20:43:09", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14915, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14914", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 20:43:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 20:43:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14914, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14912", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 20:42:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 20:42:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14912, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14911", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 20:42:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 20:42:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14911, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14910", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 20:42:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 20:42:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14910, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16898 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 20:41:53", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14908", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 20:40:33", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 20:40:33", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14908, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16897 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 20:24:52", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14903", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 20:23:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 20:23:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14903, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16896 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 20:16:52", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14900", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 20:15:23", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 20:15:23", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14900, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16895 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 19:59:21", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14897", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 19:58:23", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 19:58:23", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14897, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14896", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 19:58:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 19:58:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14896, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14894", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 19:58:18", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 19:58:18", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14894, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14893", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 19:58:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 19:58:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14893, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14892", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 19:58:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 19:58:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14892, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16894 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 19:57:21", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14890", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 19:56:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 19:56:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14890, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-22 15:57:17 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16893 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 19:53:21", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14888", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 19:52:38", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 19:52:38", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14888, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-22 15:57:18 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16892 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 19:52:21", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14886", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 19:51:05", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 19:51:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14886, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16891 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 19:48:21", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14884", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 19:47:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 19:47:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14884, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16890 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 19:38:51", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14882", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 19:37:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 19:37:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14882, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16889 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 19:36:51", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14879", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 19:35:57", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 19:35:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14879, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16888 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 19:35:50", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14878", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 19:34:33", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 19:34:33", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14878, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16887 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 19:33:50", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14876", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 19:32:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 19:32:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14876, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16886 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 19:31:50", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14874", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 19:31:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 19:31:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14874, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16885 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 19:20:50", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14872", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 19:19:17", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 19:19:17", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14872, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16884 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 19:05:49", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14870", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 19:04:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 19:04:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "MacIntel", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14870, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "8074999591345936839", + "formatedValue": "MacIntel" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16883 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 18:58:19", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14867", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 18:57:34", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + 
"id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 18:57:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14867, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16882 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 17:56:17", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14865", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 17:55:14", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 17:55:14", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14865, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16881 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 17:50:16", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14863", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 17:48:52", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 17:48:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14863, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16880 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 17:47:16", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14860", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 17:46:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 17:46:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14860, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16879 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 17:27:16", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14858", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 17:26:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 17:26:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14858, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16878 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 17:25:16", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14856", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 17:24:10", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 17:24:10", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14856, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16877 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 16:35:14", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14854", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 16:34:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 16:34:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14854, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16876 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 16:32:44", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14852", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 16:32:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 16:32:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14852, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16875 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 16:18:13", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14841", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 16:17:44", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 16:17:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14841, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16874 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 16:17:13", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14839", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 16:15:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 16:15:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14839, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-22 12:17:10 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16873 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 16:07:13", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14837", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 16:06:34", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 16:06:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14837, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16872 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 15:59:12", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14835", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 15:58:17", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 15:58:17", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14835, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16871 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 15:47:12", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14833", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 15:45:44", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 15:45:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14833, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16870 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 15:39:12", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14831", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 15:38:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 15:38:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14831, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16869 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 15:38:12", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14829", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 15:37:08", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 15:37:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "MacIntel", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14829, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "8074999591345936839", + "formatedValue": "MacIntel" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16868 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 14:54:40", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14827", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 14:54:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 14:54:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14827, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14826", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 14:54:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 14:54:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14826, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16867 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 14:52:40", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14823", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 14:52:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 14:52:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14823, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16866 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 14:49:40", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14821", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 14:48:38", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 14:48:38", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14821, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14820", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 14:48:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 14:48:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14820, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16865 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 14:46:40", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14818", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 14:45:31", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 14:45:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14818, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16864 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 14:14:38", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14815", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 14:13:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 14:13:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14815, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16863 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 14:06:08", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14813", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 14:05:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 14:05:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14813, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16862 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 14:03:08", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14811", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 14:02:26", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 14:02:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14811, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14810", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 14:02:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 14:02:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14810, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16861 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 13:54:08", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14808", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 13:52:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 13:52:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14808, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14807", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 13:52:38", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 13:52:38", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14807, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14806", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 13:52:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 13:52:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14806, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16860 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 13:22:36", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14800", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 13:22:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 13:22:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14800, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14799", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 13:22:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 13:22:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14799, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14798", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 13:22:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 13:22:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14798, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14796", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 13:21:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 13:21:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14796, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14797", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 13:21:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 13:21:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14797, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14792", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 13:21:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 13:21:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14792, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14793", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 13:21:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 13:21:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14793, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14794", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 13:21:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 13:21:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14794, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14795", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 13:21:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 13:21:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14795, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14791", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 13:20:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 13:20:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14791, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16859 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 13:20:06", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14786", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 13:19:19", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 13:19:19", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14786, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-22 09:20:54 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16858 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 12:57:36", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14780", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 12:57:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 12:57:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14780, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14779", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 12:57:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 12:57:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14779, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14778", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 12:57:14", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 12:57:14", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14778, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16857 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 12:55:35", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14776", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 12:54:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 12:54:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14776, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-22 08:56:14 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16856 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 12:53:35", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14774", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 12:52:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 12:52:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14774, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-22 08:56:15 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16855 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 12:39:35", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14752", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 12:38:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 12:38:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14752, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14751", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 12:38:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 12:38:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14751, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16854 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 03:51:14", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14748", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 03:50:31", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 03:50:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14748, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14747", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 03:50:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 03:50:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14747, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14746", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 03:50:23", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 03:50:23", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14746, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16853 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 03:43:44", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14743", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 03:42:52", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 03:42:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14743, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16852 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/22/2020 03:36:44", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14741", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/22/2020 03:35:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/22/2020 03:35:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14741, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16851 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/21/2020 21:27:30", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14739", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/21/2020 21:26:38", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/21/2020 21:26:38", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14739, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16850 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/21/2020 21:09:30", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14737", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/21/2020 21:08:40", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/21/2020 21:08:40", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14737, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14736", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/21/2020 21:08:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/21/2020 21:08:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14736, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16849 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/21/2020 21:07:30", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14734", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/21/2020 21:05:48", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/21/2020 21:05:48", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14734, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16848 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/21/2020 21:04:00", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14728", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/21/2020 21:03:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/21/2020 21:03:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14728, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14727", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/21/2020 21:03:23", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/21/2020 21:03:23", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14727, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14726", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/21/2020 21:03:14", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/21/2020 21:03:14", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14726, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14725", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/21/2020 21:03:08", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/21/2020 21:03:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14725, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14724", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/21/2020 21:03:05", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/21/2020 21:03:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14724, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16847 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/21/2020 21:01:59", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14722", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/21/2020 21:00:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/21/2020 21:00:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14722, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14721", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/21/2020 21:00:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/21/2020 21:00:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14721, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14720", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/21/2020 21:00:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/21/2020 21:00:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14720, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16846 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/21/2020 20:56:29", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14718", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/21/2020 20:56:04", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/21/2020 20:56:04", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14718, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16845 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 22:41:10", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14716", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 22:40:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 22:40:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "MacIntel", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14716, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "8074999591345936839", + "formatedValue": "MacIntel" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16844 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 18:56:31", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14712", + "ruleMessage": "User Logon", + "sourceIp": "40.70.1.201", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:55:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:55:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.1.201", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14712, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14711", + "ruleMessage": "User Logon", + "sourceIp": "40.70.1.201", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:55:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:55:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.1.201", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14711, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14709", + "ruleMessage": "User Logon", + "sourceIp": "40.70.1.201", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:55:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:55:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.1.201", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14709, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14708", + "ruleMessage": "User Logon", + "sourceIp": "40.70.1.201", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:55:41", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:55:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.1.201", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14708, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14707", + "ruleMessage": "User Logon", + "sourceIp": "40.70.1.201", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:55:40", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:55:40", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.1.201", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14707, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16843 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 18:55:01", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14700", + "ruleMessage": "User Logon", + "sourceIp": "40.70.1.201", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:54:24", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:54:24", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.1.201", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14700, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14699", + "ruleMessage": "User Logon", + "sourceIp": "40.70.1.201", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:53:40", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:53:40", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.1.201", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14699, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14698", + "ruleMessage": "User Logon", + "sourceIp": "40.70.1.201", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:53:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:53:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.1.201", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14698, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16842 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 18:52:31", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14685", + "ruleMessage": "User Logon", + "sourceIp": "52.138.80.244", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:51:44", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:51:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.138.80.244", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14685, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14684", + "ruleMessage": "User Logon", + "sourceIp": "52.138.80.244", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:51:40", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:51:40", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.138.80.244", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14684, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14677", + "ruleMessage": "User Logon", + "sourceIp": "52.138.80.244", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:51:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:51:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.138.80.244", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14677, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14678", + "ruleMessage": "User Logon", + "sourceIp": "52.138.80.244", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:51:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:51:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.138.80.244", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14678, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14679", + "ruleMessage": "User Logon", + "sourceIp": "52.138.80.244", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:51:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:51:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.138.80.244", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14679, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14680", + "ruleMessage": "User Logon", + "sourceIp": "52.138.80.244", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:51:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:51:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.138.80.244", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14680, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14681", + "ruleMessage": "User Logon", + "sourceIp": "52.138.80.244", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:51:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:51:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.138.80.244", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14681, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14682", + "ruleMessage": "User Logon", + "sourceIp": "52.138.80.244", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:51:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:51:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.138.80.244", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14682, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14683", + "ruleMessage": "User Logon", + "sourceIp": "52.138.80.244", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:51:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:51:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.138.80.244", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14683, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14676", + "ruleMessage": "User Logon", + "sourceIp": "52.138.80.244", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:51:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:51:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.138.80.244", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14676, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16841 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 18:51:01", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14669", + "ruleMessage": "User Logon", + "sourceIp": "52.138.80.244", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:49:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:49:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.138.80.244", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14669, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-20 18:50:55 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16840 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 18:20:00", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14667", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 18:18:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 18:18:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14667, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16839 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 17:57:59", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14665", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 17:57:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 17:57:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14665, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16838 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 17:31:28", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14661", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 17:30:05", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 17:30:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14661, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16837 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 17:19:28", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14659", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 17:18:17", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 17:18:17", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14659, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16836 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 16:56:27", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14657", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 16:55:20", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 16:55:20", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14657, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16835 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 16:18:25", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14655", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 16:16:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 16:16:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14655, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16834 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 16:12:25", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14653", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 16:11:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 16:11:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "MacIntel", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14653, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "8074999591345936839", + "formatedValue": "MacIntel" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16833 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 16:09:25", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14651", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 16:08:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + 
"id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 16:08:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "MacIntel", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14651, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "8074999591345936839", + "formatedValue": "MacIntel" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 
1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16832 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 15:27:24", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14649", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 15:25:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 15:25:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14649, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16831 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 15:24:53", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14647", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 15:23:41", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 15:23:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "MacIntel", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14647, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "8074999591345936839", + "formatedValue": "MacIntel" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16830 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 01:06:21", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14637", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:05:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:05:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14637, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14638", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:05:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:05:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14638, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14633", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:05:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:05:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14633, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14634", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:05:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:05:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14634, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14635", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:05:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:05:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14635, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14636", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:05:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:05:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14636, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14632", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:05:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:05:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14632, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16829 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 01:04:51", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14629", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:04:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:04:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14629, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-20 01:05:05 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14627", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:04:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:04:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14627, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14628", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:04:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:04:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14628, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-20 01:05:06 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16828 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 01:03:51", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14625", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.21", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:03:18", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:03:18", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14625, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14623", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:02:18", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:02:18", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14623, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14622", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:02:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:02:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14622, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14620", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:02:14", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:02:14", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14620, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14619", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:02:13", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:02:13", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14619, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14618", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:02:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:02:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14618, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16827 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 01:01:51", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14578", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:00:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:00:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14578, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14579", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:00:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:00:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14579, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14580", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:00:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:00:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14580, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14581", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:00:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:00:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14581, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14582", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:00:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:00:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14582, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14577", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 01:00:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 01:00:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14577, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14576", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:59:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:59:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14576, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14575", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:59:52", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:59:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14575, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14574", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:59:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:59:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14574, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16826 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 00:58:51", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14572", + "ruleMessage": "User Logon", + "sourceIp": "143.55.64.22", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:58:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:58:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "143.55.64.22", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14572, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-20 00:59:48 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16825 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 00:56:20", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14563", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:55:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:55:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14563, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14561", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:55:29", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:55:29", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14561, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14562", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:55:29", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:55:29", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14562, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14559", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:55:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:55:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14559, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14560", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:55:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:55:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14560, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14555", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:55:22", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:55:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14555, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14556", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:55:22", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:55:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14556, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14557", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:55:22", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:55:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14557, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14558", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:55:22", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:55:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14558, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14553", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:54:22", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:54:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14553, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16824 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 00:54:50", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14549", + "ruleMessage": "User Logon", + "sourceIp": "199.7.166.17", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:53:09", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:53:09", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "199.7.166.17", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14549, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-20 00:55:02 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16823 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 00:50:50", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14540", + "ruleMessage": "User Logon", + "sourceIp": "52.252.117.169", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:50:08", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:50:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.252.117.169", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14540, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14539", + "ruleMessage": "User Logon", + "sourceIp": "52.252.117.169", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:50:05", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:50:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.252.117.169", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14539, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14538", + "ruleMessage": "User Logon", + "sourceIp": "52.252.117.169", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:50:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:50:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.252.117.169", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14538, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14537", + "ruleMessage": "User Logon", + "sourceIp": "52.252.117.169", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:50:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:50:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.252.117.169", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14537, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14534", + "ruleMessage": "User Logon", + "sourceIp": "52.252.117.169", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:49:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:49:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.252.117.169", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14534, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14535", + "ruleMessage": "User Logon", + "sourceIp": "52.252.117.169", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:49:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:49:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.252.117.169", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14535, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14536", + "ruleMessage": "User Logon", + "sourceIp": "52.252.117.169", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:49:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:49:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.252.117.169", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14536, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14533", + "ruleMessage": "User Logon", + "sourceIp": "52.252.117.169", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:49:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:49:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.252.117.169", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14533, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14532", + "ruleMessage": "User Logon", + "sourceIp": "52.252.117.169", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:49:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:49:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.252.117.169", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14532, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14530", + "ruleMessage": "User Logon", + "sourceIp": "52.252.117.169", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:49:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:49:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.252.117.169", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14530, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16822 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 00:47:50", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14517", + "ruleMessage": "User Logon", + "sourceIp": "20.186.37.11", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:47:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:47:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.186.37.11", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14517, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14516", + "ruleMessage": "User Logon", + "sourceIp": "20.186.37.11", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:47:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:47:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.186.37.11", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14516, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14514", + "ruleMessage": "User Logon", + "sourceIp": "20.186.37.11", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:47:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:47:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.186.37.11", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14514, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14513", + "ruleMessage": "User Logon", + "sourceIp": "20.186.37.11", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:46:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:46:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.186.37.11", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14513, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14512", + "ruleMessage": "User Logon", + "sourceIp": "20.186.37.11", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:46:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:46:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.186.37.11", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14512, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14509", + "ruleMessage": "User Logon", + "sourceIp": "20.186.37.11", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:46:17", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:46:17", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.186.37.11", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14509, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14510", + "ruleMessage": "User Logon", + "sourceIp": "20.186.37.11", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:46:17", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:46:17", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.186.37.11", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14510, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14507", + "ruleMessage": "User Logon", + "sourceIp": "20.186.37.11", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:46:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:46:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.186.37.11", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14507, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14508", + "ruleMessage": "User Logon", + "sourceIp": "20.186.37.11", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:46:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:46:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.186.37.11", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14508, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16821 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 00:46:20", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14497", + "ruleMessage": "User Logon", + "sourceIp": "20.186.37.11", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:45:13", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:45:13", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.186.37.11", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14497, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16820 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 00:44:50", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14493", + "ruleMessage": "User Logon", + "sourceIp": "104.209.168.40", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:43:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:43:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.209.168.40", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14493, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-20 00:45:50 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14492", + "ruleMessage": "User Logon", + "sourceIp": "104.209.168.40", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:43:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:43:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.209.168.40", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14492, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14490", + "ruleMessage": "User Logon", + "sourceIp": "104.209.168.40", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:43:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:43:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.209.168.40", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14490, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14489", + "ruleMessage": "User Logon", + "sourceIp": "104.209.168.40", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:43:41", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:43:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.209.168.40", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14489, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14488", + "ruleMessage": "User Logon", + "sourceIp": "104.209.168.40", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:43:40", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:43:40", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.209.168.40", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14488, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16819 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 00:43:20", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14476", + "ruleMessage": "User Logon", + "sourceIp": "104.209.168.40", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:42:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + 
"subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:42:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.209.168.40", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14476, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14475", + "ruleMessage": "User Logon", + "sourceIp": "104.209.168.40", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:42:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + 
"subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:42:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.209.168.40", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14475, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16818 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 00:41:50", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14471", + "ruleMessage": "User Logon", + "sourceIp": "104.209.168.40", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:41:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:41:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "104.209.168.40", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14471, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-20 00:42:27 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16817 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 00:40:49", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14468", + "ruleMessage": "User Logon", + "sourceIp": "52.242.92.203", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:39:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:39:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.242.92.203", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14468, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14467", + "ruleMessage": "User Logon", + "sourceIp": "52.242.92.203", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:39:44", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:39:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.242.92.203", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14467, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14465", + "ruleMessage": "User Logon", + "sourceIp": "52.242.92.203", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:39:41", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:39:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.242.92.203", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14465, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14464", + "ruleMessage": "User Logon", + "sourceIp": "52.242.92.203", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:39:40", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:39:40", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.242.92.203", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14464, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14463", + "ruleMessage": "User Logon", + "sourceIp": "52.242.92.203", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:39:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:39:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.242.92.203", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14463, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16816 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 00:39:19", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14453", + "ruleMessage": "User Logon", + "sourceIp": "52.242.92.203", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:38:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:38:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.242.92.203", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14453, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16815 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 00:37:49", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14450", + "ruleMessage": "User Logon", + "sourceIp": "52.242.92.203", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:37:05", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:37:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.242.92.203", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14450, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-20 00:38:28 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16814 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 00:35:19", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14438", + "ruleMessage": "User Logon", + "sourceIp": "40.75.75.236", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:34:31", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:34:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.75.236", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14438, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14437", + "ruleMessage": "User Logon", + "sourceIp": "40.75.75.236", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:34:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:34:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.75.236", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14437, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16813 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 00:33:49", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14431", + "ruleMessage": "User Logon", + "sourceIp": "40.75.75.236", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:33:22", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:33:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.75.236", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14431, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-20 00:34:01 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14430", + "ruleMessage": "User Logon", + "sourceIp": "40.75.75.236", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:33:17", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:33:17", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.75.236", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14430, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-20 00:34:01 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14429", + "ruleMessage": "User Logon", + "sourceIp": "40.75.75.236", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:33:13", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:33:13", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.75.236", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14429, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14428", + "ruleMessage": "User Logon", + "sourceIp": "40.75.75.236", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:32:22", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:32:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.75.236", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14428, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16812 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 00:30:19", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14414", + "ruleMessage": "User Logon", + "sourceIp": "40.75.17.54", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:29:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:29:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.17.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14414, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14415", + "ruleMessage": "User Logon", + "sourceIp": "40.75.17.54", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:29:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:29:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.17.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14415, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14416", + "ruleMessage": "User Logon", + "sourceIp": "40.75.17.54", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:29:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:29:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.17.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14416, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14411", + "ruleMessage": "User Logon", + "sourceIp": "40.75.17.54", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:29:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:29:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.17.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14411, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14412", + "ruleMessage": "User Logon", + "sourceIp": "40.75.17.54", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:29:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:29:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.17.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14412, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14413", + "ruleMessage": "User Logon", + "sourceIp": "40.75.17.54", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:29:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:29:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.17.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14413, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14410", + "ruleMessage": "User Logon", + "sourceIp": "40.75.17.54", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:29:30", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:29:30", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.17.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14410, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14409", + "ruleMessage": "User Logon", + "sourceIp": "40.75.17.54", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:29:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:29:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.17.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14409, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14408", + "ruleMessage": "User Logon", + "sourceIp": "40.75.17.54", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:29:22", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:29:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.17.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14408, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14407", + "ruleMessage": "User Logon", + "sourceIp": "40.75.17.54", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:29:17", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:29:17", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.17.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14407, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16811 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/20/2020 00:28:49", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14398", + "ruleMessage": "User Logon", + "sourceIp": "40.75.17.54", + "destIp": "22.22.24.6", + "lastTime": "09/20/2020 00:27:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/20/2020 00:27:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.75.17.54", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14398, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-20 00:29:09 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16810 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/19/2020 17:47:35", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14396", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/19/2020 17:47:08", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/19/2020 17:47:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14396, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16809 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/19/2020 13:53:26", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14394", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/19/2020 13:52:52", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/19/2020 13:52:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14394, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16808 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/19/2020 13:47:26", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14392", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/19/2020 13:46:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/19/2020 13:46:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14392, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16807 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/19/2020 13:45:26", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14390", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/19/2020 13:44:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/19/2020 13:44:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14390, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16806 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/19/2020 13:26:25", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14388", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/19/2020 13:25:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/19/2020 13:25:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14388, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16805 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/19/2020 13:11:25", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14386", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/19/2020 13:10:13", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/19/2020 13:10:13", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14386, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16804 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/19/2020 13:09:24", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14384", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/19/2020 13:08:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/19/2020 13:08:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14384, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16803 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/19/2020 13:06:54", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14382", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/19/2020 13:06:10", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/19/2020 13:06:10", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "MacIntel", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14382, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "8074999591345936839", + "formatedValue": "MacIntel" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16802 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 23:08:53", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14379", + "ruleMessage": "User Logon", + "sourceIp": "20.44.110.216", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 23:07:52", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 23:07:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.110.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14379, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14378", + "ruleMessage": "User Logon", + "sourceIp": "20.44.110.216", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 23:07:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 23:07:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.110.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14378, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14376", + "ruleMessage": "User Logon", + "sourceIp": "20.44.110.216", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 23:07:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 23:07:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.110.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14376, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14375", + "ruleMessage": "User Logon", + "sourceIp": "20.44.110.216", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 23:07:48", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 23:07:48", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.110.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14375, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14374", + "ruleMessage": "User Logon", + "sourceIp": "20.44.110.216", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 23:07:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 23:07:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.110.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14374, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16801 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 23:07:23", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14371", + "ruleMessage": "User Logon", + "sourceIp": "20.44.110.216", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 23:06:09", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 23:06:09", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.110.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14371, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14370", + "ruleMessage": "User Logon", + "sourceIp": "20.44.110.216", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 23:06:08", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 23:06:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.110.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14370, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16800 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 23:06:23", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14367", + "ruleMessage": "User Logon", + "sourceIp": "20.44.110.216", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 23:05:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 23:05:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.110.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14367, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 23:06:48 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16799 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 22:55:52", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14364", + "ruleMessage": "User Logon", + "sourceIp": "52.138.103.227", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:54:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:54:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.138.103.227", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14364, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14363", + "ruleMessage": "User Logon", + "sourceIp": "52.138.103.227", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:54:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:54:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.138.103.227", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14363, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14361", + "ruleMessage": "User Logon", + "sourceIp": "52.138.103.227", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:54:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:54:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.138.103.227", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14361, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14360", + "ruleMessage": "User Logon", + "sourceIp": "52.138.103.227", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:54:31", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:54:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.138.103.227", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14360, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14359", + "ruleMessage": "User Logon", + "sourceIp": "52.138.103.227", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:54:30", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:54:30", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.138.103.227", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14359, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16798 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 22:53:22", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14357", + "ruleMessage": "User Logon", + "sourceIp": "52.138.103.227", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:52:57", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:52:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.138.103.227", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14357, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 22:53:32 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14355", + "ruleMessage": "User Logon", + "sourceIp": "52.138.103.227", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:52:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:52:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.138.103.227", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14355, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 22:53:33 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14354", + "ruleMessage": "User Logon", + "sourceIp": "52.147.166.223", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:52:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:52:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.166.223", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14354, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14353", + "ruleMessage": "User Logon", + "sourceIp": "52.147.166.223", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:52:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:52:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.166.223", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14353, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14351", + "ruleMessage": "User Logon", + "sourceIp": "52.147.166.223", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:52:44", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:52:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.166.223", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14351, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14350", + "ruleMessage": "User Logon", + "sourceIp": "52.147.166.223", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:52:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:52:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.166.223", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14350, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14349", + "ruleMessage": "User Logon", + "sourceIp": "52.147.166.223", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:52:41", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:52:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.166.223", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14349, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14348", + "ruleMessage": "User Logon", + "sourceIp": "52.138.103.227", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:52:05", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:52:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.138.103.227", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14348, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16797 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 22:51:22", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14346", + "ruleMessage": "User Logon", + "sourceIp": "52.147.166.223", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:50:27", + "eventSubType": "success", + 
"protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:50:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.147.166.223", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14346, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 22:51:41 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + 
"alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16796 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 22:40:52", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14343", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:39:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:39:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14343, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14342", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:39:31", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:39:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14342, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14340", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:39:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:39:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14340, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14339", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:39:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:39:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14339, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14338", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:39:26", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:39:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14338, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16795 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 22:38:52", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14335", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:38:10", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:38:10", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14335, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16794 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 22:37:51", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14334", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:37:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:37:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14334, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 18:38:23 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16793 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 22:31:21", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14332", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:30:05", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:30:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "MacIntel", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14332, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "8074999591345936839", + "formatedValue": "MacIntel" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 18:38:25 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16792 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 22:25:21", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14330", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:24:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:24:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14330, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 18:25:56 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14329", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:24:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:24:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14329, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16791 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 22:22:21", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14327", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:21:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + 
"subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:21:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14327, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16790 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 22:01:20", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14325", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 22:00:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 22:00:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14325, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16789 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 21:58:20", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14323", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 21:56:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 21:56:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14323, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16788 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 21:56:20", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14321", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 21:55:27", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 21:55:27", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14321, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16787 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 21:52:50", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14319", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 21:51:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 21:51:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14319, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16786 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 21:39:49", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14317", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 21:39:08", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 21:39:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14317, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16785 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 21:14:49", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14315", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 21:13:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 21:13:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14315, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16784 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 21:10:48", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14313", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 21:10:10", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 21:10:10", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14313, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16783 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 21:06:48", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14311", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 21:05:30", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 21:05:30", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14311, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16782 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 20:59:48", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14309", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 20:58:52", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 20:58:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "MacIntel", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14309, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "8074999591345936839", + "formatedValue": "MacIntel" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16781 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 20:57:48", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14307", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 20:56:24", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + 
"id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 20:56:24", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "MacIntel", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14307, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "8074999591345936839", + "formatedValue": "MacIntel" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 
1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16780 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 13:44:02", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14297", + "ruleMessage": "User Logon", + "sourceIp": "52.252.97.197", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:43:20", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:43:20", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.252.97.197", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14297, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14296", + "ruleMessage": "User Logon", + "sourceIp": "52.252.97.197", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:43:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:43:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.252.97.197", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14296, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16779 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 13:43:02", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14295", + "ruleMessage": "User Logon", + "sourceIp": "52.252.97.197", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:42:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:42:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.252.97.197", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14295, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 13:43:07 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16778 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 13:38:32", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14282", + "ruleMessage": "User Logon", + "sourceIp": "52.247.56.148", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:37:37", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:37:37", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.247.56.148", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14282, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14281", + "ruleMessage": "User Logon", + "sourceIp": "52.247.56.148", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:37:33", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:37:33", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.247.56.148", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14281, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14280", + "ruleMessage": "User Logon", + "sourceIp": "52.247.56.148", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:37:26", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:37:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.247.56.148", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14280, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16777 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 13:37:02", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14278", + "ruleMessage": "User Logon", + "sourceIp": "52.247.56.148", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:36:24", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:36:24", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.247.56.148", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14278, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 13:37:29 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16776 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 13:33:01", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14275", + "ruleMessage": "User Logon", + "sourceIp": "52.184.150.39", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:32:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:32:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.184.150.39", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14275, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14274", + "ruleMessage": "User Logon", + "sourceIp": "52.184.150.39", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:32:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:32:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.184.150.39", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14274, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14272", + "ruleMessage": "User Logon", + "sourceIp": "52.184.150.39", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:32:00", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:32:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.184.150.39", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14272, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14271", + "ruleMessage": "User Logon", + "sourceIp": "52.184.150.39", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:31:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:31:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.184.150.39", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14271, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14270", + "ruleMessage": "User Logon", + "sourceIp": "52.184.150.39", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:31:57", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:31:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.184.150.39", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14270, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14269", + "ruleMessage": "User Logon", + "sourceIp": "52.184.150.39", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:31:48", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:31:48", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.184.150.39", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14269, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14267", + "ruleMessage": "User Logon", + "sourceIp": "52.184.150.39", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:31:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:31:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.184.150.39", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14267, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14266", + "ruleMessage": "User Logon", + "sourceIp": "52.184.150.39", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:31:10", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:31:10", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.184.150.39", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14266, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16775 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 13:31:31", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14265", + "ruleMessage": "User Logon", + "sourceIp": "52.184.150.39", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:30:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:30:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.184.150.39", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14265, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16774 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 13:27:01", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14254", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:26:17", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:26:17", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14254, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14253", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:26:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:26:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14253, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16773 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 13:24:31", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14248", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:24:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:24:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14248, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14247", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:23:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:23:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14247, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14246", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:23:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:23:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14246, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14245", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:23:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:23:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14245, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14243", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:23:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:23:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14243, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14242", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:23:33", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:23:33", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14242, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16772 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 13:23:31", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14240", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 13:22:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 13:22:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14240, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 09:23:30 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16771 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 12:53:00", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14238", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 12:52:34", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 12:52:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14238, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16770 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 12:51:00", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14236", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 12:50:22", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 12:50:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14236, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16769 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 12:49:00", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14234", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 12:48:04", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 12:48:04", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14234, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16768 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 12:30:59", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14232", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 12:29:41", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 12:29:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14232, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16767 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 12:27:59", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14230", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 12:27:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 12:27:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14230, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16766 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 12:25:29", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14226", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 12:25:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 12:25:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14226, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14225", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 12:24:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 12:24:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14225, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14224", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 12:24:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 12:24:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14224, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14223", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 12:24:24", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 12:24:24", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14223, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14222", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 12:24:19", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 12:24:19", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14222, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16765 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 12:21:29", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14216", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 12:20:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 12:20:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14216, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14215", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 12:20:31", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 12:20:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14215, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14214", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 12:20:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 12:20:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14214, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14213", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 12:20:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 12:20:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14213, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14212", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 12:20:04", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 12:20:04", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14212, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14211", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 12:19:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 12:19:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14211, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14210", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 12:19:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 12:19:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14210, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16764 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 05:40:44", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14208", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 05:40:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 05:40:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14208, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16763 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 03:56:10", + "acknowledgedDate": "09/18/2020 05:40:15", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14205", + "ruleMessage": "User Logon", + "sourceIp": "20.44.97.189", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:55:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:55:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.97.189", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14205, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14204", + "ruleMessage": "User Logon", + "sourceIp": "20.44.97.189", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:55:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:55:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.97.189", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14204, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14202", + "ruleMessage": "User Logon", + "sourceIp": "20.44.97.189", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:55:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:55:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.97.189", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14202, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14201", + "ruleMessage": "User Logon", + "sourceIp": "20.44.97.189", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:55:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:55:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.97.189", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14201, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14200", + "ruleMessage": "User Logon", + "sourceIp": "20.44.97.189", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:55:10", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:55:10", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.97.189", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14200, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14198", + "ruleMessage": "User Logon", + "sourceIp": "20.44.97.189", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:54:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:54:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.97.189", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14198, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14199", + "ruleMessage": "User Logon", + "sourceIp": "20.44.97.189", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:54:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:54:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.97.189", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14199, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14197", + "ruleMessage": "User Logon", + "sourceIp": "20.44.97.189", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:54:33", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:54:33", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.97.189", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14197, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14196", + "ruleMessage": "User Logon", + "sourceIp": "20.44.97.189", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:54:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + 
"ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:54:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.97.189", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14196, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16762 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 03:53:40", + "acknowledgedDate": "09/18/2020 05:40:15", + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14181", + "ruleMessage": "User Logon", + "sourceIp": "13.77.89.107", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:53:10", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:53:10", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "13.77.89.107", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14181, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14180", + "ruleMessage": "User Logon", + "sourceIp": "52.167.119.2", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:53:09", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:53:09", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.119.2", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14180, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14179", + "ruleMessage": "User Logon", + "sourceIp": "13.77.89.107", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:52:57", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:52:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "13.77.89.107", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14179, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14178", + "ruleMessage": "User Logon", + "sourceIp": "52.167.119.2", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:52:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:52:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.119.2", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14178, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14177", + "ruleMessage": "User Logon", + "sourceIp": "13.77.89.107", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:52:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:52:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "13.77.89.107", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14177, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14176", + "ruleMessage": "User Logon", + "sourceIp": "13.77.89.107", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:52:41", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:52:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "13.77.89.107", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14176, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14175", + "ruleMessage": "User Logon", + "sourceIp": "52.167.119.2", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:52:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:52:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.119.2", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14175, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14174", + "ruleMessage": "User Logon", + "sourceIp": "13.77.89.107", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:52:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:52:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "13.77.89.107", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14174, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16761 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 03:52:10", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14160", + "ruleMessage": "User Logon", + "sourceIp": "20.190.241.59", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:51:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:51:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.190.241.59", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14160, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 03:52:08 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16760 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 03:50:40", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14155", + "ruleMessage": "User Logon", + "sourceIp": "40.70.27.21", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:50:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:50:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.27.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14155, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 03:51:44 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14154", + "ruleMessage": "User Logon", + "sourceIp": "40.70.27.21", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:50:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:50:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.27.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging 
in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14154, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14152", + "ruleMessage": "User Logon", + "sourceIp": "40.70.27.21", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:49:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:49:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.27.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to 
hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14152, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14151", + "ruleMessage": "User Logon", + "sourceIp": "40.70.27.21", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:49:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:49:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.27.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts 
or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14151, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14150", + "ruleMessage": "User Logon", + "sourceIp": "40.70.27.21", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:49:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:49:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.27.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or 
services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14150, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14149", + "ruleMessage": "User Logon", + "sourceIp": "20.190.241.59", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:49:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:49:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.190.241.59", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or 
services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14149, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16759 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 03:49:10", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14137", + "ruleMessage": "User Logon", + "sourceIp": "52.167.226.99", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:48:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": 
{ + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:48:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.226.99", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14137, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 03:49:04 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14136", + "ruleMessage": "User Logon", + "sourceIp": "52.167.226.99", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:48:23", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + 
"subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:48:23", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.226.99", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14136, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 03:49:05 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14135", + "ruleMessage": "User Logon", + "sourceIp": "52.167.226.99", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:48:19", + "eventSubType": "success", + 
"protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:48:19", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.226.99", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14135, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14134", + "ruleMessage": "User Logon", + "sourceIp": "52.167.226.99", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:48:10", + "eventSubType": "success", + 
"protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:48:10", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.226.99", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14134, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14133", + "ruleMessage": "User Logon", + "sourceIp": "40.70.27.21", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:48:04", + "eventSubType": "success", + 
"protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:48:04", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "40.70.27.21", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14133, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14132", + "ruleMessage": "User Logon", + "sourceIp": "52.167.226.99", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:48:02", + "eventSubType": "success", + 
"protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:48:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.226.99", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14132, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + 
"alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16758 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 03:47:40", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14122", + "ruleMessage": "User Logon", + "sourceIp": "52.167.226.99", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:46:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:46:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.167.226.99", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14122, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 03:48:04 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14121", + "ruleMessage": "User Logon", + "sourceIp": "20.44.103.204", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:46:57", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:46:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.103.204", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14121, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 03:48:05 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14120", + "ruleMessage": "User Logon", + "sourceIp": "20.44.103.204", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:46:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:46:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.103.204", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14120, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14119", + "ruleMessage": "User Logon", + "sourceIp": "20.44.103.204", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:46:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:46:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.103.204", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14119, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14118", + "ruleMessage": "User Logon", + "sourceIp": "20.44.103.204", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:46:38", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:46:38", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.103.204", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14118, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14117", + "ruleMessage": "User Logon", + "sourceIp": "20.44.103.204", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:46:33", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:46:33", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.103.204", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14117, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16757 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 03:46:10", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14115", + "ruleMessage": "User Logon", + "sourceIp": "20.44.103.204", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:45:23", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:45:23", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "20.44.103.204", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14115, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 03:46:34 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 
0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16756 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 03:41:40", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14112", + "ruleMessage": "User Logon", + "sourceIp": "52.250.65.41", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:40:52", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:40:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.250.65.41", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14112, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14111", + "ruleMessage": "User Logon", + "sourceIp": "52.250.65.41", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:40:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:40:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.250.65.41", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14111, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14109", + "ruleMessage": "User Logon", + "sourceIp": "52.250.65.41", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:40:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:40:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.250.65.41", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14109, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14108", + "ruleMessage": "User Logon", + "sourceIp": "52.250.65.41", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:40:48", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:40:48", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.250.65.41", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14108, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14107", + "ruleMessage": "User Logon", + "sourceIp": "52.250.65.41", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:40:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:40:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.250.65.41", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14107, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14105", + "ruleMessage": "User Logon", + "sourceIp": "52.250.65.41", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:40:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:40:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.250.65.41", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14105, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14106", + "ruleMessage": "User Logon", + "sourceIp": "52.250.65.41", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:40:36", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:40:36", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.250.65.41", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14106, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14104", + "ruleMessage": "User Logon", + "sourceIp": "52.250.65.41", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:40:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:40:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.250.65.41", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14104, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16755 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 03:40:09", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14097", + "ruleMessage": "User Logon", + "sourceIp": "52.150.13.208", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:39:24", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:39:24", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.150.13.208", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14097, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 03:39:44 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14096", + "ruleMessage": "User Logon", + "sourceIp": "52.150.13.208", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:39:23", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:39:23", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.150.13.208", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14096, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 03:39:45 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14094", + "ruleMessage": "User Logon", + "sourceIp": "52.150.13.208", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:39:21", + "eventSubType": "success", + "protocol": "n/a", 
+ "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:39:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.150.13.208", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14094, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14093", + "ruleMessage": "User Logon", + "sourceIp": "52.150.13.208", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:39:20", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:39:20", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.150.13.208", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14093, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14092", + "ruleMessage": "User Logon", + "sourceIp": "52.150.13.208", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:39:18", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:39:18", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.150.13.208", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14092, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14090", + "ruleMessage": "User Logon", + "sourceIp": "52.150.13.208", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:39:11", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:39:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.150.13.208", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14090, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14091", + "ruleMessage": "User Logon", + "sourceIp": "52.150.13.208", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:39:11", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:39:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.150.13.208", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14091, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14089", + "ruleMessage": "User Logon", + "sourceIp": "52.150.13.208", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:38:57", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:38:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.150.13.208", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14089, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14087", + "ruleMessage": "User Logon", + "sourceIp": "52.150.13.208", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:38:50", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:38:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.150.13.208", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14087, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14086", + "ruleMessage": "User Logon", + "sourceIp": "52.250.65.41", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:38:49", + "eventSubType": "success", + "protocol": "n/a", + 
"command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:38:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.250.65.41", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14086, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16754 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 03:38:39", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14076", + "ruleMessage": "User Logon", + "sourceIp": "52.150.13.208", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:37:18", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:37:18", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.150.13.208", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14076, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16753 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 03:37:09", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14069", + "ruleMessage": "User Logon", + "sourceIp": "52.150.13.208", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:36:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:36:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "52.150.13.208", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14069, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-18 03:37:54 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16752 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 03:09:38", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14065", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:08:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:08:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14065, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16751 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 03:08:38", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14057", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:07:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:07:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14057, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14056", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:07:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:07:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14056, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14055", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:07:26", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:07:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14055, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14054", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:07:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:07:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14054, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14053", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:07:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:07:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14053, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14052", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:07:08", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:07:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14052, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16750 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 03:06:08", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14049", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:05:12", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:05:12", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14049, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-17 23:07:19 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14048", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:05:05", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:05:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14048, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14047", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:05:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:05:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14047, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14046", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:04:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:04:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14046, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14045", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:04:52", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:04:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14045, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14043", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:04:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:04:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14043, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14042", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:04:42", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:04:42", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14042, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16749 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/18/2020 03:04:38", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14041", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/18/2020 03:03:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + 
"subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/18/2020 03:03:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14041, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-17 23:04:38 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, 
+ "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16748 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/17/2020 12:42:38", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14030", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/17/2020 12:42:13", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/17/2020 12:42:13", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14030, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14029", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/17/2020 12:42:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/17/2020 12:42:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14029, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14027", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/17/2020 12:41:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/17/2020 12:41:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14027, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14026", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/17/2020 12:41:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/17/2020 12:41:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14026, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14025", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/17/2020 12:41:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/17/2020 12:41:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14025, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14024", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/17/2020 12:41:29", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/17/2020 12:41:29", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14024, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14023", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/17/2020 12:41:20", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/17/2020 12:41:20", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14023, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14022", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/17/2020 12:41:14", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/17/2020 12:41:14", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14022, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14021", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/17/2020 12:41:10", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/17/2020 12:41:10", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14021, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14020", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/17/2020 12:41:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/17/2020 12:41:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14020, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16747 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/17/2020 12:41:38", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14019", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/17/2020 12:40:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/17/2020 12:40:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14019, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16746 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/16/2020 12:52:47", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14017", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 12:52:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 12:52:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14017, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16745 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/16/2020 12:50:47", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14015", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 12:50:13", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 12:50:13", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14015, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16744 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/16/2020 12:29:16", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14005", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 12:28:34", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 12:28:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14005, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|14006", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 12:28:34", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 12:28:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 14006, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16743 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/16/2020 12:27:46", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13995", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 12:27:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 12:27:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13995, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13994", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 12:27:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 12:27:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13994, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13993", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 12:27:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 12:27:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13993, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13992", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 12:27:05", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 12:27:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13992, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13991", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 12:27:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 12:27:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13991, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13990", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 12:26:57", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 12:26:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13990, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13988", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 12:26:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 12:26:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13988, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16742 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/16/2020 12:26:46", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13984", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 12:25:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 12:25:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13984, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16741 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/16/2020 04:18:28", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13982", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 04:16:52", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 04:16:52", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13982, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16740 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/16/2020 04:15:58", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13979", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 04:15:32", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 04:15:32", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13979, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16739 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/16/2020 04:05:58", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13977", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 04:05:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 04:05:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13977, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16738 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/16/2020 04:01:58", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13975", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 04:01:20", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 04:01:20", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13975, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16737 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/16/2020 03:49:27", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13966", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 03:48:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 03:48:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13966, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16736 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/16/2020 03:48:27", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13957", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 03:47:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 03:47:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13957, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13956", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 03:47:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 03:47:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13956, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13955", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 03:47:29", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 03:47:29", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13955, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13954", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 03:46:38", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 03:46:38", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13954, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16735 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/16/2020 02:27:55", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13952", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 02:26:48", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 02:26:48", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13952, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16734 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/16/2020 02:24:54", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13950", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 02:24:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 02:24:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13950, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16733 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/16/2020 01:55:53", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13948", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 01:54:34", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 01:54:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13948, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16732 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/16/2020 01:53:53", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13946", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 01:53:04", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 01:53:04", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13946, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16731 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/16/2020 01:42:53", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13944", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 01:41:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 01:41:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13944, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16730 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/16/2020 00:10:20", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13941", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 00:09:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 00:09:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13941, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13940", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 00:09:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 00:09:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13940, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13938", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 00:09:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 00:09:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13938, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13937", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 00:09:02", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 00:09:02", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13937, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13936", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 00:09:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 00:09:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13936, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16729 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/16/2020 00:08:20", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13933", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 00:07:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 00:07:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13933, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-15 20:08:06 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13932", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 00:06:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 00:06:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13932, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-15 20:08:08 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13931", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 00:06:34", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 00:06:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13931, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16728 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/16/2020 00:05:20", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13917", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/16/2020 00:04:58", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/16/2020 00:04:58", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13917, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-15 20:06:36 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16727 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/15/2020 23:41:49", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13908", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 23:41:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 23:41:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13908, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13906", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 23:41:01", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 23:41:01", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13906, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16726 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/15/2020 23:40:49", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13905", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 23:39:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 23:39:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13905, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16725 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/15/2020 23:37:19", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13892", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 23:36:23", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 23:36:23", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13892, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13891", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 23:36:18", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 23:36:18", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13891, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13890", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 23:36:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 23:36:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13890, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13889", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 23:36:03", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 23:36:03", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13889, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13888", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 23:35:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 23:35:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13888, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13887", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 23:35:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 23:35:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13887, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13886", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 23:35:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 23:35:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13886, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16724 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/15/2020 23:36:19", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13884", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 23:34:43", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 23:34:43", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13884, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16723 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/15/2020 22:52:47", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13882", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 22:51:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 22:51:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13882, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16722 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/15/2020 22:48:47", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13880", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 22:48:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 22:48:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13880, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16721 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/15/2020 19:41:41", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13877", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 19:40:51", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 19:40:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13877, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13876", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 19:40:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 19:40:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13876, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13874", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 19:40:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 19:40:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13874, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13873", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 19:40:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 19:40:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13873, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13872", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 19:40:45", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 19:40:45", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13872, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13871", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 19:40:38", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 19:40:38", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13871, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16720 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/15/2020 19:40:11", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13866", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 19:39:35", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 19:39:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13866, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13865", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 19:39:30", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 19:39:30", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13865, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16719 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/15/2020 19:38:41", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13860", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 19:38:04", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 19:38:04", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13860, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-15 15:39:26 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16718 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/15/2020 15:34:32", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13857", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:33:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:33:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13857, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13856", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:33:48", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:33:48", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13856, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13855", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:33:46", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:33:46", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13855, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16717 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/15/2020 15:15:02", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13844", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:14:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:14:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13844, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13843", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:14:10", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:14:10", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13843, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13842", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:14:05", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:14:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13842, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13841", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:13:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:13:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13841, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13840", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:13:54", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:13:54", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13840, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13839", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:13:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:13:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13839, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13838", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:13:44", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:13:44", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13838, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16716 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/15/2020 15:13:32", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13834", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:12:26", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:12:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13834, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-15 11:13:46 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13833", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:12:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:12:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13833, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-15 11:13:47 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13832", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:12:10", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:12:10", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13832, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13830", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:12:07", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:12:07", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13830, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13829", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:12:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:12:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13829, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13828", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:12:05", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:12:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13828, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16715 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/15/2020 15:07:01", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13822", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:06:29", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:06:29", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13822, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13821", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:06:21", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:06:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13821, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13820", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:06:05", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:06:05", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13820, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13819", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:05:51", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:05:51", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13819, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13818", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:05:35", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:05:35", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13818, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13817", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:05:28", + "eventSubType": "success", + "protocol": 
"n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:05:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13817, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + 
"offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16714 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/15/2020 15:04:31", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13814", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 15:04:08", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 15:04:08", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13814, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-15 11:05:29 - Test note" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16713 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/15/2020 14:48:31", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13812", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 14:47:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 14:47:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13812, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13811", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 14:47:56", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": 
"success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 14:47:56", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13811, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + 
"maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16712 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/15/2020 14:46:31", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13809", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 14:45:16", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 14:45:16", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13809, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13808", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 14:45:11", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 14:45:11", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13808, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13807", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 14:45:09", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 14:45:09", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13807, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16711 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/15/2020 14:43:31", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13805", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/15/2020 14:42:34", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/15/2020 14:42:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13805, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16710 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/14/2020 13:57:39", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13802", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/14/2020 13:56:57", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/14/2020 13:56:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13802, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13801", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/14/2020 13:56:53", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/14/2020 13:56:53", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13801, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13799", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/14/2020 13:56:50", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/14/2020 13:56:50", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13799, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13798", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/14/2020 13:56:49", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/14/2020 13:56:49", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13798, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13797", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/14/2020 13:56:47", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/14/2020 13:56:47", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13797, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16709 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/14/2020 13:56:09", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13792", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/14/2020 13:55:34", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/14/2020 13:55:34", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13792, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16708 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/14/2020 13:55:09", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13789", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/14/2020 13:54:30", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/14/2020 13:54:30", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13789, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-14 09:55:21 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13788", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/14/2020 13:54:23", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/14/2020 13:54:23", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to 
logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13788, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "2020-09-14 09:55:22 - Test note" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13787", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/14/2020 13:54:22", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/14/2020 13:54:22", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13787, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13785", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/14/2020 13:54:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/14/2020 13:54:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13785, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13786", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/14/2020 13:54:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/14/2020 13:54:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13786, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13784", + "ruleMessage": "User Logon", + "sourceIp": "159.33.64.216", + "destIp": "22.22.24.6", + "lastTime": "09/14/2020 13:53:28", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/14/2020 13:53:28", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "159.33.64.216", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login 
category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13784, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16707 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/13/2020 23:48:09", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13774", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/13/2020 23:47:31", + "eventSubType": "success", + 
"protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/13/2020 23:47:31", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13774, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13773", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/13/2020 23:47:26", + "eventSubType": "success", + 
"protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/13/2020 23:47:26", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13773, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13772", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/13/2020 23:47:13", + "eventSubType": "success", + 
"protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/13/2020 23:47:13", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13772, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + }, + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13771", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/13/2020 23:47:00", + "eventSubType": "success", + 
"protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/13/2020 23:47:00", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13771, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + 
"alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16706 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/13/2020 23:45:39", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13765", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/13/2020 23:44:55", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/13/2020 23:44:55", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13765, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16705 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/13/2020 23:39:39", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13763", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/13/2020 23:38:19", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/13/2020 23:38:19", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13763, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16704 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/13/2020 23:35:38", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13758", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/13/2020 23:34:38", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/13/2020 23:34:38", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13758, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16703 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/13/2020 23:25:38", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13756", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/13/2020 23:24:06", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/13/2020 23:24:06", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13756, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16702 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/13/2020 19:09:00", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13753", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/13/2020 19:08:39", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/13/2020 19:08:39", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13753, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16701 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/13/2020 19:07:59", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13751", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/13/2020 19:06:59", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/13/2020 19:06:59", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13751, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16700 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/13/2020 18:58:59", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13749", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/13/2020 18:57:57", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/13/2020 18:57:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13749, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16699 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/13/2020 18:48:59", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13747", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/13/2020 18:48:15", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/13/2020 18:48:15", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13747, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16698 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/13/2020 18:46:59", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13745", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/13/2020 18:45:41", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/13/2020 18:45:41", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13745, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16697 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/13/2020 18:42:59", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13742", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/13/2020 18:41:57", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/13/2020 18:41:57", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13742, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16696 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/13/2020 18:22:58", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13740", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/13/2020 18:21:21", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/13/2020 18:21:21", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. 
Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13740, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + "matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + }, + { + "id": { + "value": 16695 + }, + "conditionType": 14, + "summary": "Signature ID 'User Logon' (306-11) match found", + "assignee": "NGCP", + "severity": 50, + "triggeredDate": "09/13/2020 15:44:53", + "acknowledgedDate": null, + "alarmName": "User Logon", + "acknowledgedUsername": null, + "filters": null, + "events": [ + { + "eventCount": 1, + "severity": 19, + "eventId": "144115188075855872|13729", + "ruleMessage": "User Logon", + "sourceIp": "184.160.14.179", + "destIp": "22.22.24.6", + "lastTime": "09/13/2020 15:44:25", + "eventSubType": "success", + "protocol": "n/a", + "command": "", + "subtype": "success", + "ipsId": { + "id": 
144115188075855872 + }, + "cases": [], + "ruleName": "User Logon", + "destMac": "00:00:00:00:00:00", + "destPort": "n/a", + "firstTime": "09/13/2020 15:44:25", + "flowSessionId": 0, + "reviewed": "F", + "srcIp": "184.160.14.179", + "srcMac": "00:00:00:00:00:00", + "srcPort": "n/a", + "vlan": 0, + "sigId": "306-11", + "sigDesc": "A user logged on McAfee ESM", + "sigText": "", + "deviceName": "Local ESM", + "normId": 408944640, + "app": "Win32", + "srcUser": "NGCP", + "destUser": "", + "remedyCaseId": 0, + "remedyTicketTime": null, + "deviceTime": "", + "remedyAnalyst": "", + "sequence": 0, + "trusted": 2, + "sessionId": 0, + "asnGeoSrcId": "0", + "srcAsnGeo": "", + "asnGeoDestId": "0", + "destAsnGeo": "", + "normMessage": "Login", + "normDesc": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", + "archiveId": "0", + "srcZone": "", + "destZone": "", + "flowId": 0, + "alertId": 13729, + "srcGuid": "", + "destGuid": "", + "agg1Name": "", + "agg1Value": "0.00000000000000E+000", + "agg2Name": "", + "agg2Value": "0.00000000000000E+000", + "agg3Name": "", + "agg3Value": "0.00000000000000E+000", + "iocName": "", + "iocId": 0, + "customTypes": [ + { + "fieldId": 1, + "fieldName": "AppID", + "definedFieldNumber": 1, + "unformattedValue": "6209602145532878299", + "formatedValue": "Win32" + }, + { + "fieldId": 7, + "fieldName": "UserIDSrc", + "definedFieldNumber": 7, + "unformattedValue": "22018731010750406", + "formatedValue": "NGCP" + } + ], + "duration": "00:00:00.000", + "host": "", + "object": "", + "domain": "", + "note": "" + } + ], + "queryId": 0, + "percentAbove": 0, + "percentBelow": 0, + "useWatchlist": "F", + "actions": "1\u0013\u00146\u0013\u0014", + "iocName": null, + "iocId": 0, + "timeFilter": null, + "assigneeId": 1, + "alretRateMin": 0, + "alertRateCount": 0, + "offsetMinutes": 0, + "maximumConditionTriggerFrequency": 1, + 
"matchField": "DSIDSigID", + "matchValue": "306-11", + "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "escalatedDate": null, + "caseId": 0, + "caseName": null, + "description": null + } +] diff --git a/tests/local/test_alarm.py b/tests/local/test_alarm.py new file mode 100644 index 0000000..062a338 --- /dev/null +++ b/tests/local/test_alarm.py @@ -0,0 +1,31 @@ +import unittest +import json +from msiempy import Alarm, AlarmManager + +def get_testing_data(data="./tests/local/test-alarms.json"): + return json.load(open(data, "r")) + +class T(unittest.TestCase): + + def test_event_match(self): + + alarms = AlarmManager(get_testing_data()) + + res = alarms.search('52.167.119.2', fields='events') + + alarms.event_filters=[('srcIp','52.167.119.2')] + + for r in res : + self.assertTrue(alarms._event_match(r)) + + def test_alarm_match(self): + + alarms = AlarmManager(get_testing_data()) + + res = alarms.search('User Logon', fields='alarmName', ) + + alarms.alarm_filters=[('alarmName','User Logon')] + + for r in res : + self.assertTrue(alarms._alarm_match(r)) + From 4aadb5ed35d224699a0d99e4248ae71f62ede9f0 Mon Sep 17 00:00:00 2001 From: tristanlatr Date: Sun, 4 Oct 2020 16:56:36 -0400 Subject: [PATCH 11/14] Add Git flow to contribute.md --- CONTRIBUTING.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 3432cec..2b0d7c5 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -24,4 +24,18 @@ python3 -m pip install -r requirements.txt # Install module python3 ./setup.py install # Hack and pull request -``` \ No newline at end of file +``` + +### Git flow +- Commits to `master` branch are trigerring: + - Tests + upload coverage + - Generate documentation + publish to gh-pages + - PyPi realeases and create new tag **if the `__version__` has been bumped**. + - See [publish](https://github.com/mfesiem/msiempy/blob/master/.github/workflows/publish.yml) +- Commits to `develop` branch are trigerring: + - Generate documentation + publish to gh-pages under `test` folder + - See [publish-test-docs-only](https://github.com/mfesiem/msiempy/blob/master/.github/workflows/publish-test-docs-only.yml) +- Tests on Windows and MacOS are scheduled to run once a week. + - See [test](https://github.com/mfesiem/msiempy/blob/master/.github/workflows/test.yml) + +See the github actions workflows for more details: \ No newline at end of file From ec203c0f2a49c549885633aa83f2b2629b32bfc4 Mon Sep 17 00:00:00 2001 From: tristanlatr Date: Mon, 5 Oct 2020 15:34:57 -0400 Subject: [PATCH 12/14] Add another test for #83 --- tests/local/test_alarm.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/local/test_alarm.py b/tests/local/test_alarm.py index 062a338..767d13f 100644 --- a/tests/local/test_alarm.py +++ b/tests/local/test_alarm.py @@ -18,6 +18,11 @@ def test_event_match(self): for r in res : self.assertTrue(alarms._event_match(r)) + alarms.event_filters=[('srcIp','10.1.1.1')] + + for r in res : + self.assertFalse(alarms._event_match(r)) + def test_alarm_match(self): alarms = AlarmManager(get_testing_data()) From 2e66d7c7facdfe5bc3c04552f576a76b5c5a9288 Mon Sep 17 00:00:00 2001 
From: tristanlatr Date: Mon, 5 Oct 2020 15:47:48 -0400 Subject: [PATCH 13/14] Internal API notes in the docs --- msiempy/device.py | 38 ++++++++++++++++++++++++++++---------- msiempy/event.py | 9 ++++++--- msiempy/watchlist.py | 2 ++ 3 files changed, 36 insertions(+), 13 deletions(-) diff --git a/msiempy/device.py b/msiempy/device.py index 472d2e0..c969f75 100644 --- a/msiempy/device.py +++ b/msiempy/device.py @@ -15,7 +15,10 @@ class ESM(NitroObject): - """Enterprise Security Manager interface""" + """ + Enterprise Security Manager interface. + Object do not contain data, it's a simple interface to data structures / values returned by the SIEM or helper methods. + """ def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) @@ -66,8 +69,11 @@ def status(self): - `backupLastTime` - `rulesAndSoftwareCheckEnabled` - `rulesAndSoftNextCheck` - - `rulesAndSoftLastCheck` - Other functions exist to return subsets of this data also. + - `rulesAndSoftLastCheck` + + Other functions exist to return subsets of this data also. + + .. note:: Uses internal API method `SYS_GETSYSINFO` """ status = self.nitro.request("get_sys_info") return self._map_status_int_fields(status) @@ -104,7 +110,8 @@ def ram(self): def backup_status(self): """ - Returns: Backup status and timestamps. + Returns: Backup status and timestamps. + Use `status()`. Example : ``` {'autoBackupEnabled': True, @@ -125,14 +132,16 @@ def backup_status(self): def callhome(self): """ - Returns: `True/False` if there is currently a callhome connection + Returns: `True/False` if there is currently a callhome connection. + Use `status()`. """ if self.status()["callHomeIp"]: return True def rules_status(self): """ - Returns: Rules autocheck status and timestamps. + Returns: Rules autocheck status and timestamps. + Use `status()`. Example: ``` { 'rulesAndSoftwareCheckEnabled': True 
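Review bot: In the `@@ -125,14 +132,16 @@` hunk the new `callhome` docstring promises a `True/False` return, but the visible body is only `if self.status()["callHomeIp"]: return True`, so the falsy path returns `None`; either document `Returns: True if a callhome connection is up, otherwise None` or make the code match with `return bool(self.status()["callHomeIp"])`. The `Use `status()`.` sentence added to `backup_status`, `callhome` and `rules_status` reads as an instruction to the caller rather than a description; `Subset of the data returned by `status()`.` says what is meant. `rules_status` continues past the end of the hunk.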
@@ -161,8 +170,10 @@ def get_alerts(self, ds_id, flows=False): - `flows`: (`bool`) Also get flows from the device (default: False) Returns: `None` - # TODO: add test method in tests/auth/test_device.py + + .. note:: Uses internal API methods `IPS_GETALERTSNOW` and `IPS_GETFLOWSNOW` """ + # TODO add test method in `tests/auth/test_device.py` self.nitro.request("get_alerts_now", ds_id=ds_id) if flows: self.nitro.request("get_flows_now", ds_id=ds_id) @@ -170,15 +181,14 @@ def get_alerts(self, ds_id, flows=False): @lru_cache(maxsize=None) def recs(self): """ - Returns: `list(tuple())`, List of receivers name and id + Returns: `list(tuple())`, List of receivers name and id. """ rec_list = self.nitro.request("get_recs") return [(rec["name"], rec["id"]["id"]) for rec in rec_list] @lru_cache(maxsize=None) def _get_timezones(self): - """Gets list of timezones from the ESM. - Returns: Raw `string` from ESM + """Gets `list` of timezones from the ESM. """ return self.nitro.request("time_zones") @@ -259,6 +269,7 @@ def venmod_to_type_id(self, vendor, model): Returns: `str` Matching type_id or None if there is no match """ + # TODO Write a test method in `tests/auth/test_device.py` for venmod in self._get_ds_types(): if vendor == venmod[1]: if model == venmod[2]: @@ -317,8 +328,15 @@ class DevTree(NitroList): Exemple: ``` + # Quick python code to list all McAfee SIEM Datasources + from msiempy.device import DevTree + devtree = DevTree() + print("All Datasources") + print(devtree.get_text(fields=["parent_name", "name", "ds_id"])) ``` + + .. note:: Uses internal API methods such as `GRP_GETVIRTUALGROUPIPSLISTDATA` to assemble `DevTree` object. """ def __init__(self, *args, **kwargs): diff --git a/msiempy/event.py b/msiempy/event.py index da638ed..27d6c4f 100644 --- a/msiempy/event.py +++ b/msiempy/event.py 
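Review bot: In the `@@ -170,15 +181,14 @@` hunk the `_get_timezones` docstring now says it returns a `list`, while the removed text said a raw `string`; the body `return self.nitro.request("time_zones")` is unchanged, so only one of the two descriptions can be right and the hunk does not show which. Confirm against the actual response and document the shape, e.g. `Returns: the raw ``time_zones`` response (a ``list`` — TODO confirm element structure)`. The `.. note::` lines naming the internal API methods are a useful addition; the same note style would help `recs`, which is touched in this hunk but only lists the return type.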
@@ -1359,8 +1359,9 @@ def __setitem__(self, key, value): def get_id(self): """ - Get the event ID. - Try to return `e['Alert.IPSIDAlertID']` or e['eventId']` or concatenate `e['ipsId']['id']` and `e['alertId']` depending of the Event dictionnary keys. + Get the event ID. + + Return the full event ID or `None`. """ the_id = ( self.data["Alert.IPSIDAlertID"] @@ -1384,7 +1385,9 @@ def clear_notes(self): def set_note(self, note, no_date=False): """ - Set the event's note. Desctructive action. + Set the event's note. Desctructive action. + + .. note:: Uses the internal API method `IPS_ADDALERTNOTE` """ the_id = self.get_id() diff --git a/msiempy/watchlist.py b/msiempy/watchlist.py index 461e797..d490728 100644 --- a/msiempy/watchlist.py +++ b/msiempy/watchlist.py @@ -193,6 +193,8 @@ def load_values(self): """ Load Watchlist values. Raises: `KeyError` if watchlist invalid. + + .. note:: Uses the internal API method `SYS_GETWATCHLISTDETAILS` """ wl_details = self.nitro.request("get_watchlist_values", id=self.data["id"]) From 894b7d706affd066bf6282056789fa466b4c3ae1 Mon Sep 17 00:00:00 2001 From: tristanlatr Date: Mon, 5 Oct 2020 15:52:48 -0400 Subject: [PATCH 14/14] Bump version 0.3.4 --- msiempy/__version__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/msiempy/__version__.py b/msiempy/__version__.py index 3471a32..97d08c4 100644 --- a/msiempy/__version__.py +++ b/msiempy/__version__.py @@ -2,7 +2,7 @@ Project version and meta informations. """ -__version__ = "0.3.4.dev2" +__version__ = "0.3.4" __title__ = "msiempy" __description__ = "msiempy - McAfee SIEM API Python wrapper" __author__ = "andywalden, tristanlatr, mathieubeland, and other contributors. "
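Review bot: The new `get_id` docstring drops the one sentence a caller actually needs — which keys are consulted and in what order — and replaces it with `Return the full event ID or None`; since the body starts at `self.data["Alert.IPSIDAlertID"]` and the fallbacks continue beyond the hunk, that lookup order is not discoverable from the summary. Keep the removed sentence under the new one, e.g. `Tries `e['Alert.IPSIDAlertID']`, then `e['eventId']`, then `e['ipsId']['id']` joined with `e['alertId']`, depending on the keys present; returns `None` if none match.` The function body continues outside the hunk.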
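Review bot: The `set_note` hunk at `@@ -1384,7 +1385,9 @@` rewrites the first docstring line but carries the `Desctructive` misspelling with it; `Set the event's note. Destructive action.` Saying what is destroyed would make the warning actionable, e.g. `Replaces any existing note on the event.` if that is the behaviour (the body is outside the hunk, so confirm before stating it).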