Sure @leandrojmp,
Please see below:
"_source": {
"timezoneLabel": "Time Zone",
"SHA-1": "Before=bf2378f33fdec10c34c20cd0a6d9c15baff0f17d;After=7c21261cd9a5e5177d9bc03a0e7167172f07400f",
"Size": "Before=1350696;After=1353400",
"cs4Label": "Change Type",
"type": "syslog",
"cef_vendor": "Tripwire",
"cef_deviceversion": "5.5",
"dvc": "172.23.180.89",
"hardCodedIP": "10.42.1.51\r",
"cn1Label": "Tripwire Severity Number",
"cs3Label": "Rule Type",
"cef_eventclassid": "1",
"duser": "NT AUTHORITY\\SYSTEM",
"id": "<14>1",
"sysloghost": "te-poc-hyperv",
"fname": "C:\\Windows\\System32\\winresume.efi",
"cn1": "100",
"elementOIDLabel": "Element OID",
"cef_severity": "2",
"blVersionLabel": "Is baseline version",
"dhost": "te-poc-hyperv",
"cef_deviceproduct": "Enterprise",
"cs1": "Windows Server",
"sproc": "C:\\Windows\\System32\\poqexec.exe",
"cs3": "Windows File System Rule",
"rt": "Jan 23 2024 13:43:15",
"cs2": "System Configuration Files",
"cs5": "High",
"cs4": "Modified",
"timezone": "Greenwich Mean Time",
"cs6": "-1y2p0ij32e8ch:-1y2p0ij1vig8u",
"twes": "TW_ES",
"cs1Label": "Node Type",
"cs6Label": "Version OID",
"content": "Not available",
"dvchost": "te-dm-01.mshome.net",
"@version": "1",
"event": {
"original": "<14>1 2024-01-23T13:43:15.211Z te-poc-hyperv TW_ES - - - CEF:0|Tripwire|Enterprise|5.5|1|File Integrity Change|2|dvchost=te-dm-01.mshome.net|cs1=Windows Server|cs1Label=Node Type|cs2=System Configuration Files|cs2Label=Rule|cs3=Windows File System Rule|cs3Label=Rule Type|fname=C:\\Windows\\System32\\winresume.efi|cs4=Modified|cs4Label=Change Type|cs5=High|cs5Label=Tripwire Severity Name|cs6=-1y2p0ij32e8ch:-1y2p0ij1vig8u|cs6Label=Version OID|cn1=100|cn1Label=Tripwire Severity Number|sproc=C:\\Windows\\System32\\poqexec.exe|licurl=https://te-poc-hyperv/console/lic.search.cmd?lic=true&managerId=nodeManager&pageId=nodeManager.elementFinderPage&searchCriteria=%7B%22search.element.nodeGroup.selectedObject%22%3A%22-1y2p0ij32e8bv%3A-1y2p0ij1zzm0h%22%2C%22search.element.name.op%22%3A1%2C%22search.element.name%22%3A%22C%3A%5C%5CWindows%5C%5CSystem32%5C%5Cwinresume.efi%22%2C%22selectedSearchType%22%3A%22element%22%2C%22search.element.ruleGroup.selectedObject%22%3A%22-1y2p0ij32e7ps%3A-1y2p0ij1zzluk%22%2C%22criteria.searchExecuted%22%3Atrue%7D|start=Jan 23 2024 12:12:36|duser=NT AUTHORITY\\SYSTEM|dvc=172.23.180.89|rt=Jan 23 2024 13:43:15|dhost=te-poc-hyperv|SHA-1=Before=bf2378f33fdec10c34c20cd0a6d9c15baff0f17d;After=7c21261cd9a5e5177d9bc03a0e7167172f07400f|MD5=Not available|Size=Before=1350696;After=1353400|content=Not available|contentLabel=Current Version Content|timezone=Greenwich Mean Time|timezoneLabel=Time Zone|elementOID=-1y2p0ij32e8cc:-1y2p0ij1zxvxs|elementOIDLabel=Element OID|blVersion=false|blVersionLabel=Is baseline version|hardCodedIP=10.42.1.51\r"
},
"timestamp": "2024-01-23T13:43:15.211Z",
"cs5Label": "Tripwire Severity Name",
"cef_eventname": "File Integrity Change",
"licurl": "https://te-poc-hyperv/console/lic.search.cmd?lic=true&managerId=nodeManager&pageId=nodeManager.elementFinderPage&searchCriteria=%7B%22search.element.nodeGroup.selectedObject%22%3A%22-1y2p0ij32e8bv%3A-1y2p0ij1zzm0h%22%2C%22search.element.name.op%22%3A1%2C%22search.element.name%22%3A%22C%3A%5C%5CWindows%5C%5CSystem32%5C%5Cwinresume.efi%22%2C%22selectedSearchType%22%3A%22element%22%2C%22search.element.ruleGroup.selectedObject%22%3A%22-1y2p0ij32e7ps%3A-1y2p0ij1zzluk%22%2C%22criteria.searchExecuted%22%3Atrue%7D",
"start": "Jan 23 2024 12:12:36",
"message": "<14>1 2024-01-23T13:43:15.211Z te-poc-hyperv TW_ES - - - CEF:0|Tripwire|Enterprise|5.5|1|File Integrity Change|2|dvchost=te-dm-01.mshome.net|cs1=Windows Server|cs1Label=Node Type|cs2=System Configuration Files|cs2Label=Rule|cs3=Windows File System Rule|cs3Label=Rule Type|fname=C:\\Windows\\System32\\winresume.efi|cs4=Modified|cs4Label=Change Type|cs5=High|cs5Label=Tripwire Severity Name|cs6=-1y2p0ij32e8ch:-1y2p0ij1vig8u|cs6Label=Version OID|cn1=100|cn1Label=Tripwire Severity Number|sproc=C:\\Windows\\System32\\poqexec.exe|licurl=https://te-poc-hyperv/console/lic.search.cmd?lic=true&managerId=nodeManager&pageId=nodeManager.elementFinderPage&searchCriteria=%7B%22search.element.nodeGroup.selectedObject%22%3A%22-1y2p0ij32e8bv%3A-1y2p0ij1zzm0h%22%2C%22search.element.name.op%22%3A1%2C%22search.element.name%22%3A%22C%3A%5C%5CWindows%5C%5CSystem32%5C%5Cwinresume.efi%22%2C%22selectedSearchType%22%3A%22element%22%2C%22search.element.ruleGroup.selectedObject%22%3A%22-1y2p0ij32e7ps%3A-1y2p0ij1zzluk%22%2C%22criteria.searchExecuted%22%3Atrue%7D|start=Jan 23 2024 12:12:36|duser=NT AUTHORITY\\SYSTEM|dvc=172.23.180.89|rt=Jan 23 2024 13:43:15|dhost=te-poc-hyperv|SHA-1=Before=bf2378f33fdec10c34c20cd0a6d9c15baff0f17d;After=7c21261cd9a5e5177d9bc03a0e7167172f07400f|MD5=Not available|Size=Before=1350696;After=1353400|content=Not available|contentLabel=Current Version Content|timezone=Greenwich Mean Time|timezoneLabel=Time Zone|elementOID=-1y2p0ij32e8cc:-1y2p0ij1zxvxs|elementOIDLabel=Element OID|blVersion=false|blVersionLabel=Is baseline version|hardCodedIP=10.42.1.51\r",
"cef_version": "CEF:0",
"dashes": "- - -",
"blVersion": "false",
"@timestamp": "2024-01-23T13:43:14.998575300Z",
"LogMessage": "dvchost=te-dm-01.mshome.net|cs1=Windows Server|cs1Label=Node Type|cs2=System Configuration Files|cs2Label=Rule|cs3=Windows File System Rule|cs3Label=Rule Type|fname=C:\\Windows\\System32\\winresume.efi|cs4=Modified|cs4Label=Change Type|cs5=High|cs5Label=Tripwire Severity Name|cs6=-1y2p0ij32e8ch:-1y2p0ij1vig8u|cs6Label=Version OID|cn1=100|cn1Label=Tripwire Severity Number|sproc=C:\\Windows\\System32\\poqexec.exe|licurl=https://te-poc-hyperv/console/lic.search.cmd?lic=true&managerId=nodeManager&pageId=nodeManager.elementFinderPage&searchCriteria=%7B%22search.element.nodeGroup.selectedObject%22%3A%22-1y2p0ij32e8bv%3A-1y2p0ij1zzm0h%22%2C%22search.element.name.op%22%3A1%2C%22search.element.name%22%3A%22C%3A%5C%5CWindows%5C%5CSystem32%5C%5Cwinresume.efi%22%2C%22selectedSearchType%22%3A%22element%22%2C%22search.element.ruleGroup.selectedObject%22%3A%22-1y2p0ij32e7ps%3A-1y2p0ij1zzluk%22%2C%22criteria.searchExecuted%22%3Atrue%7D|start=Jan 23 2024 12:12:36|duser=NT AUTHORITY\\SYSTEM|dvc=172.23.180.89|rt=Jan 23 2024 13:43:15|dhost=te-poc-hyperv|SHA-1=Before=bf2378f33fdec10c34c20cd0a6d9c15baff0f17d;After=7c21261cd9a5e5177d9bc03a0e7167172f07400f|MD5=Not available|Size=Before=1350696;After=1353400|content=Not available|contentLabel=Current Version Content|timezone=Greenwich Mean Time|timezoneLabel=Time Zone|elementOID=-1y2p0ij32e8cc:-1y2p0ij1zxvxs|elementOIDLabel=Element OID|blVersion=false|blVersionLabel=Is baseline version|hardCodedIP=10.42.1.51\r",
"data_stream": {
"namespace": "default",
"type": "logs",
"dataset": "generic"
},
"contentLabel": "Current Version Content",
"elementOID": "-1y2p0ij32e8cc:-1y2p0ij1zxvxs",
"cs2Label": "Rule",
"MD5": "Not available"
},