From 24e9baee0841047170cffa1ef5b8bd23ba5401e0 Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Tue, 15 Oct 2024 07:55:33 +1030
Subject: [PATCH] crowdstrike: add shims to recover deprecated fields (#11282)

The documentation for the deprecation of fields indicates the following correspondences:

old new
is_synthetic_quarantine_disposition pattern_disposition* to identify quarantined files
has_script_or_module_ioc ioc_context
ioc_values ioc_value

However, there is no other information relating to how these correspond with each other. By inspection of documents from an alerts stream, we can see that pattern_disposition_details contains a quarantine_file boolean. This, with the text in the deprecation notice, hints that we can use this field to get the is_synthetic_quarantine_disposition.

The ioc_context field contains an array of object with a type property which in the examples I have available include (only) "module", hinting that this can be used to detect the state corresponding to has_script_or_module_ioc.

Finally, ioc_value fields are sprinkled around the documents, so collect them into ioc_values.

The test case is derived from the first case, but with deprecated fields removed.
---
 packages/crowdstrike/changelog.yml | 5 +
 .../alert/_dev/test/pipeline/test-alert.log | 2 +
 .../pipeline/test-alert.log-expected.json | 661 ++++++++++++++++++
 .../elasticsearch/ingest_pipeline/default.yml | 53 ++
 .../data_stream/alert/sample_event.json | 15 +-
 packages/crowdstrike/docs/README.md | 15 +-
 packages/crowdstrike/manifest.yml | 2 +-
 7 files changed, 740 insertions(+), 13 deletions(-)

diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml
index 3dc9f1f73ac..80189d40cd8 100644
--- a/packages/crowdstrike/changelog.yml
+++ b/packages/crowdstrike/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.43.0"
+  changes:
+    - description: Recover Crowdstrike-deprecated field values for `is_synthetic_quarantine_disposition`, `has_script_or_module_ioc` and `ioc_values`.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/11282
 - version: "1.42.2"
   changes:
     - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
diff --git a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log
index 8a51b2459f9..cbff24b0509 100644
--- a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log
+++ b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log
@@ -1,3 +1,5 @@ {"agent_id":"2ce412d17b334ad4adc8c1c54dbfec4b","aggregate_id":"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","alleged_filetype":"exe","cid":"92012896127c4a948236ba7601b886b0","cloud_indicator":"false","cmdline":"\"C:\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\"","composite_id":"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","confidence":10,"context_timestamp":"2023-11-03T18:00:31Z","control_graph_id":"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778","crawl_edge_ids":{"Sensor":["KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2JIVMD36[+=kiQDRm.bB?;d\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N","KZcZA__;?\"cmott@m_k)MSZ^+C?.cg92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';ea%iM\"__\"59K'R?_=`'`rK/'hA\"r+L5i-*Ut5PI!!*'!","N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\"%MDAR=fo41Z]rXc\"J-\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr","N6CUF__;K!d$:\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\"X'\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\"<_/?I'[##WMh'H[Rcl+!!<<'","N6L[G__;K!d\"qhT7k?[D\"Bk:5s%+=>#DM0j$_44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\"d.&=To@9kS!prs8N"]},"crawl_vertex_ids":{"Sensor":["aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600","mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4","mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33","pid:2ce412d17b33d4
adc8c1c54dbfec4b:392734873135","pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876","pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993","quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425"]},"crawled_timestamp":"2023-11-03T19:00:23.985020992Z","created_timestamp":"2023-11-03T18:01:23.995794943Z","data_domains":["Endpoint"],"description":"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.","device":{"agent_load_flags":"0","agent_local_time":"2023-10-12T03:45:57.753Z","agent_version":"7.04.17605.0","bios_manufacturer":"ABC","bios_version":"F8CN42WW(V2.05)","cid":"92012896127c4a948236ba7601b886b0","config_id_base":"65994763","config_id_build":"17605","config_id_platform":"3","device_id":"2ce412d17b334ad4adc8c1c54dbfec4b","external_ip":"81.2.69.142","first_seen":"2023-04-07T09:36:36Z","groups":["18704e21288243b58e4c76266d38caaf"],"hostinfo":{"active_directory_dn_display":["WinComputers","WinComputers\\ABC"],"domain":"ABC.LOCAL"},"hostname":"ABC709-1175","last_seen":"2023-11-03T17:51:42Z","local_ip":"81.2.69.142","mac_address":"ab-21-48-61-05-b2","machine_domain":"ABC.LOCAL","major_version":"10","minor_version":"0","modified_timestamp":"2023-11-03T17:53:43Z","os_version":"Windows11","ou":["ABC","WinComputers"],"platform_id":"0","platform_name":"Windows","pod_labels":null,"product_type":"1","product_type_desc":"Workstation","site_name":"Default-First-Site-Name","status":"normal","system_manufacturer":"LENOVO","system_product_name":"20VE"},"falcon_host_link":"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","filename":"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","filepath":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNC
lients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","grandparent_details":{"cmdline":"C:\\Windows\\system32\\userinit.exe","filename":"userinit.exe","filepath":"\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe","local_process_id":"4328","md5":"b07f77fd3f9828b2c9d61f8a36609741","process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135","process_id":"392734873135","sha256":"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33","timestamp":"2023-10-30T16:49:19Z","user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"yuvraj.mahajan"},"has_script_or_module_ioc":"true","id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","indicator_id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","ioc_context":[{"ioc_description":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","ioc_source":"library_load","ioc_type":"hash_sha256","ioc_value":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","md5":"cdf9cfebb400ce89d5b6032bfcdc693b","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","type":"module"}],"ioc_values":[],"is_synthetic_quarantine_disposition":true,"local_process_id":"17076","logon_domain":"ABSYS","md5":"cdf9cfebb400ce89d5b6032bfcdc693b","name":"PrewittPupAdwareSensorDetect-Lowest","objective":"FalconDetectionMethod","parent_details":{"cmdline":"C:\\WINDOWS\\Explorer.EXE","filename":"explorer.exe","filepath":"\\Device\\HarddiskVolume3\\Windows\\explorer.exe","local_process_id":"1040","md5":"8cc3fcdd7d52d2d5221303c213e044ae","process_graph_
id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876","process_id":"392736520876","sha256":"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4","timestamp":"2023-11-03T18:00:32Z","user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"mohit.jha"},"parent_process_id":"392736520876","pattern_disposition":2176,"pattern_disposition_description":"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.","pattern_disposition_details":{"blocking_unsupported_or_disabled":false,"bootup_safeguard_enabled":false,"critical_process_disabled":false,"detect":false,"fs_operation_blocked":false,"handle_operation_downgraded":false,"inddet_mask":false,"indicator":false,"kill_action_failed":false,"kill_parent":false,"kill_process":false,"kill_subprocess":false,"operation_blocked":false,"policy_disabled":false,"process_blocked":true,"quarantine_file":true,"quarantine_machine":false,"registry_operation_blocked":false,"rooting":false,"sensor_only":false,"suspend_parent":false,"suspend_process":false},"pattern_id":5761,"platform":"Windows","poly_id":"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==","process_end_time":"1699034421","process_id":"399748687993","process_start_time":"1699034413","product":"epp","quarantined_files":[{"filename":"\\Device\\Volume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","id":"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","state":"quarantined"}],"scenario":"NGAV","severity":30,"sha1":"0000000000000000000000000000000000000000","sha256":"
b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","show_in_ui":true,"source_products":["FalconInsight"],"source_vendors":["CrowdStrike"],"status":"new","tactic":"MachineLearning","tactic_id":"CSTA0004","technique":"Adware/PUP","technique_id":"CST0000","timestamp":"2023-11-03T18:00:22.328Z","tree_id":"1931778","tree_root":"38687993","triggering_process_graph_id":"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993","type":"ldt","updated_timestamp":"2023-11-03T19:00:23.985007341Z","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"mohit.jha"} {"agent_id":"38293534662e48c99f33c61631b3536d","aggregate_id":"aggind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9","cid":"4446934rf3fdb64ec3056ddfb96e","composite_id":"874694c2ff8c43fdb64ef3056ddfb96d:ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9","confidence":80,"context_timestamp":"2024-08-16T18:43:44.242Z","crawled_timestamp":"2024-08-16T18:49:02.798354466Z","created_timestamp":"2024-08-16T18:45:02.987127397Z","data_domains":["Identity"],"description":"A user denied a policy identity verification request","display_name":"Identity verification denied","end_time":"2024-08-16T18:43:44.242Z","falcon_host_link":"https://falcon.crowdstrike.com/identity-protection/detections/4446934rf3fdb64ec3056ddfb96e:ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9?_cid=g0300034lfy3zjobdz7ewb4xjqyjsy5a","id":"ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9","idp_policy_mfa_factor_type":"32769","idp_policy_mfa_provider":"14","idp_policy_rule_id":"1B82F2DE-2A08-49E0-8F85-AD46996F9A65","idp_policy_rule_name":"admin - RDP Access to TIER-0 Servers","name":"IdpPolicyIdentityVerificationDenied","objective":"Gain 
Access","pattern_id":51143,"poly_id":"AAB3RpTC74xD_bZOwwVt37ltWwicqVJrn1DHb_UVfrn1QAAATiE4zCVgvIYhKPq8wZOGu5S3BVMzfSm_y5pv8n9CypfRuw==","product":"idp","scenario":"suspicious_activity","seconds_to_resolved":0,"seconds_to_triaged":0,"severity":79,"severity_name":"High","show_in_ui":true,"source_account_azure_id":"65ddx-c454-45f9-9034-Fdf34353","source_account_domain":"NET.example.com","source_account_name":"admin.example","source_account_object_sid":"S-14-5424-21-dfaf3-234343-3434-1567733","source_account_sam_account_name":"admin.abcdef","source_account_upn":"admin.abcdef@example.com","source_endpoint_account_object_guid":"E436B3F0-078C-4629-9437-D3E3169147C0","source_endpoint_address_ip4":"81.2.69.144","source_endpoint_host_name":"ABDC454.net.example.com","source_endpoint_ip_address":"81.2.69.144","source_endpoint_sensor_id":"38293534662e48c99f33c61631b3536d","source_products":["Falcon Identity Protection"],"source_vendors":["CrowdStrike"],"start_time":"2024-08-19T18:43:44.242Z","status":"new","tactic":"Credential Access","tactic_id":"TA0006","technique":"Brute Force","technique_id":"T1110","tags":["falcon_complete"],"target_account_name":"HFJFJFFFFFFF$","target_endpoint_account_object_guid":"AAAAAAAA-0000-FFFFF-000000-A302EFCC8E6E","target_endpoint_account_object_sid":"S-1-5-21-746137067-1844237615-1801674531-298236","target_endpoint_host_name":"GH787.net.example.com","target_endpoint_sensor_id":"ac89a368e77a4fa5837b53c7f11fc9e7","timestamp":"2024-08-19T18:44:01.1Z","type":"idp-user-endpoint-app-info","updated_timestamp":"2024-08-19T18:49:02.798344752Z","user_name":"admin.abcdef","activity_browser":"Edge 
126.0.0","activity_device":"LAPTOP-AP7299QV","activity_os":"Windows","active_directory_authentication_method":"5","activity_id":"2A8A7C96-0F17-412C-8105-94542784E00D","alert_attributes":"0","location_country_code":"US","location_latitude_as_int":340726,"location_longitude_as_int":-1182610,"model_anomaly_indicators":["ACCOUNT_IMPOSSIBLE_VELOCITY","ENVIRONMENT_UNUSUAL_IP","ENVIRONMENT_UNUSUAL_ISP_DOMAIN","ISP_DATACENTER_CLASSIFICATION"],"ldap_search_query_attack":"16","protocol_anomaly_classification":"1","source_account_object_guid":"9F2CE16C-4A78-42E6-8565-87147707EE79","source_endpoint_account_object_sid":"S-1-5-21-111111111-2222222-1417001333-101158","source_endpoint_ip_reputation":"128","source_ip_isp_classification":"9","source_ip_isp_domain":"sioru.com","target_domain_controller_host_name":"APINTAL19DC01","target_domain_controller_object_guid":"45A24DB7-6CD3-48C5-974F-A97159E7E2B2","target_domain_controller_object_sid":"S-1-5-21-111111111-2222222-1417001333-85512","target_service_access_identifier":"HOST/admin.example.com"} 
{"aggregate_id":"aggind:4444934rf3fdb64ec2059dmmb96e:5876E98M-F91K-48AW-8FFC-1191C663A1E9","agent_id":"58293534772e48c99f33c61631b3536d","cid":"4446934rf3fdb64ec3056ddfb96e","context_timestamp":"2024-08-19T18:43:44.242Z","composite_id":"874594c2ff8c23fdf64ef3086ddfb03e:ind:4441934rf3mmb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9","crawled_timestamp":"2024-08-19T18:49:02.798354466Z","created_timestamp":"2024-08-19T18:45:02.987127397Z","data_domains":["Identity"],"description":"Auserdeniedapolicyidentityverificationrequest","display_name":"Identityverificationdenied","end_time":"2024-08-19T18:43:44.242Z","falcon_host_link":"https://falcon.crowdstrike.com/identity-protection/detections/4446934rf3fdb64ec3056ddfb96e:ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9?_cid=g0300034lfy3zjobdz7ewb4xjqyjsy5a","id":"ind:4446934rf3fdb64ec3056ddfb96e:87934F-M00B-48CC-0AAC-dfafd3429","idp_policy_mfa_factor_type":"42669","idp_policy_mfa_provider":"11","idp_policy_rule_id":"123324-343-4dfa9E0-8F85-dfaa3242","idp_policy_rule_name":"admin-RDPAccesstoTIER-0Servers","name":"IdpPolicyIdentityVerificationDenied","objective":"GainAccess","pattern_id":45897,"poly_id":"MJdfafdB3RpTC74xD_bZOwwVt37erewrewdWwicqVJrn1DHb_UVfrn1QTiE4zCVgvIYhKPq8wZOGu5S3BVMzfSm_y5pv8n9CypfRuw==","product":"idp","scenario":"suspicious_activity","seconds_to_resolved":0,"seconds_to_triaged":0,"severity":79,"severity_name":"Medium","show_in_ui":true,"source_account_azure_id":"65ddx-c454-324d-9034-Fdf34353","source_account_domain":"BCD.example.com","source_account_name":"admin.example","source_account_object_sid":"S-14-5424-21-dfaf3-234343-3434-1117733","source_account_sam_account_name":"admin.abcdef","source_account_upn":"admin.abcdef@example.com","source_endpoint_account_object_guid":"FDHJJ343-098C-4629-9437-DD3424GHJ","source_endpoint_address_ip4":"81.2.69.144","source_endpoint_host_name":"ABDC454.net.example.com","source_endpoint_ip_address":"81.2.69.144","source_endpoint_sensor_id":"38
293523261gh48c99ffd234c6190123536e","source_products":["FalconIdentityProtection"],"source_vendors":["CrowdStrike"],"start_time":"2024-08-19T18:43:44.242Z","status":"new","tactic":"CredentialAccess","tactic_id":"TA0006","technique":"BruteForce","technique_id":"T1110","tags":["falcon_complete"],"target_account_name":"HFJFJFFFFFFF$","target_endpoint_account_object_guid":"AAAAAAAA-0000-FFFFF-000000-A302EFCC8M4536","target_endpoint_account_object_sid":"S-1-5-21-HG43242JJ-1844237615-18dfa1674531-298236","target_endpoint_host_name":"GH787.abc.example.com","target_endpoint_sensor_id":"afdsasf3423432nndv3432v","timestamp":"2024-08-19T18:44:01.1Z","type":"idp-user-endpoint-app-info","updated_timestamp":"2024-08-19T18:49:02.798344752Z","user_name":"admin.abcdef","activity_browser":"Edge126.0.0","activity_device":"LAPTOP-ADFVEJM234V","activity_os":"Windows","active_directory_authentication_method":"4","activity_id":"3A7H7C00-FFF2344-23FFFF-9199905-91245754E10099D","alert_attributes":"0","location_country_code":"US","location_latitude_as_int":320316,"location_longitude_as_int":-12729080,"model_anomaly_indicators":["ACCOUNT_IMPOSSIBLE_VELOCITY","ENVIRONMENT_UNUSUAL_IP","ENVIRONMENT_UNUSUAL_ISP_DOMAIN","ISP_DATACENTER_CLASSIFICATION"],"ldap_search_query_attack":"16","protocol_anomaly_classification":"1","source_account_object_guid":"78HF9842-HGG5-324F-9565-GJD47324","source_endpoint_account_object_sid":"S-1-4-21-111111111-2222222-14171121333-1045999","source_endpoint_ip_reputation":"118","source_ip_isp_classification":"8","source_ip_isp_domain":"abc.com","target_domain_controller_host_name":"GHPOTAL12578","target_domain_controller_object_guid":"59B24AA7-4GH8-f7H0-994F-B90159E7M2K1","target_domain_controller_object_sid":"S-2-8-21-333333-2222222-3431-95511","target_service_access_identifier":"HOST/root.demo.com"} 
+{"agent_id":"2ce412d17b334ad4adc8c1c54dbfec4b","aggregate_id":"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","alleged_filetype":"exe","cid":"92012896127c4a948236ba7601b886b0","cloud_indicator":"false","cmdline":"\"C:\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\"","composite_id":"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","confidence":10,"context_timestamp":"2023-11-03T18:00:31Z","control_graph_id":"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778","crawl_edge_ids":{"Sensor":["KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2JIVMD36[+=kiQDRm.bB?;d\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N","KZcZA__;?\"cmott@m_k)MSZ^+C?.cg92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';ea%iM\"__\"59K'R?_=`'`rK/'hA\"r+L5i-*Ut5PI!!*'!","N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\"%MDAR=fo41Z]rXc\"J-\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr","N6CUF__;K!d$:\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\"X'\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\"<_/?I'[##WMh'H[Rcl+!!<<'","N6L[G__;K!d\"qhT7k?[D\"Bk:5s%+=>#DM0j$_44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\"d.&=To@9kS!prs8N"]},"crawl_vertex_ids":{"Sensor":["aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600","mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4","mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33","pid:2ce412d17b33d4adc8c1c54dbfec4
b:392734873135","pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876","pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993","quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425"]},"crawled_timestamp":"2023-11-03T19:00:23.985020992Z","created_timestamp":"2023-11-03T18:01:23.995794943Z","data_domains":["Endpoint"],"description":"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.","device":{"agent_load_flags":"0","agent_local_time":"2023-10-12T03:45:57.753Z","agent_version":"7.04.17605.0","bios_manufacturer":"ABC","bios_version":"F8CN42WW(V2.05)","cid":"92012896127c4a948236ba7601b886b0","config_id_base":"65994763","config_id_build":"17605","config_id_platform":"3","device_id":"2ce412d17b334ad4adc8c1c54dbfec4b","external_ip":"81.2.69.142","first_seen":"2023-04-07T09:36:36Z","groups":["18704e21288243b58e4c76266d38caaf"],"hostinfo":{"active_directory_dn_display":["WinComputers","WinComputers\\ABC"],"domain":"ABC.LOCAL"},"hostname":"ABC709-1175","last_seen":"2023-11-03T17:51:42Z","local_ip":"81.2.69.142","mac_address":"ab-21-48-61-05-b2","machine_domain":"ABC.LOCAL","major_version":"10","minor_version":"0","modified_timestamp":"2023-11-03T17:53:43Z","os_version":"Windows11","ou":["ABC","WinComputers"],"platform_id":"0","platform_name":"Windows","pod_labels":null,"product_type":"1","product_type_desc":"Workstation","site_name":"Default-First-Site-Name","status":"normal","system_manufacturer":"LENOVO","system_product_name":"20VE"},"falcon_host_link":"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","filename":"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","filepath":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823
T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","grandparent_details":{"cmdline":"C:\\Windows\\system32\\userinit.exe","filename":"userinit.exe","filepath":"\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe","local_process_id":"4328","md5":"b07f77fd3f9828b2c9d61f8a36609741","process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135","process_id":"392734873135","sha256":"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33","timestamp":"2023-10-30T16:49:19Z","user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"yuvraj.mahajan"},"id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","indicator_id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","ioc_context":[{"ioc_description":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","ioc_source":"library_load","ioc_type":"hash_sha256","ioc_value":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","md5":"cdf9cfebb400ce89d5b6032bfcdc693b","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","type":"module"}],"ioc_values":[],"local_process_id":"17076","logon_domain":"ABSYS","md5":"cdf9cfebb400ce89d5b6032bfcdc693b","name":"PrewittPupAdwareSensorDetect-Lowest","objective":"FalconDetectionMethod","parent_details":{"cmdline":"C:\\WINDOWS\\Explorer.EXE","filename":"explorer.exe","filepath":"\\Device\\HarddiskVolume3\\Windows\\explorer.exe","local_process_id":"1040","md5":"8cc3fcdd7d52d2d5221303c213e044ae","process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876","process_id":"392736520876","sha256"
:"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4","timestamp":"2023-11-03T18:00:32Z","user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"mohit.jha"},"parent_process_id":"392736520876","pattern_disposition":2176,"pattern_disposition_description":"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.","pattern_disposition_details":{"blocking_unsupported_or_disabled":false,"bootup_safeguard_enabled":false,"critical_process_disabled":false,"detect":false,"fs_operation_blocked":false,"handle_operation_downgraded":false,"inddet_mask":false,"indicator":false,"kill_action_failed":false,"kill_parent":false,"kill_process":false,"kill_subprocess":false,"operation_blocked":false,"policy_disabled":false,"process_blocked":true,"quarantine_file":true,"quarantine_machine":false,"registry_operation_blocked":false,"rooting":false,"sensor_only":false,"suspend_parent":false,"suspend_process":false},"pattern_id":5761,"platform":"Windows","poly_id":"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==","process_end_time":"1699034421","process_id":"399748687993","process_start_time":"1699034413","product":"epp","quarantined_files":[{"filename":"\\Device\\Volume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","id":"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","state":"quarantined"}],"scenario":"NGAV","severity":30,"sha1":"0000000000000000000000000000000000000000","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","show_in_ui":true,"source_
products":["FalconInsight"],"source_vendors":["CrowdStrike"],"status":"new","tactic":"MachineLearning","tactic_id":"CSTA0004","technique":"Adware/PUP","technique_id":"CST0000","timestamp":"2023-11-03T18:00:22.328Z","tree_id":"1931778","tree_root":"38687993","triggering_process_graph_id":"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993","type":"ldt","updated_timestamp":"2023-11-03T19:00:23.985007341Z","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"mohit.jha"} +{"agent_id":"2ce412d17b334ad4adc8c1c54dbfec4b","aggregate_id":"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","alleged_filetype":"exe","cid":"92012896127c4a948236ba7601b886b0","cloud_indicator":"false","cmdline":"\"C:\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\"","composite_id":"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","confidence":10,"context_timestamp":"2023-11-03T18:00:31Z","control_graph_id":"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778","crawl_edge_ids":{"Sensor":["KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2JIVMD36[+=kiQDRm.bB?;d\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N","KZcZA__;?\"cmott@m_k)MSZ^+C?.cg92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';ea%iM\"__\"59K'R?_=`'`rK/'hA\"r+L5i-*Ut5PI!!*'!","N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\"%MDAR=fo41Z]rXc\"J-\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr","N6CUF__;K!d$:\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\"X'\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\"<_/?I'[##WMh'H[Rcl+!!<<'","N6L[G__;K!d\"qhT7k?[D\"Bk:5s%+=>#DM0j$_44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\"d.&=To@9kS!prs8N"]},"crawl_vertex_ids":{"Sensor":["aggind:2ce412d17b334ad4adc8c1
c54dbfec4b:163208931778","ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600","mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4","mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33","pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135","pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876","pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993","quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425"]},"crawled_timestamp":"2023-11-03T19:00:23.985020992Z","created_timestamp":"2023-11-03T18:01:23.995794943Z","data_domains":["Endpoint"],"description":"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.","device":{"agent_load_flags":"0","agent_local_time":"2023-10-12T03:45:57.753Z","agent_version":"7.04.17605.0","bios_manufacturer":"ABC","bios_version":"F8CN42WW(V2.05)","cid":"92012896127c4a948236ba7601b886b0","config_id_base":"65994763","config_id_build":"17605","config_id_platform":"3","device_id":"2ce412d17b334ad4adc8c1c54dbfec4b","external_ip":"81.2.69.142","first_seen":"2023-04-07T09:36:36Z","groups":["18704e21288243b58e4c76266d38caaf"],"hostinfo":{"active_directory_dn_display":["WinComputers","WinComputers\\ABC"],"domain":"ABC.LOCAL"},"hostname":"ABC709-1175","last_seen":"2023-11-03T17:51:42Z","local_ip":"81.2.69.142","mac_address":"ab-21-48-61-05-b2","machine_domain":"ABC.LOCAL","major_version":"10","minor_version":"0","modified_timestamp":"2023-11-03T17:53:43Z","os_version":"Windows11","ou":["ABC","WinComputers"],"platform_id":"0","platform_name":"Windows","pod_labels":null,"product_type":"1","product_type_desc":"Workstation","site_name":"Default-First-
Site-Name","status":"normal","system_manufacturer":"LENOVO","system_product_name":"20VE"},"falcon_host_link":"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","filename":"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","filepath":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","grandparent_details":{"cmdline":"C:\\Windows\\system32\\userinit.exe","filename":"userinit.exe","filepath":"\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe","local_process_id":"4328","md5":"b07f77fd3f9828b2c9d61f8a36609741","process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135","process_id":"392734873135","sha256":"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33","timestamp":"2023-10-30T16:49:19Z","user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"yuvraj.mahajan"},"id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","indicator_id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","ioc_context":[{"ioc_description":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","ioc_source":"library_load","ioc_type":"hash_sha256","ioc_value":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","md5":"cdf9cfebb400ce89d5b6032bfcdc693b","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","type":"module"}],"local_process_id":"17
076","logon_domain":"ABSYS","md5":"cdf9cfebb400ce89d5b6032bfcdc693b","name":"PrewittPupAdwareSensorDetect-Lowest","objective":"FalconDetectionMethod","parent_details":{"cmdline":"C:\\WINDOWS\\Explorer.EXE","filename":"explorer.exe","filepath":"\\Device\\HarddiskVolume3\\Windows\\explorer.exe","local_process_id":"1040","md5":"8cc3fcdd7d52d2d5221303c213e044ae","process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876","process_id":"392736520876","sha256":"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4","timestamp":"2023-11-03T18:00:32Z","user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"mohit.jha"},"parent_process_id":"392736520876","pattern_disposition":2176,"pattern_disposition_description":"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.","pattern_disposition_details":{"blocking_unsupported_or_disabled":false,"bootup_safeguard_enabled":false,"critical_process_disabled":false,"detect":false,"fs_operation_blocked":false,"handle_operation_downgraded":false,"inddet_mask":false,"indicator":false,"kill_action_failed":false,"kill_parent":false,"kill_process":false,"kill_subprocess":false,"operation_blocked":false,"policy_disabled":false,"process_blocked":true,"quarantine_file":true,"quarantine_machine":false,"registry_operation_blocked":false,"rooting":false,"sensor_only":false,"suspend_parent":false,"suspend_process":false},"pattern_id":5761,"platform":"Windows","poly_id":"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==","process_end_time":"1699034421","process_id":"399748687993","process_start_time":"1699034413","product":"epp","quarantined_files":[{"filename":"\\Device\\Volume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients
\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","id":"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","state":"quarantined"}],"scenario":"NGAV","severity":30,"sha1":"0000000000000000000000000000000000000000","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","show_in_ui":true,"source_products":["FalconInsight"],"source_vendors":["CrowdStrike"],"status":"new","tactic":"MachineLearning","tactic_id":"CSTA0004","technique":"Adware/PUP","technique_id":"CST0000","timestamp":"2023-11-03T18:00:22.328Z","tree_id":"1931778","tree_root":"38687993","triggering_process_graph_id":"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993","type":"ldt","updated_timestamp":"2023-11-03T19:00:23.985007341Z","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"mohit.jha"} diff --git a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json index c3b4d7d0e5c..8e23e46ce81 100644 --- a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json +++ b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json @@ -125,6 +125,9 @@ "type": "module" } ], + "ioc_values": [ + "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd" + ], "is_synthetic_quarantine_disposition": true, "local_process_id": "17076", "logon_domain": "ABSYS", 
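Review bot: The recovered `ioc_values` added in this hunk appears to replace the vendor-supplied field rather than fill it in only when it is missing; the following hunk's first document makes this visible, since its `event.original` still carries `\"ioc_values\":[]` while the output `ioc_values` holds the sha256 collected from `ioc_context[].ioc_value`. A consumer can then no longer tell a list CrowdStrike sent from one the pipeline synthesised, and the same concern applies to `has_script_or_module_ioc` and `is_synthetic_quarantine_disposition` if they are set unconditionally. The pipeline change in `default.yml` is outside this chunk, so this is inferred from the expected output; if the override is deliberate, the field descriptions should state that these values are derived from `ioc_context` and `pattern_disposition_details.quarantine_file` rather than passed through. The `+` on `is_synthetic_quarantine_disposition` against the header's net +3 line count also suggests this collapsed hunk lost a line, so it is worth checking whether an existing value in the first document was changed rather than added.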
@@ -716,6 +719,664 @@ "user": { "name": "admin.abcdef" } + }, + { + "@timestamp": "2023-11-03T18:00:22.328Z", + "crowdstrike": { + "alert": { + "agent_id": "2ce412d17b334ad4adc8c1c54dbfec4b", + "aggregate_id": "aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "alleged_filetype": "exe", + "cid": "92012896127c4a948236ba7601b886b0", + "cloud_indicator": false, + "cmdline": "\"C:\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\"", + "composite_id": "92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "confidence": 10, + "context_timestamp": "2023-11-03T18:00:31.000Z", + "control_graph_id": "ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778", + "crawl_edge_ids": { + "Sensor": [ + "KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2JIVMD36[+=kiQDRm.bB?;d\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N", + "KZcZA__;?\"cmott@m_k)MSZ^+C?.cg92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';ea%iM\"__\"59K'R?_=`'`rK/'hA\"r+L5i-*Ut5PI!!*'!", + "N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\"%MDAR=fo41Z]rXc\"J-\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr", + "N6CUF__;K!d$:\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\"X'\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\"<_/?I'[##WMh'H[Rcl+!!<<'", + "N6L[G__;K!d\"qhT7k?[D\"Bk:5s%+=>#DM0j$_44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\"d.&=To@9kS!prs8N" + ] + }, + "crawl_vertex_ids": { + "Sensor": [ + "aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + 
"mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33", + "pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135", + "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876", + "pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993", + "quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425" + ] + }, + "crawled_timestamp": "2023-11-03T19:00:23.985Z", + "created_timestamp": "2023-11-03T18:01:23.995Z", + "data_domains": [ + "Endpoint" + ], + "description": "ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.", + "device": { + "agent_load_flags": 0, + "agent_local_time": "2023-10-12T03:45:57.753Z", + "agent_version": "7.04.17605.0", + "bios_manufacturer": "ABC", + "bios_version": "F8CN42WW(V2.05)", + "cid": "92012896127c4a948236ba7601b886b0", + "config_id_base": "65994763", + "config_id_build": "17605", + "config_id_platform": 3, + "external_ip": "81.2.69.142", + "first_seen": "2023-04-07T09:36:36.000Z", + "groups": [ + "18704e21288243b58e4c76266d38caaf" + ], + "hostinfo": { + "active_directory_dn_display": [ + "WinComputers", + "WinComputers\\ABC" + ], + "domain": "ABC.LOCAL" + }, + "hostname": "ABC709-1175", + "id": "2ce412d17b334ad4adc8c1c54dbfec4b", + "last_seen": "2023-11-03T17:51:42.000Z", + "local_ip": "81.2.69.142", + "mac_address": "AB-21-48-61-05-B2", + "machine_domain": "ABC.LOCAL", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2023-11-03T17:53:43.000Z", + "os_version": "Windows11", + "ou": [ + "ABC", + "WinComputers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "LENOVO", + 
"system_product_name": "20VE" + }, + "falcon_host_link": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "filename": "openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "filepath": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe", + "local_process_id": "4328", + "md5": "b07f77fd3f9828b2c9d61f8a36609741", + "process_graph_id": "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135", + "process_id": "392734873135", + "sha256": "caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33", + "timestamp": "2023-10-30T16:49:19.000Z", + "user_graph_id": "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name": "yuvraj.mahajan" + }, + "has_script_or_module_ioc": true, + "id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "indicator_id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "md5": "cdf9cfebb400ce89d5b6032bfcdc693b", + "sha256": 
"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "type": "module" + } + ], + "ioc_values": [ + "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd" + ], + "is_synthetic_quarantine_disposition": true, + "local_process_id": "17076", + "logon_domain": "ABSYS", + "md5": "cdf9cfebb400ce89d5b6032bfcdc693b", + "name": "PrewittPupAdwareSensorDetect-Lowest", + "objective": "FalconDetectionMethod", + "parent_details": { + "cmdline": "C:\\WINDOWS\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume3\\Windows\\explorer.exe", + "local_process_id": "1040", + "md5": "8cc3fcdd7d52d2d5221303c213e044ae", + "process_graph_id": "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876", + "process_id": "392736520876", + "sha256": "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "timestamp": "2023-11-03T18:00:32.000Z", + "user_graph_id": "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name": "mohit.jha" + }, + "parent_process_id": "392736520876", + "pattern_disposition": 2176, + "pattern_disposition_description": "Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "operation_blocked": false, + "policy_disabled": false, + "process_blocked": true, + "quarantine_file": true, + "quarantine_machine": false, + "registry_operation_blocked": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": "5761", + 
"platform": "Windows", + "poly_id": "AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==", + "process_end_time": "2023-11-03T18:00:21.000Z", + "process_id": "399748687993", + "process_start_time": "2023-11-03T18:00:13.000Z", + "product": "epp", + "quarantined_files": [ + { + "filename": "\\Device\\Volume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "id": "2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "state": "quarantined" + } + ], + "scenario": "NGAV", + "severity": 30, + "sha1": "0000000000000000000000000000000000000000", + "sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "show_in_ui": true, + "source_products": [ + "FalconInsight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "MachineLearning", + "tactic_id": "CSTA0004", + "technique": "Adware/PUP", + "technique_id": "CST0000", + "timestamp": "2023-11-03T18:00:22.328Z", + "tree_id": "1931778", + "tree_root": "38687993", + "triggering_process_graph_id": "pid:2ce4124ad4adc8c1c54dbfec4b:399748687993", + "type": "ldt", + "updated_timestamp": "2023-11-03T19:00:23.985Z", + "user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name": "mohit.jha" + } + }, + "device": { + "id": "2ce412d17b334ad4adc8c1c54dbfec4b", + "manufacturer": "LENOVO", + "model": { + "name": "20VE" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "kind": "alert", + "original": 
"{\"agent_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"aggregate_id\":\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"alleged_filetype\":\"exe\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"cloud_indicator\":\"false\",\"cmdline\":\"\\\"C:\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\\\"\",\"composite_id\":\"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"confidence\":10,\"context_timestamp\":\"2023-11-03T18:00:31Z\",\"control_graph_id\":\"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778\",\"crawl_edge_ids\":{\"Sensor\":[\"KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2JIVMD36[+=kiQDRm.bB?;d\\\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N\",\"KZcZA__;?\\\"cmott@m_k)MSZ^+C?.cg92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';ea%iM\\\"__\\\"59K'R?_=`'`rK/'hA\\\"r+L5i-*Ut5PI!!*'!\",\"N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\\\"%MDAR=fo41Z]rXc\\\"J-\\\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr\",\"N6CUF__;K!d$:\\\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\\\"X'\\\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\\\"<_/?I'[##WMh'H[Rcl+!!<<'\",\"N6L[G__;K!d\\\"qhT7k?[D\\\"Bk:5s%+=>#DM0j$_44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\\\"d.&=To@9kS!prs8N\"]},\"crawl_vertex_ids\":{\"Sensor\":[\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"mod:2ce412d17b33
4ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993\",\"quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\"]},\"crawled_timestamp\":\"2023-11-03T19:00:23.985020992Z\",\"created_timestamp\":\"2023-11-03T18:01:23.995794943Z\",\"data_domains\":[\"Endpoint\"],\"description\":\"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.\",\"device\":{\"agent_load_flags\":\"0\",\"agent_local_time\":\"2023-10-12T03:45:57.753Z\",\"agent_version\":\"7.04.17605.0\",\"bios_manufacturer\":\"ABC\",\"bios_version\":\"F8CN42WW(V2.05)\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"config_id_base\":\"65994763\",\"config_id_build\":\"17605\",\"config_id_platform\":\"3\",\"device_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"external_ip\":\"81.2.69.142\",\"first_seen\":\"2023-04-07T09:36:36Z\",\"groups\":[\"18704e21288243b58e4c76266d38caaf\"],\"hostinfo\":{\"active_directory_dn_display\":[\"WinComputers\",\"WinComputers\\\\ABC\"],\"domain\":\"ABC.LOCAL\"},\"hostname\":\"ABC709-1175\",\"last_seen\":\"2023-11-03T17:51:42Z\",\"local_ip\":\"81.2.69.142\",\"mac_address\":\"ab-21-48-61-05-b2\",\"machine_domain\":\"ABC.LOCAL\",\"major_version\":\"10\",\"minor_version\":\"0\",\"modified_timestamp\":\"2023-11-03T17:53:43Z\",\"os_version\":\"Windows11\",\"ou\":[\"ABC\",\"WinComputers\"],\"platform_id\":\"0\",\"platform_name\":\"Windows\",\"pod_labels\":null,\"product_type\":\"1\",\"product_type_desc\":\"Workstation\",\"site_name\":\"Default-First-Site-Name\",\"status\":\"normal\",\"system_manufacturer\":\"LENOVO\",\"system_product_name\":\"20VE\"},\"falcon_host_link\":\"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17
b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"filename\":\"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"grandparent_details\":{\"cmdline\":\"C:\\\\Windows\\\\system32\\\\userinit.exe\",\"filename\":\"userinit.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\userinit.exe\",\"local_process_id\":\"4328\",\"md5\":\"b07f77fd3f9828b2c9d61f8a36609741\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135\",\"process_id\":\"392734873135\",\"sha256\":\"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"timestamp\":\"2023-10-30T16:49:19Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"yuvraj.mahajan\"},\"id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"indicator_id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"ioc_context\":[{\"ioc_description\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"ioc_source\":\"library_load\",\"ioc_type\":\"hash_sha256\",\"ioc_value\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"type\":\"module\"}],\"ioc_values\":[],\"local_process_id\":\"17076\",\"log
on_domain\":\"ABSYS\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"name\":\"PrewittPupAdwareSensorDetect-Lowest\",\"objective\":\"FalconDetectionMethod\",\"parent_details\":{\"cmdline\":\"C:\\\\WINDOWS\\\\Explorer.EXE\",\"filename\":\"explorer.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\explorer.exe\",\"local_process_id\":\"1040\",\"md5\":\"8cc3fcdd7d52d2d5221303c213e044ae\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"process_id\":\"392736520876\",\"sha256\":\"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"timestamp\":\"2023-11-03T18:00:32Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"},\"parent_process_id\":\"392736520876\",\"pattern_disposition\":2176,\"pattern_disposition_description\":\"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.\",\"pattern_disposition_details\":{\"blocking_unsupported_or_disabled\":false,\"bootup_safeguard_enabled\":false,\"critical_process_disabled\":false,\"detect\":false,\"fs_operation_blocked\":false,\"handle_operation_downgraded\":false,\"inddet_mask\":false,\"indicator\":false,\"kill_action_failed\":false,\"kill_parent\":false,\"kill_process\":false,\"kill_subprocess\":false,\"operation_blocked\":false,\"policy_disabled\":false,\"process_blocked\":true,\"quarantine_file\":true,\"quarantine_machine\":false,\"registry_operation_blocked\":false,\"rooting\":false,\"sensor_only\":false,\"suspend_parent\":false,\"suspend_process\":false},\"pattern_id\":5761,\"platform\":\"Windows\",\"poly_id\":\"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==\",\"process_end_time\":\"1699034421\",\"process_id\":\"399748687993\",\"process_start_time\":\"1699034413\",\"product\":\"epp\",\"quarantined_files\":[{\"filename\":\"\\\\Device\\\\Volume3\\\\Users\\\\y
uvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"id\":\"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"state\":\"quarantined\"}],\"scenario\":\"NGAV\",\"severity\":30,\"sha1\":\"0000000000000000000000000000000000000000\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"show_in_ui\":true,\"source_products\":[\"FalconInsight\"],\"source_vendors\":[\"CrowdStrike\"],\"status\":\"new\",\"tactic\":\"MachineLearning\",\"tactic_id\":\"CSTA0004\",\"technique\":\"Adware/PUP\",\"technique_id\":\"CST0000\",\"timestamp\":\"2023-11-03T18:00:22.328Z\",\"tree_id\":\"1931778\",\"tree_root\":\"38687993\",\"triggering_process_graph_id\":\"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993\",\"type\":\"ldt\",\"updated_timestamp\":\"2023-11-03T19:00:23.985007341Z\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"}", + "severity": 30 + }, + "file": { + "name": "openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "path": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe" + }, + "host": { + "domain": "ABC.LOCAL", + "hostname": "ABC709-1175", + "ip": [ + "81.2.69.142" + ], + "mac": [ + "AB-21-48-61-05-B2" + ], + "os": { + "full": "Windows11", + "platform": "Windows", + "type": "windows" + } + }, + "message": "ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.", + "process": { + "end": "2023-11-03T18:00:21.000Z", + 
"executable": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "hash": { + "md5": "cdf9cfebb400ce89d5b6032bfcdc693b", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd" + }, + "name": "openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "parent": { + "command_line": "C:\\WINDOWS\\Explorer.EXE", + "executable": "\\Device\\HarddiskVolume3\\Windows\\explorer.exe", + "hash": { + "md5": "8cc3fcdd7d52d2d5221303c213e044ae", + "sha256": "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4" + }, + "name": "explorer.exe", + "pid": 392736520876 + }, + "pid": 399748687993, + "start": "2023-11-03T18:00:13.000Z", + "user": { + "id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "name": "mohit.jha" + } + }, + "related": { + "hash": [ + "ABC709-1175", + "b07f77fd3f9828b2c9d61f8a36609741", + "cdf9cfebb400ce89d5b6032bfcdc693b", + "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "8cc3fcdd7d52d2d5221303c213e044ae", + "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "0000000000000000000000000000000000000000" + ], + "hosts": [ + "ABC.LOCAL" + ], + "ip": [ + "81.2.69.142" + ], + "user": [ + "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "S-1-5-21-1909377054-3469629671-4104191496-4425", + "yuvraj.mahajan", + "mohit.jha" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "framework": "CrowdStrike Falcon Detections Framework", + "tactic": { + "id": [ + "CSTA0004" + ], + "name": [ + "MachineLearning" + ] + }, + "technique": { + "id": [ + "CST0000" + ], + "name": [ + "Adware/PUP" + ] + } + }, + "user": { + 
"id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "name": "mohit.jha" + } + }, + { + "@timestamp": "2023-11-03T18:00:22.328Z", + "crowdstrike": { + "alert": { + "agent_id": "2ce412d17b334ad4adc8c1c54dbfec4b", + "aggregate_id": "aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "alleged_filetype": "exe", + "cid": "92012896127c4a948236ba7601b886b0", + "cloud_indicator": false, + "cmdline": "\"C:\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\"", + "composite_id": "92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "confidence": 10, + "context_timestamp": "2023-11-03T18:00:31.000Z", + "control_graph_id": "ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778", + "crawl_edge_ids": { + "Sensor": [ + "KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2JIVMD36[+=kiQDRm.bB?;d\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N", + "KZcZA__;?\"cmott@m_k)MSZ^+C?.cg92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';ea%iM\"__\"59K'R?_=`'`rK/'hA\"r+L5i-*Ut5PI!!*'!", + "N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\"%MDAR=fo41Z]rXc\"J-\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr", + "N6CUF__;K!d$:\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\"X'\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\"<_/?I'[##WMh'H[Rcl+!!<<'", + "N6L[G__;K!d\"qhT7k?[D\"Bk:5s%+=>#DM0j$_44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\"d.&=To@9kS!prs8N" + ] + }, + "crawl_vertex_ids": { + "Sensor": [ + "aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + 
"mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33", + "pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135", + "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876", + "pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993", + "quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425" + ] + }, + "crawled_timestamp": "2023-11-03T19:00:23.985Z", + "created_timestamp": "2023-11-03T18:01:23.995Z", + "data_domains": [ + "Endpoint" + ], + "description": "ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.", + "device": { + "agent_load_flags": 0, + "agent_local_time": "2023-10-12T03:45:57.753Z", + "agent_version": "7.04.17605.0", + "bios_manufacturer": "ABC", + "bios_version": "F8CN42WW(V2.05)", + "cid": "92012896127c4a948236ba7601b886b0", + "config_id_base": "65994763", + "config_id_build": "17605", + "config_id_platform": 3, + "external_ip": "81.2.69.142", + "first_seen": "2023-04-07T09:36:36.000Z", + "groups": [ + "18704e21288243b58e4c76266d38caaf" + ], + "hostinfo": { + "active_directory_dn_display": [ + "WinComputers", + "WinComputers\\ABC" + ], + "domain": "ABC.LOCAL" + }, + "hostname": "ABC709-1175", + "id": "2ce412d17b334ad4adc8c1c54dbfec4b", + "last_seen": "2023-11-03T17:51:42.000Z", + "local_ip": "81.2.69.142", + "mac_address": "AB-21-48-61-05-B2", + "machine_domain": "ABC.LOCAL", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2023-11-03T17:53:43.000Z", + "os_version": "Windows11", + "ou": [ + "ABC", + "WinComputers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": 
"Workstation", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "LENOVO", + "system_product_name": "20VE" + }, + "falcon_host_link": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "filename": "openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "filepath": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe", + "local_process_id": "4328", + "md5": "b07f77fd3f9828b2c9d61f8a36609741", + "process_graph_id": "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135", + "process_id": "392734873135", + "sha256": "caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33", + "timestamp": "2023-10-30T16:49:19.000Z", + "user_graph_id": "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name": "yuvraj.mahajan" + }, + "has_script_or_module_ioc": true, + "id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "indicator_id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": 
"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "md5": "cdf9cfebb400ce89d5b6032bfcdc693b", + "sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "type": "module" + } + ], + "ioc_values": [ + "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd" + ], + "is_synthetic_quarantine_disposition": true, + "local_process_id": "17076", + "logon_domain": "ABSYS", + "md5": "cdf9cfebb400ce89d5b6032bfcdc693b", + "name": "PrewittPupAdwareSensorDetect-Lowest", + "objective": "FalconDetectionMethod", + "parent_details": { + "cmdline": "C:\\WINDOWS\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume3\\Windows\\explorer.exe", + "local_process_id": "1040", + "md5": "8cc3fcdd7d52d2d5221303c213e044ae", + "process_graph_id": "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876", + "process_id": "392736520876", + "sha256": "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "timestamp": "2023-11-03T18:00:32.000Z", + "user_graph_id": "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name": "mohit.jha" + }, + "parent_process_id": "392736520876", + "pattern_disposition": 2176, + "pattern_disposition_description": "Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "operation_blocked": false, + "policy_disabled": false, + "process_blocked": true, + "quarantine_file": true, + "quarantine_machine": false, + "registry_operation_blocked": false, + 
"rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": "5761", + "platform": "Windows", + "poly_id": "AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==", + "process_end_time": "2023-11-03T18:00:21.000Z", + "process_id": "399748687993", + "process_start_time": "2023-11-03T18:00:13.000Z", + "product": "epp", + "quarantined_files": [ + { + "filename": "\\Device\\Volume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "id": "2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "state": "quarantined" + } + ], + "scenario": "NGAV", + "severity": 30, + "sha1": "0000000000000000000000000000000000000000", + "sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "show_in_ui": true, + "source_products": [ + "FalconInsight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "MachineLearning", + "tactic_id": "CSTA0004", + "technique": "Adware/PUP", + "technique_id": "CST0000", + "timestamp": "2023-11-03T18:00:22.328Z", + "tree_id": "1931778", + "tree_root": "38687993", + "triggering_process_graph_id": "pid:2ce4124ad4adc8c1c54dbfec4b:399748687993", + "type": "ldt", + "updated_timestamp": "2023-11-03T19:00:23.985Z", + "user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name": "mohit.jha" + } + }, + "device": { + "id": "2ce412d17b334ad4adc8c1c54dbfec4b", + "manufacturer": "LENOVO", + "model": { + "name": "20VE" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "kind": "alert", + "original": 
"{\"agent_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"aggregate_id\":\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"alleged_filetype\":\"exe\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"cloud_indicator\":\"false\",\"cmdline\":\"\\\"C:\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\\\"\",\"composite_id\":\"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"confidence\":10,\"context_timestamp\":\"2023-11-03T18:00:31Z\",\"control_graph_id\":\"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778\",\"crawl_edge_ids\":{\"Sensor\":[\"KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2JIVMD36[+=kiQDRm.bB?;d\\\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N\",\"KZcZA__;?\\\"cmott@m_k)MSZ^+C?.cg92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';ea%iM\\\"__\\\"59K'R?_=`'`rK/'hA\\\"r+L5i-*Ut5PI!!*'!\",\"N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\\\"%MDAR=fo41Z]rXc\\\"J-\\\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr\",\"N6CUF__;K!d$:\\\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\\\"X'\\\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\\\"<_/?I'[##WMh'H[Rcl+!!<<'\",\"N6L[G__;K!d\\\"qhT7k?[D\\\"Bk:5s%+=>#DM0j$_44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\\\"d.&=To@9kS!prs8N\"]},\"crawl_vertex_ids\":{\"Sensor\":[\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"mod:2ce412d17b33
4ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993\",\"quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\"]},\"crawled_timestamp\":\"2023-11-03T19:00:23.985020992Z\",\"created_timestamp\":\"2023-11-03T18:01:23.995794943Z\",\"data_domains\":[\"Endpoint\"],\"description\":\"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.\",\"device\":{\"agent_load_flags\":\"0\",\"agent_local_time\":\"2023-10-12T03:45:57.753Z\",\"agent_version\":\"7.04.17605.0\",\"bios_manufacturer\":\"ABC\",\"bios_version\":\"F8CN42WW(V2.05)\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"config_id_base\":\"65994763\",\"config_id_build\":\"17605\",\"config_id_platform\":\"3\",\"device_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"external_ip\":\"81.2.69.142\",\"first_seen\":\"2023-04-07T09:36:36Z\",\"groups\":[\"18704e21288243b58e4c76266d38caaf\"],\"hostinfo\":{\"active_directory_dn_display\":[\"WinComputers\",\"WinComputers\\\\ABC\"],\"domain\":\"ABC.LOCAL\"},\"hostname\":\"ABC709-1175\",\"last_seen\":\"2023-11-03T17:51:42Z\",\"local_ip\":\"81.2.69.142\",\"mac_address\":\"ab-21-48-61-05-b2\",\"machine_domain\":\"ABC.LOCAL\",\"major_version\":\"10\",\"minor_version\":\"0\",\"modified_timestamp\":\"2023-11-03T17:53:43Z\",\"os_version\":\"Windows11\",\"ou\":[\"ABC\",\"WinComputers\"],\"platform_id\":\"0\",\"platform_name\":\"Windows\",\"pod_labels\":null,\"product_type\":\"1\",\"product_type_desc\":\"Workstation\",\"site_name\":\"Default-First-Site-Name\",\"status\":\"normal\",\"system_manufacturer\":\"LENOVO\",\"system_product_name\":\"20VE\"},\"falcon_host_link\":\"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17
b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"filename\":\"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"grandparent_details\":{\"cmdline\":\"C:\\\\Windows\\\\system32\\\\userinit.exe\",\"filename\":\"userinit.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\userinit.exe\",\"local_process_id\":\"4328\",\"md5\":\"b07f77fd3f9828b2c9d61f8a36609741\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135\",\"process_id\":\"392734873135\",\"sha256\":\"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"timestamp\":\"2023-10-30T16:49:19Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"yuvraj.mahajan\"},\"id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"indicator_id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"ioc_context\":[{\"ioc_description\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"ioc_source\":\"library_load\",\"ioc_type\":\"hash_sha256\",\"ioc_value\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"type\":\"module\"}],\"local_process_id\":\"17076\",\"logon_domain\":\"ABSY
S\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"name\":\"PrewittPupAdwareSensorDetect-Lowest\",\"objective\":\"FalconDetectionMethod\",\"parent_details\":{\"cmdline\":\"C:\\\\WINDOWS\\\\Explorer.EXE\",\"filename\":\"explorer.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\explorer.exe\",\"local_process_id\":\"1040\",\"md5\":\"8cc3fcdd7d52d2d5221303c213e044ae\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"process_id\":\"392736520876\",\"sha256\":\"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"timestamp\":\"2023-11-03T18:00:32Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"},\"parent_process_id\":\"392736520876\",\"pattern_disposition\":2176,\"pattern_disposition_description\":\"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.\",\"pattern_disposition_details\":{\"blocking_unsupported_or_disabled\":false,\"bootup_safeguard_enabled\":false,\"critical_process_disabled\":false,\"detect\":false,\"fs_operation_blocked\":false,\"handle_operation_downgraded\":false,\"inddet_mask\":false,\"indicator\":false,\"kill_action_failed\":false,\"kill_parent\":false,\"kill_process\":false,\"kill_subprocess\":false,\"operation_blocked\":false,\"policy_disabled\":false,\"process_blocked\":true,\"quarantine_file\":true,\"quarantine_machine\":false,\"registry_operation_blocked\":false,\"rooting\":false,\"sensor_only\":false,\"suspend_parent\":false,\"suspend_process\":false},\"pattern_id\":5761,\"platform\":\"Windows\",\"poly_id\":\"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==\",\"process_end_time\":\"1699034421\",\"process_id\":\"399748687993\",\"process_start_time\":\"1699034413\",\"product\":\"epp\",\"quarantined_files\":[{\"filename\":\"\\\\Device\\\\Volume3\\\\Users\\\\yuvraj.mahajan\\\\A
ppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"id\":\"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"state\":\"quarantined\"}],\"scenario\":\"NGAV\",\"severity\":30,\"sha1\":\"0000000000000000000000000000000000000000\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"show_in_ui\":true,\"source_products\":[\"FalconInsight\"],\"source_vendors\":[\"CrowdStrike\"],\"status\":\"new\",\"tactic\":\"MachineLearning\",\"tactic_id\":\"CSTA0004\",\"technique\":\"Adware/PUP\",\"technique_id\":\"CST0000\",\"timestamp\":\"2023-11-03T18:00:22.328Z\",\"tree_id\":\"1931778\",\"tree_root\":\"38687993\",\"triggering_process_graph_id\":\"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993\",\"type\":\"ldt\",\"updated_timestamp\":\"2023-11-03T19:00:23.985007341Z\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"}", + "severity": 30 + }, + "file": { + "name": "openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "path": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe" + }, + "host": { + "domain": "ABC.LOCAL", + "hostname": "ABC709-1175", + "ip": [ + "81.2.69.142" + ], + "mac": [ + "AB-21-48-61-05-B2" + ], + "os": { + "full": "Windows11", + "platform": "Windows", + "type": "windows" + } + }, + "message": "ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.", + "process": { + "end": "2023-11-03T18:00:21.000Z", + "executable": 
"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "hash": { + "md5": "cdf9cfebb400ce89d5b6032bfcdc693b", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd" + }, + "name": "openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "parent": { + "command_line": "C:\\WINDOWS\\Explorer.EXE", + "executable": "\\Device\\HarddiskVolume3\\Windows\\explorer.exe", + "hash": { + "md5": "8cc3fcdd7d52d2d5221303c213e044ae", + "sha256": "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4" + }, + "name": "explorer.exe", + "pid": 392736520876 + }, + "pid": 399748687993, + "start": "2023-11-03T18:00:13.000Z", + "user": { + "id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "name": "mohit.jha" + } + }, + "related": { + "hash": [ + "ABC709-1175", + "b07f77fd3f9828b2c9d61f8a36609741", + "cdf9cfebb400ce89d5b6032bfcdc693b", + "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "8cc3fcdd7d52d2d5221303c213e044ae", + "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "0000000000000000000000000000000000000000" + ], + "hosts": [ + "ABC.LOCAL" + ], + "ip": [ + "81.2.69.142" + ], + "user": [ + "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "S-1-5-21-1909377054-3469629671-4104191496-4425", + "yuvraj.mahajan", + "mohit.jha" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "framework": "CrowdStrike Falcon Detections Framework", + "tactic": { + "id": [ + "CSTA0004" + ], + "name": [ + "MachineLearning" + ] + }, + "technique": { + "id": [ + "CST0000" + ], + "name": [ + "Adware/PUP" + ] + } + }, + "user": { + "id": 
"S-1-5-21-1909377054-3469629671-4104191496-4425",
+ "name": "mohit.jha" + } } ] }
\ No newline at end of file
diff --git a/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
index c4058cad4b1..911383ac0a8 100644
--- a/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
@@ -844,6 +844,24 @@ processors:
- append:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - script:
+ tag: reconstruct_has_script_or_module_ioc_from_ioc_context
+ lang: painless
+ if: ctx.crowdstrike?.alert?.has_script_or_module_ioc == null && ctx.json?.ioc_context instanceof List
+ source: |
+ if (ctx.crowdstrike == null) {
+ ctx.crowdstrike = [:];
+ }
+ if (ctx.crowdstrike.alert == null) {
+ ctx.crowdstrike.alert = [:];
+ }
+ for (def c: ctx.json.ioc_context) {
+ if (c.type == 'module' || c.type == 'script') {
+ ctx.crowdstrike.alert.has_script_or_module_ioc = true;
+ return;
+ }
+ }
+ ctx.crowdstrike.alert.has_script_or_module_ioc = false;
- rename:
field: json.id
tag: rename_id
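Review bot: The loop body `if (c.type == 'module' || c.type == 'script')` assumes every `ioc_context` element is an object; a non-object element (a bare string, for instance) makes the `.type` access throw, and unlike the convert processors around it — the tail of one such `on_failure` appender is visible as context just above the new script — this processor carries no `on_failure`, so unless a pipeline-level handler exists outside the hunk the whole document is rejected instead of gaining an `error.message` entry. Guard the element and attach the same appender: `if (c instanceof Map && (c.type == 'module' || c.type == 'script')) {`. The `'script'` branch is not exercised by any sample in this PR (the test event only carries `"type": "module"`), so it is an assumption that belongs in a comment beside the `if:`, e.g. `# Shim for the CrowdStrike-deprecated has_script_or_module_ioc: derived from ioc_context[].type. Only 'module' has been observed in sample data; 'script' is assumed.` The enclosing `processors:` sequence continues on both sides of the hunk.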
@@ -1034,6 +1052,23 @@ processors:
tag: rename_ioc_values
target_field: crowdstrike.alert.ioc_values
ignore_missing: true
+ - append:
+ field: crowdstrike.alert.ioc_values
+ tag: append_ioc_context_ioc_value_to_ioc_values
+ value: '{{{crowdstrike.alert.ioc_value}}}'
+ if: ctx.crowdstrike?.alert?.ioc_value != null
+ allow_duplicates: false
+ - foreach:
+ tag: reconstruct_ioc_values_from_ioc_context
+ field: crowdstrike.alert.ioc_context
+ if: ctx.crowdstrike?.alert?.ioc_context instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: crowdstrike.alert.ioc_values
+ tag: append_ioc_context_ioc_value_to_ioc_values
+ value: '{{{_ingest._value.ioc_value}}}'
+ allow_duplicates: false
- convert:
field: json.is_synthetic_quarantine_disposition
tag: convert_is_synthetic_quarantine_disposition_to_boolean
@@ -1045,6 +1080,24 @@ processors:
- append:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - script:
+ tag: reconstruct_is_synthetic_quarantine_disposition_from_pattern_disposition_details
+ lang: painless
+ if: ctx.crowdstrike?.alert?.is_synthetic_quarantine_disposition == null && ctx.json?.pattern_disposition_details instanceof Map
+ source: |
+ if (ctx.crowdstrike == null) {
+ ctx.crowdstrike = [:];
+ }
+ if (ctx.crowdstrike.alert == null) {
+ ctx.crowdstrike.alert = [:];
+ }
+ for (def d: ctx.json.pattern_disposition_details.entrySet()) {
+ if (d.getKey() == 'quarantine_file') {
+ ctx.crowdstrike.alert.is_synthetic_quarantine_disposition = d.getValue();
+ return;
+ }
+ }
+ ctx.crowdstrike.alert.is_synthetic_quarantine_disposition = false;
- convert:
field: json.ldap_search_query_attack
tag: convert_ldap_search_query_attack_to_long
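Review bot: The inner `append` under `reconstruct_ioc_values_from_ioc_context` renders `{{{_ingest._value.ioc_value}}}` for every element of `ioc_context`, and an element with no `ioc_value` renders as an empty string that `allow_duplicates: false` does not filter, so `crowdstrike.alert.ioc_values` can pick up a bogus `""` indicator; `ignore_failure: true` does not help because nothing fails. Add a condition to the inner append, `if: ctx._ingest._value?.ioc_value != null`, mirroring the null check the top-level append already has. The tag `append_ioc_context_ioc_value_to_ioc_values` is also used twice, once on the top-level append (which copies `crowdstrike.alert.ioc_value`, not anything from `ioc_context`) and once on the inner one, so a failure message could not say which fired; rename the first to `tag: append_ioc_value_to_ioc_values`. Finally, `ignore_failure: true` on the foreach departs from the pipeline's visible convention of appending to `error.message` through `on_failure`, which hides malformed `ioc_context` entries from anyone triaging ingest errors.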
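Review bot: The script assigns `d.getValue()` through unchanged, so whatever type Falcon emits for `quarantine_file` lands in `crowdstrike.alert.is_synthetic_quarantine_disposition`, while the native field is normalised by `convert_is_synthetic_quarantine_disposition_to_boolean` just above; the sample `event.original` in this same PR shows a boolean emitted as the string `"true"` (`has_script_or_module_ioc`), so the shim should coerce the same way. Iterating `entrySet()` to find one key is also roundabout; a direct lookup with coercion replaces the loop: `def q = ctx.json.pattern_disposition_details.quarantine_file;` followed by `ctx.crowdstrike.alert.is_synthetic_quarantine_disposition = q instanceof Boolean ? q : q == 'true';`, which still yields `false` when the key is absent. Note too that the test event's `pattern_disposition_description` says quarantine "was attempted", so the reconstructed value signals an attempted quarantine rather than a confirmed one; the deprecated field's exact semantics are not documented in this PR, so add a comment on the processor stating that the mapping from `pattern_disposition_details.quarantine_file` is inferred, so analysts do not read it as proof the file was removed.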
diff --git a/packages/crowdstrike/data_stream/alert/sample_event.json b/packages/crowdstrike/data_stream/alert/sample_event.json index a93203f7efa..637966b72a0 100644 --- a/packages/crowdstrike/data_stream/alert/sample_event.json +++ b/packages/crowdstrike/data_stream/alert/sample_event.json @@ -1,9 +1,9 @@ { "@timestamp": "2023-11-03T18:00:22.328Z", "agent": { - "ephemeral_id": "e2a7acfd-610b-402b-a3b4-040834c03397", - "id": "584b36cf-4aec-427b-b7ca-723abfe9a1dd", - "name": "docker-fleet-agent", + "ephemeral_id": "27ef9ebb-d201-4dce-a6fe-40de865e8c36", + "id": "03b4d78a-97e1-4c91-9b6f-c97feae33280", + "name": "elastic-agent-14353", "type": "filebeat", "version": "8.13.0" }, @@ -130,6 +130,9 @@ "type": "module" } ], + "ioc_values": [ + "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd" + ], "is_synthetic_quarantine_disposition": true, "local_process_id": "17076", "logon_domain": "ABSYS", @@ -220,7 +223,7 @@ }, "data_stream": { "dataset": "crowdstrike.alert", - "namespace": "51589", + "namespace": "94431", "type": "logs" }, "device": { @@ -234,7 +237,7 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "584b36cf-4aec-427b-b7ca-723abfe9a1dd", + "id": "03b4d78a-97e1-4c91-9b6f-c97feae33280", "snapshot": false, "version": "8.13.0" }, 
@@ -242,7 +245,7 @@ "agent_id_status": "verified", "dataset": "crowdstrike.alert", "id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", - "ingested": "2024-10-10T09:46:29Z", + "ingested": "2024-10-01T00:09:14Z", "kind": "alert", "original": "{\"agent_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"aggregate_id\":\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"alleged_filetype\":\"exe\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"cloud_indicator\":\"false\",\"cmdline\":\"\\\"C:\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\\\"\",\"composite_id\":\"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"confidence\":10,\"context_timestamp\":\"2023-11-03T18:00:31Z\",\"control_graph_id\":\"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778\",\"crawl_edge_ids\":{\"Sensor\":[\"KZcZ=__;K\\u0026cmqQ]Z=W,QK4W.9(rBfs\\\\gfmjTblqI^F-_oNnAWQ\\u0026-o0:dR/\\u003e\\u003e2J\\u003cd2T/ji6R\\u0026RIHe-tZSkP*q?HW;:leq.:kk)\\u003eIVMD36[+=kiQDRm.bB?;d\\\"V0JaQlaltC59Iq6nM?6`\\u003eZAs+LbOJ9p9A;9'WV9^H3XEMs8N\",\"KZcZA__;?\\\"cmott@m_k)MSZ^+C?.cg\\u003cLga#0@71X07*LY2teE56*16pL[=!bjF7g@0jOQE'jT6RX_F@sr#RP-U/d[#nm9A,A,W%cl/T@\\u003cW`alY1K_h%QDBBF;_e7S!!*'!\",\"KZd)iK2;s\\\\ckQl_P*d=Mo?^a7/JKc\\\\*L48169!7I5;0\\\\\\u003cH^hNG\\\"ZQ3#U3\\\"eo\\u003c\\u003e92t[f!\\u003e*b9WLY@H!V0N,BJsNSTD:?/+fY';e\\u003cOHh9AmlT?5\\u003cgGqK:*L99kat+P)eZ$HR\\\"Ql@Q!!!$!rr\",\"N6=Ks_B9Bncmur)?\\\\[fV$k/N5;:6@aB$P;R$2XAaPJ?E\\u003cG5,UfaP')8#2AY4ff+q?T?b0/RBi-YAeGmb\\u003c6Bqp[DZh#I(jObGkjJJaMf\\\\:#mb;BM\\\\L[g!\\\\F*M!!*'!\",\"N6B%O`'=_7d#%u\\u0026d[+LTNDs\\u003c3307?8n=GrFI:4YYGCL,cIt-Tuj!\\u0026\\u003c6:3RbC`uNjL#gW\\u0026=)E`4^/'fp*.bFX@p_$,R6.\\\"=lV*T*5Vf`c.:nkd$+YD:DJ,Ls0[sArC')K%YTc$:@kUQW5s8N\",\"N6B%s!\\\\k)e
d$F6\\u003ea%iM\\\"\\u003cFTSe/eH8M:\\u003c9gf;$$.b??kpC*99aX!Lq:g6:Q3@Ga4Zrb@MaMa]L'YAt$IFBu])\\\"H^sF$r7gDPf6\\u0026CHpVKO3\\u003cDgK9,Y/e@V\\\"b\\u0026m!\\u003c\\u003c'\",\"N6CU\\u0026`%VT\\\"d$=67=h\\\\I)/BJH:8-lS!.%\\\\-!$1@bAhtVO?q4]9'9'haE4N0*-0Uh'-'f',YW3]T=jL3D#N=fJi]Pp-bWej+R9q[%h[p]p26NK8q3b50k9G:.\\u0026eM\\u003cQer\\u003e__\\\"59K'R?_=`'`rK/'hA\\\"r+L5i-*Ut5PI!!*'!\",\"N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A\\u0026FE;(naXB4h/OG\\\"%MDAR=fo41Z]rXc\\\"J-\\\\\\u0026\\u0026V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr\",\"N6CUF__;K!d$:\\\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\\\"X'\\\\AtNML2_C__7ic6,8Dc[F\\u003c0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##\\u0026$^81(P+hN*-#rf/cUs)Wb\\\"\\u003c_/?I'[##WMh'H[Rcl+!!\\u003c\\u003c'\",\"N6L[G__;K!d\\\"qhT7k?[D\\\"Bk:5s%+=\\u003e#DM0j$_\\u003cr/JG0TCEQ!Ug(be3)\\u0026R2JnX+RSqorgC-NCjf6XATBWX(5\\u003cL1J1DV\\u003e44ZjO9q*d!YLuHhkq!3\\u003e3tpi\\u003eOPYZp9]5f1#/AlRZL06`/I6cl\\\"d.\\u0026=To@9kS!prs8N\"]},\"crawl_vertex_ids\":{\"Sensor\":[\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993\",\"quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\"]},\"crawled_timestamp\":\"2023-11-03T19:00:23.985020992Z\",\"created_timestamp\":\"2023-11-03T18:01:23.99
5794943Z\",\"data_domains\":[\"Endpoint\"],\"description\":\"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.\",\"device\":{\"agent_load_flags\":\"0\",\"agent_local_time\":\"2023-10-12T03:45:57.753Z\",\"agent_version\":\"7.04.17605.0\",\"bios_manufacturer\":\"ABC\",\"bios_version\":\"F8CN42WW(V2.05)\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"config_id_base\":\"65994763\",\"config_id_build\":\"17605\",\"config_id_platform\":\"3\",\"device_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"external_ip\":\"81.2.69.142\",\"first_seen\":\"2023-04-07T09:36:36Z\",\"groups\":[\"18704e21288243b58e4c76266d38caaf\"],\"hostinfo\":{\"active_directory_dn_display\":[\"WinComputers\",\"WinComputers\\\\ABC\"],\"domain\":\"ABC.LOCAL\"},\"hostname\":\"ABC709-1175\",\"last_seen\":\"2023-11-03T17:51:42Z\",\"local_ip\":\"81.2.69.142\",\"mac_address\":\"ab-21-48-61-05-b2\",\"machine_domain\":\"ABC.LOCAL\",\"major_version\":\"10\",\"minor_version\":\"0\",\"modified_timestamp\":\"2023-11-03T17:53:43Z\",\"os_version\":\"Windows11\",\"ou\":[\"ABC\",\"WinComputers\"],\"platform_id\":\"0\",\"platform_name\":\"Windows\",\"pod_labels\":null,\"product_type\":\"1\",\"product_type_desc\":\"Workstation\",\"site_name\":\"Default-First-Site-Name\",\"status\":\"normal\",\"system_manufacturer\":\"LENOVO\",\"system_product_name\":\"20VE\"},\"falcon_host_link\":\"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"filename\":\"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"grandparent_details\":{\"cmdline\":\"C:\\\\Windows\\\\system32\\\\userinit.exe\",\"filename\"
:\"userinit.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\userinit.exe\",\"local_process_id\":\"4328\",\"md5\":\"b07f77fd3f9828b2c9d61f8a36609741\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135\",\"process_id\":\"392734873135\",\"sha256\":\"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"timestamp\":\"2023-10-30T16:49:19Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"yuvraj.mahajan\"},\"has_script_or_module_ioc\":\"true\",\"id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"indicator_id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"ioc_context\":[{\"ioc_description\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"ioc_source\":\"library_load\",\"ioc_type\":\"hash_sha256\",\"ioc_value\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"type\":\"module\"}],\"ioc_values\":[],\"is_synthetic_quarantine_disposition\":true,\"local_process_id\":\"17076\",\"logon_domain\":\"ABSYS\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"name\":\"PrewittPupAdwareSensorDetect-Lowest\",\"objective\":\"FalconDetectionMethod\",\"parent_details\":{\"cmdline\":\"C:\\\\WINDOWS\\\\Explorer.EXE\",\"filename\":\"explorer.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\explorer.exe\",\"local_process_id\":\"1040\",\"md5\":\"8cc3fcdd7d52d2d5221303c213e044ae\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392
736520876\",\"process_id\":\"392736520876\",\"sha256\":\"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"timestamp\":\"2023-11-03T18:00:32Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"},\"parent_process_id\":\"392736520876\",\"pattern_disposition\":2176,\"pattern_disposition_description\":\"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.\",\"pattern_disposition_details\":{\"blocking_unsupported_or_disabled\":false,\"bootup_safeguard_enabled\":false,\"critical_process_disabled\":false,\"detect\":false,\"fs_operation_blocked\":false,\"handle_operation_downgraded\":false,\"inddet_mask\":false,\"indicator\":false,\"kill_action_failed\":false,\"kill_parent\":false,\"kill_process\":false,\"kill_subprocess\":false,\"operation_blocked\":false,\"policy_disabled\":false,\"process_blocked\":true,\"quarantine_file\":true,\"quarantine_machine\":false,\"registry_operation_blocked\":false,\"rooting\":false,\"sensor_only\":false,\"suspend_parent\":false,\"suspend_process\":false},\"pattern_id\":5761,\"platform\":\"Windows\",\"poly_id\":\"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==\",\"process_end_time\":\"1699034421\",\"process_id\":\"399748687993\",\"process_start_time\":\"1699034413\",\"product\":\"epp\",\"quarantined_files\":[{\"filename\":\"\\\\Device\\\\Volume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"id\":\"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"state\":\"quaran
tined\"}],\"scenario\":\"NGAV\",\"severity\":30,\"sha1\":\"0000000000000000000000000000000000000000\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"show_in_ui\":true,\"source_products\":[\"FalconInsight\"],\"source_vendors\":[\"CrowdStrike\"],\"status\":\"new\",\"tactic\":\"MachineLearning\",\"tactic_id\":\"CSTA0004\",\"technique\":\"Adware/PUP\",\"technique_id\":\"CST0000\",\"timestamp\":\"2023-11-03T18:00:22.328Z\",\"tree_id\":\"1931778\",\"tree_root\":\"38687993\",\"triggering_process_graph_id\":\"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993\",\"type\":\"ldt\",\"updated_timestamp\":\"2023-11-03T19:00:23.985007341Z\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"}", "severity": 30 diff --git a/packages/crowdstrike/docs/README.md b/packages/crowdstrike/docs/README.md index 66ca1b50fd5..08f8321faeb 100644 --- a/packages/crowdstrike/docs/README.md +++ b/packages/crowdstrike/docs/README.md @@ -49,9 +49,9 @@ An example event for `alert` looks as following: { "@timestamp": "2023-11-03T18:00:22.328Z", "agent": { - "ephemeral_id": "e2a7acfd-610b-402b-a3b4-040834c03397", - "id": "584b36cf-4aec-427b-b7ca-723abfe9a1dd", - "name": "docker-fleet-agent", + "ephemeral_id": "27ef9ebb-d201-4dce-a6fe-40de865e8c36", + "id": "03b4d78a-97e1-4c91-9b6f-c97feae33280", + "name": "elastic-agent-14353", "type": "filebeat", "version": "8.13.0" }, @@ -178,6 +178,9 @@ An example event for `alert` looks as following: "type": "module" } ], + "ioc_values": [ + "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd" + ], "is_synthetic_quarantine_disposition": true, "local_process_id": "17076", "logon_domain": "ABSYS", @@ -268,7 +271,7 @@ An example event for `alert` looks as following: }, "data_stream": { "dataset": "crowdstrike.alert", - "namespace": "51589", + "namespace": "94431", "type": "logs" }, "device": { 
@@ -282,7 +285,7 @@ An example event for `alert` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "584b36cf-4aec-427b-b7ca-723abfe9a1dd", + "id": "03b4d78a-97e1-4c91-9b6f-c97feae33280", "snapshot": false, "version": "8.13.0" }, 
@@ -290,7 +293,7 @@ An example event for `alert` looks as following: "agent_id_status": "verified", "dataset": "crowdstrike.alert", "id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", - "ingested": "2024-10-10T09:46:29Z", + "ingested": "2024-10-01T00:09:14Z", "kind": "alert", "original": "{\"agent_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"aggregate_id\":\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"alleged_filetype\":\"exe\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"cloud_indicator\":\"false\",\"cmdline\":\"\\\"C:\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\\\"\",\"composite_id\":\"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"confidence\":10,\"context_timestamp\":\"2023-11-03T18:00:31Z\",\"control_graph_id\":\"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778\",\"crawl_edge_ids\":{\"Sensor\":[\"KZcZ=__;K\\u0026cmqQ]Z=W,QK4W.9(rBfs\\\\gfmjTblqI^F-_oNnAWQ\\u0026-o0:dR/\\u003e\\u003e2J\\u003cd2T/ji6R\\u0026RIHe-tZSkP*q?HW;:leq.:kk)\\u003eIVMD36[+=kiQDRm.bB?;d\\\"V0JaQlaltC59Iq6nM?6`\\u003eZAs+LbOJ9p9A;9'WV9^H3XEMs8N\",\"KZcZA__;?\\\"cmott@m_k)MSZ^+C?.cg\\u003cLga#0@71X07*LY2teE56*16pL[=!bjF7g@0jOQE'jT6RX_F@sr#RP-U/d[#nm9A,A,W%cl/T@\\u003cW`alY1K_h%QDBBF;_e7S!!*'!\",\"KZd)iK2;s\\\\ckQl_P*d=Mo?^a7/JKc\\\\*L48169!7I5;0\\\\\\u003cH^hNG\\\"ZQ3#U3\\\"eo\\u003c\\u003e92t[f!\\u003e*b9WLY@H!V0N,BJsNSTD:?/+fY';e\\u003cOHh9AmlT?5\\u003cgGqK:*L99kat+P)eZ$HR\\\"Ql@Q!!!$!rr\",\"N6=Ks_B9Bncmur)?\\\\[fV$k/N5;:6@aB$P;R$2XAaPJ?E\\u003cG5,UfaP')8#2AY4ff+q?T?b0/RBi-YAeGmb\\u003c6Bqp[DZh#I(jObGkjJJaMf\\\\:#mb;BM\\\\L[g!\\\\F*M!!*'!\",\"N6B%O`'=_7d#%u\\u0026d[+LTNDs\\u003c3307?8n=GrFI:4YYGCL,cIt-Tuj!\\u0026\\u003c6:3RbC`uNjL#gW\\u0026=)E`4^/'fp*.bFX@p_$,R6.\\\"=lV*T*5Vf`c.:nkd$+Y
D:DJ,Ls0[sArC')K%YTc$:@kUQW5s8N\",\"N6B%s!\\\\k)ed$F6\\u003ea%iM\\\"\\u003cFTSe/eH8M:\\u003c9gf;$$.b??kpC*99aX!Lq:g6:Q3@Ga4Zrb@MaMa]L'YAt$IFBu])\\\"H^sF$r7gDPf6\\u0026CHpVKO3\\u003cDgK9,Y/e@V\\\"b\\u0026m!\\u003c\\u003c'\",\"N6CU\\u0026`%VT\\\"d$=67=h\\\\I)/BJH:8-lS!.%\\\\-!$1@bAhtVO?q4]9'9'haE4N0*-0Uh'-'f',YW3]T=jL3D#N=fJi]Pp-bWej+R9q[%h[p]p26NK8q3b50k9G:.\\u0026eM\\u003cQer\\u003e__\\\"59K'R?_=`'`rK/'hA\\\"r+L5i-*Ut5PI!!*'!\",\"N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A\\u0026FE;(naXB4h/OG\\\"%MDAR=fo41Z]rXc\\\"J-\\\\\\u0026\\u0026V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr\",\"N6CUF__;K!d$:\\\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\\\"X'\\\\AtNML2_C__7ic6,8Dc[F\\u003c0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##\\u0026$^81(P+hN*-#rf/cUs)Wb\\\"\\u003c_/?I'[##WMh'H[Rcl+!!\\u003c\\u003c'\",\"N6L[G__;K!d\\\"qhT7k?[D\\\"Bk:5s%+=\\u003e#DM0j$_\\u003cr/JG0TCEQ!Ug(be3)\\u0026R2JnX+RSqorgC-NCjf6XATBWX(5\\u003cL1J1DV\\u003e44ZjO9q*d!YLuHhkq!3\\u003e3tpi\\u003eOPYZp9]5f1#/AlRZL06`/I6cl\\\"d.\\u0026=To@9kS!prs8N\"]},\"crawl_vertex_ids\":{\"Sensor\":[\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993\",\"quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\"]},\"crawled_timestamp\":\"2023-11-03T19:00:23.985020992Z
\",\"created_timestamp\":\"2023-11-03T18:01:23.995794943Z\",\"data_domains\":[\"Endpoint\"],\"description\":\"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.\",\"device\":{\"agent_load_flags\":\"0\",\"agent_local_time\":\"2023-10-12T03:45:57.753Z\",\"agent_version\":\"7.04.17605.0\",\"bios_manufacturer\":\"ABC\",\"bios_version\":\"F8CN42WW(V2.05)\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"config_id_base\":\"65994763\",\"config_id_build\":\"17605\",\"config_id_platform\":\"3\",\"device_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"external_ip\":\"81.2.69.142\",\"first_seen\":\"2023-04-07T09:36:36Z\",\"groups\":[\"18704e21288243b58e4c76266d38caaf\"],\"hostinfo\":{\"active_directory_dn_display\":[\"WinComputers\",\"WinComputers\\\\ABC\"],\"domain\":\"ABC.LOCAL\"},\"hostname\":\"ABC709-1175\",\"last_seen\":\"2023-11-03T17:51:42Z\",\"local_ip\":\"81.2.69.142\",\"mac_address\":\"ab-21-48-61-05-b2\",\"machine_domain\":\"ABC.LOCAL\",\"major_version\":\"10\",\"minor_version\":\"0\",\"modified_timestamp\":\"2023-11-03T17:53:43Z\",\"os_version\":\"Windows11\",\"ou\":[\"ABC\",\"WinComputers\"],\"platform_id\":\"0\",\"platform_name\":\"Windows\",\"pod_labels\":null,\"product_type\":\"1\",\"product_type_desc\":\"Workstation\",\"site_name\":\"Default-First-Site-Name\",\"status\":\"normal\",\"system_manufacturer\":\"LENOVO\",\"system_product_name\":\"20VE\"},\"falcon_host_link\":\"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"filename\":\"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"grandparent_details\":{\"cmdline\":\"C:\\\\W
indows\\\\system32\\\\userinit.exe\",\"filename\":\"userinit.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\userinit.exe\",\"local_process_id\":\"4328\",\"md5\":\"b07f77fd3f9828b2c9d61f8a36609741\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135\",\"process_id\":\"392734873135\",\"sha256\":\"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"timestamp\":\"2023-10-30T16:49:19Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"yuvraj.mahajan\"},\"has_script_or_module_ioc\":\"true\",\"id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"indicator_id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"ioc_context\":[{\"ioc_description\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"ioc_source\":\"library_load\",\"ioc_type\":\"hash_sha256\",\"ioc_value\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"type\":\"module\"}],\"ioc_values\":[],\"is_synthetic_quarantine_disposition\":true,\"local_process_id\":\"17076\",\"logon_domain\":\"ABSYS\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"name\":\"PrewittPupAdwareSensorDetect-Lowest\",\"objective\":\"FalconDetectionMethod\",\"parent_details\":{\"cmdline\":\"C:\\\\WINDOWS\\\\Explorer.EXE\",\"filename\":\"explorer.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\explorer.exe\",\"local_process_id\":\"1040\",\"md5\":\"8cc3fcdd7d52d2d5221303c213e044ae\",\"process_grap
h_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"process_id\":\"392736520876\",\"sha256\":\"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"timestamp\":\"2023-11-03T18:00:32Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"},\"parent_process_id\":\"392736520876\",\"pattern_disposition\":2176,\"pattern_disposition_description\":\"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.\",\"pattern_disposition_details\":{\"blocking_unsupported_or_disabled\":false,\"bootup_safeguard_enabled\":false,\"critical_process_disabled\":false,\"detect\":false,\"fs_operation_blocked\":false,\"handle_operation_downgraded\":false,\"inddet_mask\":false,\"indicator\":false,\"kill_action_failed\":false,\"kill_parent\":false,\"kill_process\":false,\"kill_subprocess\":false,\"operation_blocked\":false,\"policy_disabled\":false,\"process_blocked\":true,\"quarantine_file\":true,\"quarantine_machine\":false,\"registry_operation_blocked\":false,\"rooting\":false,\"sensor_only\":false,\"suspend_parent\":false,\"suspend_process\":false},\"pattern_id\":5761,\"platform\":\"Windows\",\"poly_id\":\"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==\",\"process_end_time\":\"1699034421\",\"process_id\":\"399748687993\",\"process_start_time\":\"1699034413\",\"product\":\"epp\",\"quarantined_files\":[{\"filename\":\"\\\\Device\\\\Volume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"id\":\"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33
e611c8b9e08a3b24ea4d755b81fd\",\"state\":\"quarantined\"}],\"scenario\":\"NGAV\",\"severity\":30,\"sha1\":\"0000000000000000000000000000000000000000\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"show_in_ui\":true,\"source_products\":[\"FalconInsight\"],\"source_vendors\":[\"CrowdStrike\"],\"status\":\"new\",\"tactic\":\"MachineLearning\",\"tactic_id\":\"CSTA0004\",\"technique\":\"Adware/PUP\",\"technique_id\":\"CST0000\",\"timestamp\":\"2023-11-03T18:00:22.328Z\",\"tree_id\":\"1931778\",\"tree_root\":\"38687993\",\"triggering_process_graph_id\":\"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993\",\"type\":\"ldt\",\"updated_timestamp\":\"2023-11-03T19:00:23.985007341Z\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"}",
 "severity": 30
diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml
index 3931051a0f0..e5bedea7d30 100644
--- a/packages/crowdstrike/manifest.yml
+++ b/packages/crowdstrike/manifest.yml
@@ -1,6 +1,6 @@
 name: crowdstrike
 title: CrowdStrike
-version: "1.42.2"
+version: "1.43.0"
 description: Collect logs from Crowdstrike with Elastic Agent.
 type: integration
 format_version: "3.0.3"