Untitled

a guest
Feb 21st, 2019
  1. {
  2. "took": 95,
  3. "timed_out": false,
  4. "_shards": {
  5. "total": 5,
  6. "successful": 5,
  7. "skipped": 0,
  8. "failed": 0
  9. },
  10. "hits": {
  11. "total": 4,
  12. "max_score": 1,
  13. "hits": [
  14. {
  15. "_index": "xxx",
  16. "_type": "_doc",
  17. "_id": "xxxxxxxxx",
  18. "_score": 1,
  19. "_source": {
  20. "aid": 123,
  21. "activity": [
  22. {
  23. "act_timestamp": 1549437711762,
  24. "act_type": "reg_act",
  25. "reg_action": "writeval",
  26. "reg_action_typeid": 3
  27. },
  28. {
  29. "act_timestamp": 1549437714812,
  30. "act_type": "reg_act",
  31. "reg_action": "writeval",
  32. "reg_action_typeid": 3
  33. },
  34. {
  35. "act_timestamp": 1549437711418,
  36. "act_type": "child_proc",
  37. "child_name": "audiodg.exe"
  38. }
  39. ],
  40. "event_timestamp": 1549437712183,
  41. "tid": "demo",
  42. "procguid": "11111",
  43. "doc_id": 1000881655327721
  44. }
  45. },
  46. {
  47. "_index": "xxx",
  48. "_type": "_doc",
  49. "_id": "xxxxxxxxx",
  50. "_score": 1,
  51. "_source": {
  52. "aid": 123,
  53. "activity": [
  54. {
  55. "act_timestamp": 1549437977317,
  56. "act_type": "mod_load",
  57. "mod_path": "path1",
  58. "mod_size": 32768
  59. },
  60. {
  61. "act_timestamp": 1549437977390,
  62. "act_type": "mod_load",
  63. "mod_path": "path2",
  64. "mod_size": 667648
  65. },
  66. {
  67. "act_timestamp": 1549437977399,
  68. "act_type": "reg_act",
  69. "reg_action": "writeval",
  70. "reg_action_typeid": 3
  71. },
  72. {
  73. "act_timestamp": 1549437977407,
  74. "act_type": "child_proc",
  75. "child_name": "conhost.exe"
  76. }
  77. ],
  78. "event_timestamp": 1549437977406,
  79. "tid": "demo",
  80. "procguid": "22222",
  81. "doc_id": 1010298962848944
  82. }
  83. },
  84. {
  85. "_index": "xxx",
  86. "_type": "_doc",
  87. "_id": "xxxxxxxxx",
  88. "_score": 1,
  89. "_source": {
  90. "aid": 123,
  91. "activity": [
  92. {
  93. "act_timestamp": 1549437772915,
  94. "act_type": "mod_load",
  95. "mod_path": "path3",
  96. "mod_size": 409600
  97. },
  98. {
  99. "act_timestamp": 1549437772940,
  100. "act_type": "mod_load",
  101. "mod_path": "path4",
  102. "mod_size": 937984
  103. },
  104. {
  105. "act_timestamp": 1549437953405,
  106. "act_type": "child_proc",
  107. "child_name": "conhost.exe"
  108. }
  109. ],
  110. "event_timestamp": 1549437953405,
  111. "tid": "demo",
  112. "procguid": "22222",
  113. "doc_id": 1007612603810098
  114. }
  115. },
  116. {
  117. "_index": "xxx",
  118. "_type": "_doc",
  119. "_id": "xxxxxxxxx",
  120. "_score": 1,
  121. "_source": {
  122. "aid": 123,
  123. "activity": [
  124. {
  125. "act_timestamp": 1549437848842,
  126. "act_type": "mod_load",
  127. "mod_path": "path5",
  128. "mod_size": 1679360
  129. },
  130. {
  131. "act_timestamp": 1549437848844,
  132. "act_type": "mod_load",
  133. "mod_path": "path6",
  134. "mod_size": 2121728
  135. },
  136. {
  137. "act_timestamp": 1549437848864,
  138. "act_type": "mod_load",
  139. "mod_path": "path7",
  140. "mod_size": 266240
  141. },
  142. {
  143. "act_timestamp": 1549437849590,
  144. "act_type": "reg_act",
  145. "reg_action": "writeval",
  146. "reg_action_typeid": 3
  147. },
  148. {
  149. "act_timestamp": 1549437953418,
  150. "act_type": "child_proc",
  151. "child_name": "wpscloudsvr.exe"
  152. }
  153. ],
  154. "event_timestamp": 1549437953417,
  155. "tid": "demo",
  156. "procguid": "33333",
  157. "doc_id": 1007725853753652
  158. }
  159. }]}}
  160.  
  161. procguid act_type mod_path mod_size
  162.  
  163. 22222 mod_load path1 32768
  164. 22222 mod_load path2 667648
  165. 22222 mod_load path3 409600
  166. 22222 mod_load path4 937984
  167. 33333 mod_load path5 1679360
  168. 33333 mod_load path6 2121728
  169. 33333 mod_load path7 266240