http://git-wip-us.apache.org/repos/asf/metron/blob/7d554444/metron-interface/metron-alerts/e2e/mock-data/alert-list.json
----------------------------------------------------------------------
diff --git a/metron-interface/metron-alerts/e2e/mock-data/alert-list.json 
b/metron-interface/metron-alerts/e2e/mock-data/alert-list.json
new file mode 100644
index 0000000..2a02a4b
--- /dev/null
+++ b/metron-interface/metron-alerts/e2e/mock-data/alert-list.json
@@ -0,0 +1,8496 @@
+{
+  "took": 3,
+  "timed_out": false,
+  "_shards": {
+    "total": 1,
+    "successful": 1,
+    "failed": 0
+  },
+  "hits": {
+    "total": 169,
+    "max_score": 1.0,
+    "hits": [
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLfl1LEanKS6qPFC",
+        "_score": 1.0,
+        "_timestamp": 1492671501000,
+        "_source": {
+          "enrichments:geo:ip_dst_addr:locID": "5368361",
+          "bro_timestamp": "1492671501.0",
+          "status_code": 200,
+          "enrichments:geo:ip_dst_addr:location_point": "34.0494,-118.2641",
+          "ip_dst_port": 80,
+          "threatinteljoinbolt:joiner:ts": "1492671574783",
+          "enrichments:geo:ip_dst_addr:dmaCode": "803",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568547",
+          "enrichmentjoinbolt:joiner:ts": "1492671574101",
+          "adapter:geoadapter:begin:ts": "1492671572509",
+          "enrichments:geo:ip_dst_addr:latitude": "34.0494",
+          "uid": "CD23C83kXKw966hJtc",
+          "resp_mime_types": [
+            "text\/plain"
+          ],
+          "trans_depth": 1,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574780",
+          "original_string": "HTTP | id.orig_p:49200 status_code:200 
method:POST request_body_len:96 id.resp_p:80 
orig_mime_types:[\"text\\\/plain\"] 
uri:\/wp-content\/themes\/grizzly\/img5.php?t=8r1gf1b2t1kuq42 tags:[] 
uid:CD23C83kXKw966hJtc resp_mime_types:[\"text\\\/plain\"] trans_depth:1 
orig_fuids:[\"FS7RhoA94CA7tXRH3\"] host:comarksecurity.com status_msg:OK 
id.orig_h:192.168.138.158 response_body_len:996 user_agent:Mozilla\/4.0 
(compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 
2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) 
ts:1492671501.0 id.resp_h:72.34.49.86 resp_fuids:[\"F3FAZQ2jVEyeqyiQB7\"]",
+          "ip_dst_addr": "72.34.49.86",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568750",
+          "host": "comarksecurity.com",
+          "adapter:geoadapter:end:ts": "1492671573840",
+          "ip_src_addr": "192.168.138.158",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574109",
+          "enrichments:geo:ip_dst_addr:longitude": "-118.2641",
+          "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; 
WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 
3.0.30729; Media Center PC 6.0)",
+          "resp_fuids": [
+            "F3FAZQ2jVEyeqyiQB7"
+          ],
+          "timestamp": 1492671501000,
+          "method": "POST",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568555",
+          "request_body_len": 96,
+          "enrichments:geo:ip_dst_addr:city": "Los Angeles",
+          "enrichments:geo:ip_dst_addr:postalCode": "90014",
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568737",
+          "orig_mime_types": [
+            "text\/plain"
+          ],
+          "uri": "\/wp-content\/themes\/grizzly\/img5.php?t=8r1gf1b2t1kuq42",
+          "tags": [],
+          "orig_fuids": [
+            "FS7RhoA94CA7tXRH3"
+          ],
+          "ip_src_port": 49200,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574109",
+          "adapter:threatinteladapter:begin:ts": "1492671574115",
+          "status_msg": "OK",
+          "guid": "ec944bae-de91-43fc-bd57-68976ff210f0",
+          "enrichments:geo:ip_dst_addr:country": "US",
+          "response_body_len": 996
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLfl1LEanKS6qPFD",
+        "_score": 1.0,
+        "_timestamp": 1492671501000,
+        "_source": {
+          "bro_timestamp": "1492671501.0",
+          "status_code": 200,
+          "enrichments:geo:ip_dst_addr:location_point": "55.7386,37.6068",
+          "ip_dst_port": 80,
+          "threatinteljoinbolt:joiner:ts": "1492671574785",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568556",
+          "enrichmentjoinbolt:joiner:ts": "1492671574102",
+          "adapter:geoadapter:begin:ts": "1492671573840",
+          "enrichments:geo:ip_dst_addr:latitude": "55.7386",
+          "uid": "Cbhgaw1IVL6NGqHpn2",
+          "resp_mime_types": [
+            "image\/png"
+          ],
+          "trans_depth": 1,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574782",
+          "original_string": "HTTP | id.orig_p:49209 status_code:200 
method:GET request_body_len:0 id.resp_p:80 uri:\/img\/flags\/de.png tags:[] 
uid:Cbhgaw1IVL6NGqHpn2 
referrer:http:\/\/7oqnsnzwwnm6zb7y.gigapaysun.com\/11iQmfg 
resp_mime_types:[\"image\\\/png\"] trans_depth:1 
host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 
response_body_len:534 user_agent:Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 
6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET 
CLR 3.0.30729; Media Center PC 6.0) ts:1492671501.0 id.resp_h:95.163.121.204 
resp_fuids:[\"F4cZLM1Rfj48wYg1Pb\"]",
+          "ip_dst_addr": "95.163.121.204",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568750",
+          "host": "7oqnsnzwwnm6zb7y.gigapaysun.com",
+          "adapter:geoadapter:end:ts": "1492671574044",
+          "ip_src_addr": "192.168.138.158",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574109",
+          "enrichments:geo:ip_dst_addr:longitude": "37.6068",
+          "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; 
WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 
3.0.30729; Media Center PC 6.0)",
+          "resp_fuids": [
+            "F4cZLM1Rfj48wYg1Pb"
+          ],
+          "timestamp": 1492671501000,
+          "method": "GET",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568556",
+          "request_body_len": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568750",
+          "uri": "\/img\/flags\/de.png",
+          "tags": [],
+          "referrer": "http:\/\/7oqnsnzwwnm6zb7y.gigapaysun.com\/11iQmfg",
+          "ip_src_port": 49209,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574109",
+          "adapter:threatinteladapter:begin:ts": "1492671574780",
+          "status_msg": "OK",
+          "guid": "0fe4c4a3-f107-4032-be54-50694fca8fac",
+          "enrichments:geo:ip_dst_addr:country": "RU",
+          "response_body_len": 534
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLfl1LEanKS6qPFE",
+        "_score": 1.0,
+        "_timestamp": 1492671501000,
+        "_source": {
+          "bro_timestamp": "1492671501.0",
+          "ip_dst_port": 8080,
+          "threatinteljoinbolt:joiner:ts": "1492671574803",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568556",
+          "enrichmentjoinbolt:joiner:ts": "1492671574102",
+          "adapter:geoadapter:begin:ts": "1492671574045",
+          "uid": "CUrRne3iLIxXavQtci",
+          "trans_depth": 100,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574801",
+          "original_string": "HTTP | id.orig_p:50451 method:GET 
request_body_len:0 id.resp_p:8080 
uri:\/api\/v1\/clusters\/metron_cluster\/components\/?fields=ServiceComponentInfo\/service_name,ServiceComponentInfo\/category,ServiceComponentInfo\/installed_count,ServiceComponentInfo\/started_count,ServiceComponentInfo\/init_count,ServiceComponentInfo\/install_failed_count,ServiceComponentInfo\/unknown_count,ServiceComponentInfo\/total_count,ServiceComponentInfo\/display_name,host_components\/HostRoles\/host_name&minimal_response=true&_=1484168699029
 tags:[] uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:100 
host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla\/5.0 
(Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) 
Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671501.0 id.resp_h:192.168.66.121",
+          "ip_dst_addr": "192.168.66.121",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568750",
+          "host": "node1",
+          "adapter:geoadapter:end:ts": "1492671574046",
+          "ip_src_addr": "192.168.66.1",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574109",
+          "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) 
AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36",
+          "timestamp": 1492671501000,
+          "method": "GET",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568557",
+          "request_body_len": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568750",
+          "uri": 
"\/api\/v1\/clusters\/metron_cluster\/components\/?fields=ServiceComponentInfo\/service_name,ServiceComponentInfo\/category,ServiceComponentInfo\/installed_count,ServiceComponentInfo\/started_count,ServiceComponentInfo\/init_count,ServiceComponentInfo\/install_failed_count,ServiceComponentInfo\/unknown_count,ServiceComponentInfo\/total_count,ServiceComponentInfo\/display_name,host_components\/HostRoles\/host_name&minimal_response=true&_=1484168699029",
+          "tags": [],
+          "referrer": "http:\/\/node1:8080\/",
+          "ip_src_port": 50451,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574109",
+          "adapter:threatinteladapter:begin:ts": "1492671574782",
+          "guid": "df9cd170-25de-428f-9017-abc174dadc5f",
+          "response_body_len": 0
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLfl1LEanKS6qPFF",
+        "_score": 1.0,
+        "_timestamp": 1492671501000,
+        "_source": {
+          "bro_timestamp": "1492671501.0",
+          "ip_dst_port": 8080,
+          "threatinteljoinbolt:joiner:ts": "1492671574804",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568557",
+          "enrichmentjoinbolt:joiner:ts": "1492671574105",
+          "adapter:geoadapter:begin:ts": "1492671574046",
+          "uid": "CUrRne3iLIxXavQtci",
+          "trans_depth": 201,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574801",
+          "original_string": "HTTP | id.orig_p:50451 method:GET 
request_body_len:0 id.resp_p:8080 
uri:\/api\/v1\/clusters\/metron_cluster\/components\/?fields=ServiceComponentInfo\/service_name,ServiceComponentInfo\/category,ServiceComponentInfo\/installed_count,ServiceComponentInfo\/started_count,ServiceComponentInfo\/init_count,ServiceComponentInfo\/install_failed_count,ServiceComponentInfo\/unknown_count,ServiceComponentInfo\/total_count,ServiceComponentInfo\/display_name,host_components\/HostRoles\/host_name&minimal_response=true&_=1484169230174
 tags:[] uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:201 
host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla\/5.0 
(Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) 
Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671501.0 id.resp_h:192.168.66.121",
+          "ip_dst_addr": "192.168.66.121",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568750",
+          "host": "node1",
+          "adapter:geoadapter:end:ts": "1492671574046",
+          "ip_src_addr": "192.168.66.1",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574110",
+          "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) 
AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36",
+          "timestamp": 1492671501000,
+          "method": "GET",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568557",
+          "request_body_len": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568750",
+          "uri": 
"\/api\/v1\/clusters\/metron_cluster\/components\/?fields=ServiceComponentInfo\/service_name,ServiceComponentInfo\/category,ServiceComponentInfo\/installed_count,ServiceComponentInfo\/started_count,ServiceComponentInfo\/init_count,ServiceComponentInfo\/install_failed_count,ServiceComponentInfo\/unknown_count,ServiceComponentInfo\/total_count,ServiceComponentInfo\/display_name,host_components\/HostRoles\/host_name&minimal_response=true&_=1484169230174",
+          "tags": [],
+          "referrer": "http:\/\/node1:8080\/",
+          "ip_src_port": 50451,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574110",
+          "adapter:threatinteladapter:begin:ts": "1492671574801",
+          "guid": "d7db5ba5-185e-461f-909b-49bfc11907ee",
+          "response_body_len": 0
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLfm1LEanKS6qPFG",
+        "_score": 1.0,
+        "_timestamp": 1492671501000,
+        "_source": {
+          "bro_timestamp": "1492671501.0",
+          "ip_dst_port": 8080,
+          "threatinteljoinbolt:joiner:ts": "1492671574804",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568557",
+          "enrichmentjoinbolt:joiner:ts": "1492671574105",
+          "adapter:geoadapter:begin:ts": "1492671574046",
+          "uid": "CUrRne3iLIxXavQtci",
+          "trans_depth": 54,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574801",
+          "original_string": "HTTP | id.orig_p:50451 method:GET 
request_body_len:0 id.resp_p:8080 
uri:\/api\/v1\/clusters\/metron_cluster\/services?fields=ServiceInfo\/state,ServiceInfo\/maintenance_state,components\/ServiceComponentInfo\/component_name&minimal_response=true&_=1484168537303
 tags:[] uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:54 
host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla\/5.0 
(Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) 
Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671501.0 id.resp_h:192.168.66.121",
+          "ip_dst_addr": "192.168.66.121",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568750",
+          "host": "node1",
+          "adapter:geoadapter:end:ts": "1492671574046",
+          "ip_src_addr": "192.168.66.1",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574110",
+          "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) 
AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36",
+          "timestamp": 1492671501000,
+          "method": "GET",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568557",
+          "request_body_len": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568750",
+          "uri": 
"\/api\/v1\/clusters\/metron_cluster\/services?fields=ServiceInfo\/state,ServiceInfo\/maintenance_state,components\/ServiceComponentInfo\/component_name&minimal_response=true&_=1484168537303",
+          "tags": [],
+          "referrer": "http:\/\/node1:8080\/",
+          "ip_src_port": 50451,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574110",
+          "adapter:threatinteladapter:begin:ts": "1492671574801",
+          "guid": "b09556f5-4b9a-4939-9826-1e85e5235733",
+          "response_body_len": 0
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLjC1LEanKS6qPFH",
+        "_score": 1.0,
+        "_timestamp": 1492671501000,
+        "_source": {
+          "enrichments:geo:ip_dst_addr:locID": "2973783",
+          "bro_timestamp": "1492671501.0",
+          "status_code": 200,
+          "enrichments:geo:ip_dst_addr:location_point": "48.5839,7.7455",
+          "ip_dst_port": 80,
+          "threatinteljoinbolt:joiner:ts": "1492671574805",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568558",
+          "enrichmentjoinbolt:joiner:ts": "1492671574105",
+          "adapter:geoadapter:begin:ts": "1492671574046",
+          "enrichments:geo:ip_dst_addr:latitude": "48.5839",
+          "uid": "CzXaqT1OEPg60SoJ31",
+          "trans_depth": 1,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574802",
+          "original_string": "HTTP | id.orig_p:49196 status_code:200 
method:GET request_body_len:0 id.resp_p:80 
uri:\/?51424ddd486ff06861fceed24e86b329 tags:[] uid:CzXaqT1OEPg60SoJ31 
trans_depth:1 host:62.75.195.236 status_msg:OK id.orig_h:192.168.138.158 
response_body_len:0 user_agent:Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 
6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET 
CLR 3.0.30729; Media Center PC 6.0) ts:1492671501.0 id.resp_h:62.75.195.236",
+          "ip_dst_addr": "62.75.195.236",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568751",
+          "host": "62.75.195.236",
+          "adapter:geoadapter:end:ts": "1492671574047",
+          "ip_src_addr": "192.168.138.158",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574110",
+          "enrichments:geo:ip_dst_addr:longitude": "7.7455",
+          "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; 
WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 
3.0.30729; Media Center PC 6.0)",
+          "timestamp": 1492671501000,
+          "method": "GET",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568558",
+          "request_body_len": 0,
+          "enrichments:geo:ip_dst_addr:city": "Strasbourg",
+          "enrichments:geo:ip_dst_addr:postalCode": "67100",
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568750",
+          "uri": "\/?51424ddd486ff06861fceed24e86b329",
+          "tags": [],
+          "ip_src_port": 49196,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574110",
+          "adapter:threatinteladapter:begin:ts": "1492671574801",
+          "status_msg": "OK",
+          "guid": "78fe6acb-9fa5-4d51-9472-9e34a6521f74",
+          "enrichments:geo:ip_dst_addr:country": "FR",
+          "response_body_len": 0
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLjC1LEanKS6qPFI",
+        "_score": 1.0,
+        "_timestamp": 1492671501000,
+        "_source": {
+          "TTLs": [
+            29.0
+          ],
+          "qclass_name": "C_INTERNET",
+          "bro_timestamp": "1492671501.0",
+          "qtype_name": "A",
+          "ip_dst_port": 53,
+          "threatinteljoinbolt:joiner:ts": "1492671574806",
+          "qtype": 1,
+          "rejected": false,
+          "answers": [
+            "62.75.195.236"
+          ],
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568558",
+          "enrichmentjoinbolt:joiner:ts": "1492671574109",
+          "trans_id": 27248,
+          "adapter:geoadapter:begin:ts": "1492671574047",
+          "uid": "CWHzfi498ODM7YJg6b",
+          "protocol": "dns",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574804",
+          "original_string": "DNS | AA:false TTLs:[29.0] 
qclass_name:C_INTERNET id.orig_p:65315 qtype_name:A qtype:1 rejected:false 
id.resp_p:53 
query:ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in
 answers:[\"62.75.195.236\"] trans_id:27248 rcode:0 rcode_name:NOERROR TC:false 
RA:true uid:CWHzfi498ODM7YJg6b RD:true proto:udp id.orig_h:192.168.138.158 Z:0 
qclass:1 ts:1492671501.0 id.resp_h:192.168.138.2",
+          "ip_dst_addr": "192.168.138.2",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568751",
+          "Z": 0,
+          "adapter:geoadapter:end:ts": "1492671574048",
+          "ip_src_addr": "192.168.138.158",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574110",
+          "qclass": 1,
+          "timestamp": 1492671501000,
+          "AA": false,
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568558",
+          "query": 
"ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in",
+          "rcode": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568751",
+          "rcode_name": "NOERROR",
+          "TC": false,
+          "RA": true,
+          "RD": true,
+          "ip_src_port": 65315,
+          "proto": "udp",
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574110",
+          "adapter:threatinteladapter:begin:ts": "1492671574802",
+          "guid": "7cf6ccf7-5cc7-44a4-9423-1a73429ce3c1"
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLjC1LEanKS6qPFJ",
+        "_score": 1.0,
+        "_timestamp": 1492671501000,
+        "_source": {
+          "qclass_name": "qclass-32769",
+          "bro_timestamp": "1492671501.0",
+          "qtype_name": "PTR",
+          "ip_dst_port": 5353,
+          "threatinteljoinbolt:joiner:ts": "1492671574807",
+          "qtype": 12,
+          "rejected": false,
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568558",
+          "enrichmentjoinbolt:joiner:ts": "1492671574111",
+          "trans_id": 0,
+          "adapter:geoadapter:begin:ts": "1492671574048",
+          "uid": "CgtMqC3lAinR22Xi6c",
+          "protocol": "dns",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574806",
+          "original_string": "DNS | AA:false qclass_name:qclass-32769 
id.orig_p:5353 qtype_name:PTR qtype:12 rejected:false id.resp_p:5353 
query:_googlecast._tcp.local trans_id:0 TC:false RA:false 
uid:CgtMqC3lAinR22Xi6c RD:false proto:udp id.orig_h:192.168.66.1 Z:0 
qclass:32769 ts:1492671501.0 id.resp_h:224.0.0.251",
+          "ip_dst_addr": "224.0.0.251",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568751",
+          "Z": 0,
+          "adapter:geoadapter:end:ts": "1492671574048",
+          "ip_src_addr": "192.168.66.1",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574119",
+          "qclass": 32769,
+          "timestamp": 1492671501000,
+          "AA": false,
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568558",
+          "query": "_googlecast._tcp.local",
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568751",
+          "TC": false,
+          "RA": false,
+          "RD": false,
+          "ip_src_port": 5353,
+          "proto": "udp",
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574119",
+          "adapter:threatinteladapter:begin:ts": "1492671574804",
+          "guid": "8d6c0c21-5994-47ff-826d-ec03cccfcffd"
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLjC1LEanKS6qPFK",
+        "_score": 1.0,
+        "_timestamp": 1492671501000,
+        "_source": {
+          "qclass_name": "C_INTERNET",
+          "bro_timestamp": "1492671501.0",
+          "qtype_name": "PTR",
+          "ip_dst_port": 5353,
+          "threatinteljoinbolt:joiner:ts": "1492671574809",
+          "qtype": 12,
+          "rejected": false,
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568559",
+          "enrichmentjoinbolt:joiner:ts": "1492671574111",
+          "trans_id": 0,
+          "adapter:geoadapter:begin:ts": "1492671574048",
+          "uid": "CEuiK04pVuL2Su5Rqg",
+          "protocol": "dns",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574806",
+          "original_string": "DNS | AA:false qclass_name:C_INTERNET 
id.orig_p:5353 qtype_name:PTR qtype:12 rejected:false id.resp_p:5353 
query:_googlecast._tcp.local trans_id:0 TC:false RA:false 
uid:CEuiK04pVuL2Su5Rqg RD:false proto:udp id.orig_h:192.168.66.1 Z:0 qclass:1 
ts:1492671501.0 id.resp_h:224.0.0.251",
+          "ip_dst_addr": "224.0.0.251",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568751",
+          "Z": 0,
+          "adapter:geoadapter:end:ts": "1492671574048",
+          "ip_src_addr": "192.168.66.1",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574119",
+          "qclass": 1,
+          "timestamp": 1492671501000,
+          "AA": false,
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568559",
+          "query": "_googlecast._tcp.local",
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568751",
+          "TC": false,
+          "RA": false,
+          "RD": false,
+          "ip_src_port": 5353,
+          "proto": "udp",
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574119",
+          "adapter:threatinteladapter:begin:ts": "1492671574806",
+          "guid": "65da4a05-597f-4f3f-a4fc-a88d01d1235d"
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLjC1LEanKS6qPFL",
+        "_score": 1.0,
+        "_timestamp": 1492671507000,
+        "_source": {
+          "qclass_name": "C_INTERNET",
+          "bro_timestamp": "1492671507.0",
+          "qtype_name": "PTR",
+          "ip_dst_port": 5353,
+          "threatinteljoinbolt:joiner:ts": "1492671574809",
+          "qtype": 12,
+          "rejected": false,
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568559",
+          "enrichmentjoinbolt:joiner:ts": "1492671574111",
+          "trans_id": 0,
+          "adapter:geoadapter:begin:ts": "1492671574048",
+          "uid": "ChMDrL20pLP4UzCncj",
+          "protocol": "dns",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574806",
+          "original_string": "DNS | AA:false qclass_name:C_INTERNET 
id.orig_p:5353 qtype_name:PTR qtype:12 rejected:false id.resp_p:5353 
query:_googlecast._tcp.local trans_id:0 TC:false RA:false 
uid:ChMDrL20pLP4UzCncj RD:false proto:udp id.orig_h:192.168.66.1 Z:0 qclass:1 
ts:1492671507.0 id.resp_h:224.0.0.251",
+          "ip_dst_addr": "224.0.0.251",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568751",
+          "Z": 0,
+          "adapter:geoadapter:end:ts": "1492671574048",
+          "ip_src_addr": "192.168.66.1",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574119",
+          "qclass": 1,
+          "timestamp": 1492671507000,
+          "AA": false,
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568559",
+          "query": "_googlecast._tcp.local",
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568751",
+          "TC": false,
+          "RA": false,
+          "RD": false,
+          "ip_src_port": 5353,
+          "proto": "udp",
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574119",
+          "adapter:threatinteladapter:begin:ts": "1492671574806",
+          "guid": "abf539c7-5a35-4bd9-b39a-0521ff1262e8"
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLjq1LEanKS6qPFM",
+        "_score": 1.0,
+        "_timestamp": 1492671507000,
+        "_source": {
+          "enrichments:geo:ip_dst_addr:locID": "5308655",
+          "bro_timestamp": "1492671507.0",
+          "status_code": 404,
+          "enrichments:geo:ip_dst_addr:location_point": "33.4499,-112.0712",
+          "ip_dst_port": 80,
+          "threatinteljoinbolt:joiner:ts": "1492671574810",
+          "enrichments:geo:ip_dst_addr:dmaCode": "753",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568561",
+          "enrichmentjoinbolt:joiner:ts": "1492671574111",
+          "adapter:geoadapter:begin:ts": "1492671574048",
+          "enrichments:geo:ip_dst_addr:latitude": "33.4499",
+          "uid": "CdUJwG2Df90m0Y7OSi",
+          "resp_mime_types": [
+            "text\/html"
+          ],
+          "trans_depth": 1,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "HTTP | id.orig_p:49199 status_code:404 
method:POST request_body_len:96 id.resp_p:80 
orig_mime_types:[\"text\\\/plain\"] 
uri:\/wp-content\/themes\/twentyfifteen\/img5.php?l=8r1gf1b2t1kuq42 tags:[] 
uid:CdUJwG2Df90m0Y7OSi resp_mime_types:[\"text\\\/html\"] trans_depth:1 
orig_fuids:[\"Fh9CoH303MQ3vTRjB\"] host:runlove.us status_msg:Not Found 
id.orig_h:192.168.138.158 response_body_len:357 user_agent:Mozilla\/4.0 
(compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 
2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) 
ts:1492671507.0 id.resp_h:204.152.254.221 resp_fuids:[\"F9iisA25ZMf02F0vS5\"]",
+          "ip_dst_addr": "204.152.254.221",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568751",
+          "host": "runlove.us",
+          "adapter:geoadapter:end:ts": "1492671574049",
+          "ip_src_addr": "192.168.138.158",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574119",
+          "enrichments:geo:ip_dst_addr:longitude": "-112.0712",
+          "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; 
WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 
3.0.30729; Media Center PC 6.0)",
+          "resp_fuids": [
+            "F9iisA25ZMf02F0vS5"
+          ],
+          "timestamp": 1492671507000,
+          "method": "POST",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568561",
+          "request_body_len": 96,
+          "enrichments:geo:ip_dst_addr:city": "Phoenix",
+          "enrichments:geo:ip_dst_addr:postalCode": "85004",
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568751",
+          "orig_mime_types": [
+            "text\/plain"
+          ],
+          "uri": 
"\/wp-content\/themes\/twentyfifteen\/img5.php?l=8r1gf1b2t1kuq42",
+          "tags": [],
+          "orig_fuids": [
+            "Fh9CoH303MQ3vTRjB"
+          ],
+          "ip_src_port": 49199,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574119",
+          "adapter:threatinteladapter:begin:ts": "1492671574806",
+          "status_msg": "Not Found",
+          "guid": "62531f8a-9427-45d5-86ab-956edb2bf235",
+          "enrichments:geo:ip_dst_addr:country": "US",
+          "response_body_len": 357
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLjq1LEanKS6qPFN",
+        "_score": 1.0,
+        "_timestamp": 1492671507000,
+        "_source": {
+          "TTLs": [
+            29.0
+          ],
+          "qclass_name": "C_INTERNET",
+          "bro_timestamp": "1492671507.0",
+          "qtype_name": "A",
+          "ip_dst_port": 53,
+          "threatinteljoinbolt:joiner:ts": "1492671574810",
+          "qtype": 1,
+          "rejected": false,
+          "answers": [
+            "62.75.195.236"
+          ],
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568561",
+          "enrichmentjoinbolt:joiner:ts": "1492671574111",
+          "trans_id": 27248,
+          "adapter:geoadapter:begin:ts": "1492671574049",
+          "uid": "CTpa5V317MTyEHxIjf",
+          "protocol": "dns",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "DNS | AA:false TTLs:[29.0] 
qclass_name:C_INTERNET id.orig_p:65315 qtype_name:A qtype:1 rejected:false 
id.resp_p:53 
query:ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in
 answers:[\"62.75.195.236\"] trans_id:27248 rcode:0 rcode_name:NOERROR TC:false 
RA:true uid:CTpa5V317MTyEHxIjf RD:true proto:udp id.orig_h:192.168.138.158 Z:0 
qclass:1 ts:1492671507.0 id.resp_h:192.168.138.2",
+          "ip_dst_addr": "192.168.138.2",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568751",
+          "Z": 0,
+          "adapter:geoadapter:end:ts": "1492671574049",
+          "ip_src_addr": "192.168.138.158",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574119",
+          "qclass": 1,
+          "timestamp": 1492671507000,
+          "AA": false,
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568561",
+          "query": 
"ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in",
+          "rcode": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568751",
+          "rcode_name": "NOERROR",
+          "TC": false,
+          "RA": true,
+          "RD": true,
+          "ip_src_port": 65315,
+          "proto": "udp",
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574119",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "guid": "e75ba167-e288-4263-a3b9-2f62e901e269"
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLjq1LEanKS6qPFO",
+        "_score": 1.0,
+        "_timestamp": 1492671507000,
+        "_source": {
+          "bro_timestamp": "1492671507.0",
+          "ip_dst_port": 8080,
+          "threatinteljoinbolt:joiner:ts": "1492671574810",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568561",
+          "enrichmentjoinbolt:joiner:ts": "1492671574115",
+          "adapter:geoadapter:begin:ts": "1492671574049",
+          "uid": "CUrRne3iLIxXavQtci",
+          "trans_depth": 97,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "HTTP | id.orig_p:50451 method:GET 
request_body_len:0 id.resp_p:8080 
uri:\/api\/v1\/clusters?fields=Clusters\/provisioning_state&_=1484168694108 
tags:[] uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:97 
host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla\/5.0 
(Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) 
Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671507.0 id.resp_h:192.168.66.121",
+          "ip_dst_addr": "192.168.66.121",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568751",
+          "host": "node1",
+          "adapter:geoadapter:end:ts": "1492671574049",
+          "ip_src_addr": "192.168.66.1",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574120",
+          "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) 
AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36",
+          "timestamp": 1492671507000,
+          "method": "GET",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568561",
+          "request_body_len": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568751",
+          "uri": 
"\/api\/v1\/clusters?fields=Clusters\/provisioning_state&_=1484168694108",
+          "tags": [],
+          "referrer": "http:\/\/node1:8080\/",
+          "ip_src_port": 50451,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574120",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "guid": "30eb553a-98eb-4e25-a114-55ac1ecef0bd",
+          "response_body_len": 0
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLjq1LEanKS6qPFP",
+        "_score": 1.0,
+        "_timestamp": 1492671507000,
+        "_source": {
+          "TTLs": [
+            13888.0
+          ],
+          "qclass_name": "C_INTERNET",
+          "bro_timestamp": "1492671507.0",
+          "qtype_name": "A",
+          "ip_dst_port": 53,
+          "threatinteljoinbolt:joiner:ts": "1492671574810",
+          "qtype": 1,
+          "rejected": false,
+          "answers": [
+            "72.34.49.86"
+          ],
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568566",
+          "enrichmentjoinbolt:joiner:ts": "1492671574116",
+          "trans_id": 41589,
+          "adapter:geoadapter:begin:ts": "1492671574049",
+          "uid": "CE6YSn3vJULMx9hAJk",
+          "protocol": "dns",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "DNS | AA:false TTLs:[13888.0] 
qclass_name:C_INTERNET id.orig_p:56753 qtype_name:A qtype:1 rejected:false 
id.resp_p:53 query:comarksecurity.com answers:[\"72.34.49.86\"] trans_id:41589 
rcode:0 rcode_name:NOERROR TC:false RA:true uid:CE6YSn3vJULMx9hAJk RD:true 
proto:udp id.orig_h:192.168.138.158 Z:0 qclass:1 ts:1492671507.0 
id.resp_h:192.168.138.2",
+          "ip_dst_addr": "192.168.138.2",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568751",
+          "Z": 0,
+          "adapter:geoadapter:end:ts": "1492671574049",
+          "ip_src_addr": "192.168.138.158",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574120",
+          "qclass": 1,
+          "timestamp": 1492671507000,
+          "AA": false,
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568566",
+          "query": "comarksecurity.com",
+          "rcode": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568751",
+          "rcode_name": "NOERROR",
+          "TC": false,
+          "RA": true,
+          "RD": true,
+          "ip_src_port": 56753,
+          "proto": "udp",
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574120",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "guid": "d21b418e-9871-40d8-95e4-f5efa11671a6"
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLjq1LEanKS6qPFQ",
+        "_score": 1.0,
+        "_timestamp": 1492671507000,
+        "_source": {
+          "enrichments:geo:ip_dst_addr:locID": "2973783",
+          "bro_timestamp": "1492671507.0",
+          "status_code": 200,
+          "enrichments:geo:ip_dst_addr:location_point": "48.5839,7.7455",
+          "ip_dst_port": 80,
+          "threatinteljoinbolt:joiner:ts": "1492671574810",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568566",
+          "enrichmentjoinbolt:joiner:ts": "1492671574116",
+          "adapter:geoadapter:begin:ts": "1492671574049",
+          "enrichments:geo:ip_dst_addr:latitude": "48.5839",
+          "uid": "CnsJ3j4qkyHcpNUuZa",
+          "trans_depth": 1,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "HTTP | id.orig_p:49196 status_code:200 
method:GET request_body_len:0 id.resp_p:80 
uri:\/?51424ddd486ff06861fceed24e86b329 tags:[] uid:CnsJ3j4qkyHcpNUuZa 
trans_depth:1 host:62.75.195.236 status_msg:OK id.orig_h:192.168.138.158 
response_body_len:0 user_agent:Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 
6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET 
CLR 3.0.30729; Media Center PC 6.0) ts:1492671507.0 id.resp_h:62.75.195.236",
+          "ip_dst_addr": "62.75.195.236",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568751",
+          "host": "62.75.195.236",
+          "adapter:geoadapter:end:ts": "1492671574049",
+          "ip_src_addr": "192.168.138.158",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574121",
+          "enrichments:geo:ip_dst_addr:longitude": "7.7455",
+          "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; 
WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 
3.0.30729; Media Center PC 6.0)",
+          "timestamp": 1492671507000,
+          "method": "GET",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568571",
+          "request_body_len": 0,
+          "enrichments:geo:ip_dst_addr:city": "Strasbourg",
+          "enrichments:geo:ip_dst_addr:postalCode": "67100",
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568751",
+          "uri": "\/?51424ddd486ff06861fceed24e86b329",
+          "tags": [],
+          "ip_src_port": 49196,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574120",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "status_msg": "OK",
+          "guid": "1d6b6310-4662-4251-97f0-60cceca575f2",
+          "enrichments:geo:ip_dst_addr:country": "FR",
+          "response_body_len": 0
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLkj1LEanKS6qPFR",
+        "_score": 1.0,
+        "_timestamp": 1492671507000,
+        "_source": {
+          "bro_timestamp": "1492671507.0",
+          "ip_dst_port": 8080,
+          "threatinteljoinbolt:joiner:ts": "1492671574811",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568586",
+          "enrichmentjoinbolt:joiner:ts": "1492671574116",
+          "adapter:geoadapter:begin:ts": "1492671574049",
+          "uid": "CUrRne3iLIxXavQtci",
+          "trans_depth": 41,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "HTTP | id.orig_p:50451 method:GET 
request_body_len:0 id.resp_p:8080 
uri:\/api\/v1\/clusters\/metron_cluster\/components\/?fields=ServiceComponentInfo\/service_name,ServiceComponentInfo\/category,ServiceComponentInfo\/installed_count,ServiceComponentInfo\/started_count,ServiceComponentInfo\/init_count,ServiceComponentInfo\/install_failed_count,ServiceComponentInfo\/unknown_count,ServiceComponentInfo\/total_count,ServiceComponentInfo\/display_name,host_components\/HostRoles\/host_name&minimal_response=true&_=1484168502465
 tags:[] uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:41 
host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla\/5.0 
(Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) 
Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671507.0 id.resp_h:192.168.66.121",
+          "ip_dst_addr": "192.168.66.121",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568779",
+          "host": "node1",
+          "adapter:geoadapter:end:ts": "1492671574049",
+          "ip_src_addr": "192.168.66.1",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574121",
+          "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) 
AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36",
+          "timestamp": 1492671507000,
+          "method": "GET",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568586",
+          "request_body_len": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779",
+          "uri": 
"\/api\/v1\/clusters\/metron_cluster\/components\/?fields=ServiceComponentInfo\/service_name,ServiceComponentInfo\/category,ServiceComponentInfo\/installed_count,ServiceComponentInfo\/started_count,ServiceComponentInfo\/init_count,ServiceComponentInfo\/install_failed_count,ServiceComponentInfo\/unknown_count,ServiceComponentInfo\/total_count,ServiceComponentInfo\/display_name,host_components\/HostRoles\/host_name&minimal_response=true&_=1484168502465",
+          "tags": [],
+          "referrer": "http:\/\/node1:8080\/",
+          "ip_src_port": 50451,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574121",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "guid": "106c3676-478a-447f-88e6-5db7824d1e47",
+          "response_body_len": 0
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLkj1LEanKS6qPFS",
+        "_score": 1.0,
+        "_timestamp": 1492671507000,
+        "_source": {
+          "bro_timestamp": "1492671507.0",
+          "status_code": 200,
+          "enrichments:geo:ip_dst_addr:location_point": "55.7386,37.6068",
+          "ip_dst_port": 80,
+          "threatinteljoinbolt:joiner:ts": "1492671574811",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568586",
+          "enrichmentjoinbolt:joiner:ts": "1492671574117",
+          "adapter:geoadapter:begin:ts": "1492671574050",
+          "enrichments:geo:ip_dst_addr:latitude": "55.7386",
+          "uid": "CsUjA541poEzvhMfuf",
+          "resp_mime_types": [
+            "text\/html"
+          ],
+          "trans_depth": 1,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "HTTP | id.orig_p:49205 status_code:200 
method:GET request_body_len:0 id.resp_p:80 uri:\/11iQmfg tags:[] 
uid:CsUjA541poEzvhMfuf resp_mime_types:[\"text\\\/html\"] trans_depth:1 
host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 
response_body_len:3289 user_agent:Mozilla\/4.0 (compatible; MSIE 8.0; Windows 
NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; 
.NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671507.0 
id.resp_h:95.163.121.204 resp_fuids:[\"FOov1rV6rL28n8qy1\"]",
+          "ip_dst_addr": "95.163.121.204",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568779",
+          "host": "7oqnsnzwwnm6zb7y.gigapaysun.com",
+          "adapter:geoadapter:end:ts": "1492671574050",
+          "ip_src_addr": "192.168.138.158",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574121",
+          "enrichments:geo:ip_dst_addr:longitude": "37.6068",
+          "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; 
WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 
3.0.30729; Media Center PC 6.0)",
+          "resp_fuids": [
+            "FOov1rV6rL28n8qy1"
+          ],
+          "timestamp": 1492671507000,
+          "method": "GET",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568586",
+          "request_body_len": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779",
+          "uri": "\/11iQmfg",
+          "tags": [],
+          "ip_src_port": 49205,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574121",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "status_msg": "OK",
+          "guid": "6d22bd33-63a4-46fc-bf85-4954bf705e89",
+          "enrichments:geo:ip_dst_addr:country": "RU",
+          "response_body_len": 3289
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLkj1LEanKS6qPFT",
+        "_score": 1.0,
+        "_timestamp": 1492671507000,
+        "_source": {
+          "bro_timestamp": "1492671507.0",
+          "ip_dst_port": 8080,
+          "threatinteljoinbolt:joiner:ts": "1492671574811",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568586",
+          "enrichmentjoinbolt:joiner:ts": "1492671574117",
+          "adapter:geoadapter:begin:ts": "1492671574050",
+          "uid": "CUrRne3iLIxXavQtci",
+          "trans_depth": 211,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "HTTP | id.orig_p:50451 method:GET 
request_body_len:0 id.resp_p:8080 
uri:\/api\/v1\/persist\/wizard-data?_=1484169260964 tags:[] 
uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:211 
host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla\/5.0 
(Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) 
Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671507.0 id.resp_h:192.168.66.121",
+          "ip_dst_addr": "192.168.66.121",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568779",
+          "host": "node1",
+          "adapter:geoadapter:end:ts": "1492671574050",
+          "ip_src_addr": "192.168.66.1",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574121",
+          "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) 
AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36",
+          "timestamp": 1492671507000,
+          "method": "GET",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568587",
+          "request_body_len": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779",
+          "uri": "\/api\/v1\/persist\/wizard-data?_=1484169260964",
+          "tags": [],
+          "referrer": "http:\/\/node1:8080\/",
+          "ip_src_port": 50451,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574121",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "guid": "d430bc5c-6283-4c43-a77f-e26c1fd59d0e",
+          "response_body_len": 0
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLkj1LEanKS6qPFU",
+        "_score": 1.0,
+        "_timestamp": 1492671514000,
+        "_source": {
+          "TTLs": [
+            13888.0
+          ],
+          "qclass_name": "C_INTERNET",
+          "bro_timestamp": "1492671514.0",
+          "qtype_name": "A",
+          "ip_dst_port": 53,
+          "threatinteljoinbolt:joiner:ts": "1492671574811",
+          "qtype": 1,
+          "rejected": false,
+          "answers": [
+            "72.34.49.86"
+          ],
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568587",
+          "enrichmentjoinbolt:joiner:ts": "1492671574118",
+          "trans_id": 41589,
+          "adapter:geoadapter:begin:ts": "1492671574050",
+          "uid": "COWVWoXxyrLnj1cX7",
+          "protocol": "dns",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "DNS | AA:false TTLs:[13888.0] 
qclass_name:C_INTERNET id.orig_p:56753 qtype_name:A qtype:1 rejected:false 
id.resp_p:53 query:comarksecurity.com answers:[\"72.34.49.86\"] trans_id:41589 
rcode:0 rcode_name:NOERROR TC:false RA:true uid:COWVWoXxyrLnj1cX7 RD:true 
proto:udp id.orig_h:192.168.138.158 Z:0 qclass:1 ts:1492671514.0 
id.resp_h:192.168.138.2",
+          "ip_dst_addr": "192.168.138.2",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568779",
+          "Z": 0,
+          "adapter:geoadapter:end:ts": "1492671574050",
+          "ip_src_addr": "192.168.138.158",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574121",
+          "qclass": 1,
+          "timestamp": 1492671514000,
+          "AA": false,
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568587",
+          "query": "comarksecurity.com",
+          "rcode": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779",
+          "rcode_name": "NOERROR",
+          "TC": false,
+          "RA": true,
+          "RD": true,
+          "ip_src_port": 56753,
+          "proto": "udp",
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574121",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "guid": "2ffd0db4-d9c2-4b1a-8a62-71a4f90adf32"
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLkj1LEanKS6qPFV",
+        "_score": 1.0,
+        "_timestamp": 1492671514000,
+        "_source": {
+          "bro_timestamp": "1492671514.0",
+          "status_code": 304,
+          "enrichments:geo:ip_dst_addr:location_point": "55.7386,37.6068",
+          "ip_dst_port": 80,
+          "threatinteljoinbolt:joiner:ts": "1492671574811",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568587",
+          "enrichmentjoinbolt:joiner:ts": "1492671574118",
+          "adapter:geoadapter:begin:ts": "1492671574050",
+          "enrichments:geo:ip_dst_addr:latitude": "55.7386",
+          "uid": "CXVtpNU35nZ84YA8",
+          "trans_depth": 4,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "HTTP | id.orig_p:49206 status_code:304 
method:GET request_body_len:0 id.resp_p:80 uri:\/img\/style.css tags:[] 
uid:CXVtpNU35nZ84YA8 referrer:http:\/\/7oqnsnzwwnm6zb7y.gigapaysun.com\/11iQmfg 
trans_depth:4 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:Not Modified 
id.orig_h:192.168.138.158 response_body_len:0 user_agent:Mozilla\/4.0 
(compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 
2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) 
ts:1492671514.0 id.resp_h:95.163.121.204",
+          "ip_dst_addr": "95.163.121.204",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568779",
+          "host": "7oqnsnzwwnm6zb7y.gigapaysun.com",
+          "adapter:geoadapter:end:ts": "1492671574050",
+          "ip_src_addr": "192.168.138.158",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574121",
+          "enrichments:geo:ip_dst_addr:longitude": "37.6068",
+          "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; 
WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 
3.0.30729; Media Center PC 6.0)",
+          "timestamp": 1492671514000,
+          "method": "GET",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568587",
+          "request_body_len": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779",
+          "uri": "\/img\/style.css",
+          "tags": [],
+          "referrer": "http:\/\/7oqnsnzwwnm6zb7y.gigapaysun.com\/11iQmfg",
+          "ip_src_port": 49206,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574121",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "status_msg": "Not Modified",
+          "guid": "efb6e1c6-5f15-4543-a5d6-a61e0e5cb65f",
+          "enrichments:geo:ip_dst_addr:country": "RU",
+          "response_body_len": 0
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLlp1LEanKS6qPFW",
+        "_score": 1.0,
+        "_timestamp": 1492671514000,
+        "_source": {
+          "bro_timestamp": "1492671514.0",
+          "ip_dst_port": 8080,
+          "threatinteljoinbolt:joiner:ts": "1492671574811",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568588",
+          "enrichmentjoinbolt:joiner:ts": "1492671574118",
+          "adapter:geoadapter:begin:ts": "1492671574050",
+          "uid": "CUrRne3iLIxXavQtci",
+          "trans_depth": 266,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "HTTP | id.orig_p:50451 method:GET 
request_body_len:0 id.resp_p:8080 
uri:\/api\/v1\/clusters\/metron_cluster\/services?fields=ServiceInfo\/state,ServiceInfo\/maintenance_state,components\/ServiceComponentInfo\/component_name&minimal_response=true&_=1484169506956
 tags:[] uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:266 
host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla\/5.0 
(Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) 
Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671514.0 id.resp_h:192.168.66.121",
+          "ip_dst_addr": "192.168.66.121",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568779",
+          "host": "node1",
+          "adapter:geoadapter:end:ts": "1492671574050",
+          "ip_src_addr": "192.168.66.1",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574121",
+          "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) 
AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36",
+          "timestamp": 1492671514000,
+          "method": "GET",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568588",
+          "request_body_len": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779",
+          "uri": 
"\/api\/v1\/clusters\/metron_cluster\/services?fields=ServiceInfo\/state,ServiceInfo\/maintenance_state,components\/ServiceComponentInfo\/component_name&minimal_response=true&_=1484169506956",
+          "tags": [],
+          "referrer": "http:\/\/node1:8080\/",
+          "ip_src_port": 50451,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574121",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "guid": "f9634a9e-667c-455d-bf24-84ff295b04c1",
+          "response_body_len": 0
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLlp1LEanKS6qPFX",
+        "_score": 1.0,
+        "_timestamp": 1492671514000,
+        "_source": {
+          "enrichments:geo:ip_dst_addr:locID": "5308655",
+          "bro_timestamp": "1492671514.0",
+          "status_code": 404,
+          "enrichments:geo:ip_dst_addr:location_point": "33.4499,-112.0712",
+          "ip_dst_port": 80,
+          "threatinteljoinbolt:joiner:ts": "1492671574811",
+          "enrichments:geo:ip_dst_addr:dmaCode": "753",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568588",
+          "enrichmentjoinbolt:joiner:ts": "1492671574118",
+          "adapter:geoadapter:begin:ts": "1492671574050",
+          "enrichments:geo:ip_dst_addr:latitude": "33.4499",
+          "uid": "CY9lhK2A2rSE61rvWi",
+          "resp_mime_types": [
+            "text\/html"
+          ],
+          "trans_depth": 1,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "HTTP | id.orig_p:49197 status_code:404 
method:POST request_body_len:134 id.resp_p:80 
orig_mime_types:[\"text\\\/plain\"] 
uri:\/wp-content\/themes\/twentyfifteen\/img5.php?t=cdcnw7cfz43rmtg tags:[] 
uid:CY9lhK2A2rSE61rvWi resp_mime_types:[\"text\\\/html\"] trans_depth:1 
orig_fuids:[\"Fpnco91sWiQHlMIGQ4\"] host:runlove.us status_msg:Not Found 
id.orig_h:192.168.138.158 response_body_len:357 user_agent:Mozilla\/4.0 
(compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 
2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) 
ts:1492671514.0 id.resp_h:204.152.254.221 resp_fuids:[\"FiKhLp4qrWGvpiYadj\"]",
+          "ip_dst_addr": "204.152.254.221",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568779",
+          "host": "runlove.us",
+          "adapter:geoadapter:end:ts": "1492671574050",
+          "ip_src_addr": "192.168.138.158",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574121",
+          "enrichments:geo:ip_dst_addr:longitude": "-112.0712",
+          "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; 
WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 
3.0.30729; Media Center PC 6.0)",
+          "resp_fuids": [
+            "FiKhLp4qrWGvpiYadj"
+          ],
+          "timestamp": 1492671514000,
+          "method": "POST",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568588",
+          "request_body_len": 134,
+          "enrichments:geo:ip_dst_addr:city": "Phoenix",
+          "enrichments:geo:ip_dst_addr:postalCode": "85004",
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779",
+          "orig_mime_types": [
+            "text\/plain"
+          ],
+          "uri": 
"\/wp-content\/themes\/twentyfifteen\/img5.php?t=cdcnw7cfz43rmtg",
+          "tags": [],
+          "orig_fuids": [
+            "Fpnco91sWiQHlMIGQ4"
+          ],
+          "ip_src_port": 49197,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574121",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "status_msg": "Not Found",
+          "guid": "07b6f634-7974-48a9-ae54-b7c1951ee1b9",
+          "enrichments:geo:ip_dst_addr:country": "US",
+          "response_body_len": 357
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLlp1LEanKS6qPFY",
+        "_score": 1.0,
+        "_timestamp": 1492671514000,
+        "_source": {
+          "bro_timestamp": "1492671514.0",
+          "status_code": 200,
+          "enrichments:geo:ip_dst_addr:location_point": "55.7386,37.6068",
+          "ip_dst_port": 80,
+          "threatinteljoinbolt:joiner:ts": "1492671574811",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568588",
+          "enrichmentjoinbolt:joiner:ts": "1492671574118",
+          "adapter:geoadapter:begin:ts": "1492671574050",
+          "enrichments:geo:ip_dst_addr:latitude": "55.7386",
+          "uid": "CrRM6qLedsBZ3P0d8",
+          "resp_mime_types": [
+            "image\/x-icon"
+          ],
+          "trans_depth": 2,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "HTTP | id.orig_p:49207 status_code:200 
method:GET request_body_len:0 id.resp_p:80 uri:\/favicon.ico tags:[] 
uid:CrRM6qLedsBZ3P0d8 resp_mime_types:[\"image\\\/x-icon\"] trans_depth:2 
host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 
response_body_len:318 user_agent:Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 
6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET 
CLR 3.0.30729; Media Center PC 6.0) ts:1492671514.0 id.resp_h:95.163.121.204 
resp_fuids:[\"FlDlsY39iNQUeDK2Dj\"]",
+          "ip_dst_addr": "95.163.121.204",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568779",
+          "host": "7oqnsnzwwnm6zb7y.gigapaysun.com",
+          "adapter:geoadapter:end:ts": "1492671574050",
+          "ip_src_addr": "192.168.138.158",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574121",
+          "enrichments:geo:ip_dst_addr:longitude": "37.6068",
+          "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; 
WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 
3.0.30729; Media Center PC 6.0)",
+          "resp_fuids": [
+            "FlDlsY39iNQUeDK2Dj"
+          ],
+          "timestamp": 1492671514000,
+          "method": "GET",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568588",
+          "request_body_len": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779",
+          "uri": "\/favicon.ico",
+          "tags": [],
+          "ip_src_port": 49207,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574121",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "status_msg": "OK",
+          "guid": "b43ee968-88be-48d2-b8ff-cc13b1597237",
+          "enrichments:geo:ip_dst_addr:country": "RU",
+          "response_body_len": 318
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLlp1LEanKS6qPFZ",
+        "_score": 1.0,
+        "_timestamp": 1492671514000,
+        "_source": {
+          "bro_timestamp": "1492671514.0",
+          "ip_dst_port": 8080,
+          "threatinteljoinbolt:joiner:ts": "1492671574811",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568589",
+          "enrichmentjoinbolt:joiner:ts": "1492671574118",
+          "adapter:geoadapter:begin:ts": "1492671574050",
+          "uid": "CUrRne3iLIxXavQtci",
+          "trans_depth": 72,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "HTTP | id.orig_p:50451 method:GET 
request_body_len:0 id.resp_p:8080 
uri:\/api\/v1\/persist\/wizard-data?_=1484168577645 tags:[] 
uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:72 host:node1 
id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla\/5.0 (Macintosh; 
Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) 
Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671514.0 id.resp_h:192.168.66.121",
+          "ip_dst_addr": "192.168.66.121",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568779",
+          "host": "node1",
+          "adapter:geoadapter:end:ts": "1492671574050",
+          "ip_src_addr": "192.168.66.1",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574121",
+          "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) 
AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36",
+          "timestamp": 1492671514000,
+          "method": "GET",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568589",
+          "request_body_len": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779",
+          "uri": "\/api\/v1\/persist\/wizard-data?_=1484168577645",
+          "tags": [],
+          "referrer": "http:\/\/node1:8080\/",
+          "ip_src_port": 50451,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574121",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "guid": "1a790f1c-864b-4776-be08-ce6e181148a0",
+          "response_body_len": 0
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLlp1LEanKS6qPFa",
+        "_score": 1.0,
+        "_timestamp": 1492671514000,
+        "_source": {
+          "qclass_name": "C_INTERNET",
+          "bro_timestamp": "1492671514.0",
+          "qtype_name": "PTR",
+          "ip_dst_port": 5353,
+          "threatinteljoinbolt:joiner:ts": "1492671574811",
+          "qtype": 12,
+          "rejected": false,
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568589",
+          "enrichmentjoinbolt:joiner:ts": "1492671574120",
+          "trans_id": 0,
+          "adapter:geoadapter:begin:ts": "1492671574050",
+          "uid": "CoifzG3AcwlRprsVWd",
+          "protocol": "dns",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "DNS | AA:false qclass_name:C_INTERNET 
id.orig_p:5353 qtype_name:PTR qtype:12 rejected:false id.resp_p:5353 
query:_googlecast._tcp.local trans_id:0 TC:false RA:false 
uid:CoifzG3AcwlRprsVWd RD:false proto:udp id.orig_h:192.168.66.1 Z:0 qclass:1 
ts:1492671514.0 id.resp_h:224.0.0.251",
+          "ip_dst_addr": "224.0.0.251",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568779",
+          "Z": 0,
+          "adapter:geoadapter:end:ts": "1492671574050",
+          "ip_src_addr": "192.168.66.1",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574122",
+          "qclass": 1,
+          "timestamp": 1492671514000,
+          "AA": false,
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568589",
+          "query": "_googlecast._tcp.local",
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779",
+          "TC": false,
+          "RA": false,
+          "RD": false,
+          "ip_src_port": 5353,
+          "proto": "udp",
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574122",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "guid": "2af99010-8b74-4fad-bdd4-73a9cc206344"
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLmA1LEanKS6qPFb",
+        "_score": 1.0,
+        "_timestamp": 1492671514000,
+        "_source": {
+          "bro_timestamp": "1492671514.0",
+          "status_code": 200,
+          "enrichments:geo:ip_dst_addr:location_point": "55.7386,37.6068",
+          "ip_dst_port": 80,
+          "threatinteljoinbolt:joiner:ts": "1492671574811",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568589",
+          "enrichmentjoinbolt:joiner:ts": "1492671574122",
+          "adapter:geoadapter:begin:ts": "1492671574050",
+          "enrichments:geo:ip_dst_addr:latitude": "55.7386",
+          "uid": "Cm8nbh1mEqDSWqLB61",
+          "resp_mime_types": [
+            "image\/png"
+          ],
+          "trans_depth": 3,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "HTTP | id.orig_p:49210 status_code:200 
method:GET request_body_len:0 id.resp_p:80 uri:\/img\/button_pay.png tags:[] 
uid:Cm8nbh1mEqDSWqLB61 
referrer:http:\/\/7oqnsnzwwnm6zb7y.gigapaysun.com\/11iQmfg 
resp_mime_types:[\"image\\\/png\"] trans_depth:3 
host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 
response_body_len:727 user_agent:Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 
6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET 
CLR 3.0.30729; Media Center PC 6.0) ts:1492671514.0 id.resp_h:95.163.121.204 
resp_fuids:[\"F4UU9y2L5THk5eQzNl\"]",
+          "ip_dst_addr": "95.163.121.204",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568780",
+          "host": "7oqnsnzwwnm6zb7y.gigapaysun.com",
+          "adapter:geoadapter:end:ts": "1492671574050",
+          "ip_src_addr": "192.168.138.158",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574127",
+          "enrichments:geo:ip_dst_addr:longitude": "37.6068",
+          "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; 
WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 
3.0.30729; Media Center PC 6.0)",
+          "resp_fuids": [
+            "F4UU9y2L5THk5eQzNl"
+          ],
+          "timestamp": 1492671514000,
+          "method": "GET",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568598",
+          "request_body_len": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568780",
+          "uri": "\/img\/button_pay.png",
+          "tags": [],
+          "referrer": "http:\/\/7oqnsnzwwnm6zb7y.gigapaysun.com\/11iQmfg",
+          "ip_src_port": 49210,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574127",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "status_msg": "OK",
+          "guid": "98d50ae9-6eb2-41a6-b958-20df2033c55e",
+          "enrichments:geo:ip_dst_addr:country": "RU",
+          "response_body_len": 727
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLmA1LEanKS6qPFc",
+        "_score": 1.0,
+        "_timestamp": 1492671514000,
+        "_source": {
+          "bro_timestamp": "1492671514.0",
+          "status_code": 200,
+          "enrichments:geo:ip_dst_addr:location_point": "55.7386,37.6068",
+          "ip_dst_port": 80,
+          "threatinteljoinbolt:joiner:ts": "1492671574811",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568598",
+          "enrichmentjoinbolt:joiner:ts": "1492671574123",
+          "adapter:geoadapter:begin:ts": "1492671574050",
+          "enrichments:geo:ip_dst_addr:latitude": "55.7386",
+          "uid": "Cdg2Cf1BnvStDcNm44",
+          "resp_mime_types": [
+            "image\/x-icon"
+          ],
+          "trans_depth": 2,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "HTTP | id.orig_p:49207 status_code:200 
method:GET request_body_len:0 id.resp_p:80 uri:\/favicon.ico tags:[] 
uid:Cdg2Cf1BnvStDcNm44 resp_mime_types:[\"image\\\/x-icon\"] trans_depth:2 
host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 
response_body_len:318 user_agent:Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 
6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET 
CLR 3.0.30729; Media Center PC 6.0) ts:1492671514.0 id.resp_h:95.163.121.204 
resp_fuids:[\"F0ASzM1opxGAKE6oMe\"]",
+          "ip_dst_addr": "95.163.121.204",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568780",
+          "host": "7oqnsnzwwnm6zb7y.gigapaysun.com",
+          "adapter:geoadapter:end:ts": "1492671574050",
+          "ip_src_addr": "192.168.138.158",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574128",
+          "enrichments:geo:ip_dst_addr:longitude": "37.6068",
+          "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; 
WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 
3.0.30729; Media Center PC 6.0)",
+          "resp_fuids": [
+            "F0ASzM1opxGAKE6oMe"
+          ],
+          "timestamp": 1492671514000,
+          "method": "GET",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568599",
+          "request_body_len": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568780",
+          "uri": "\/favicon.ico",
+          "tags": [],
+          "ip_src_port": 49207,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574128",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "status_msg": "OK",
+          "guid": "8132f2f4-3f5c-42b0-b068-74a2889a61ce",
+          "enrichments:geo:ip_dst_addr:country": "RU",
+          "response_body_len": 318
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLmA1LEanKS6qPFd",
+        "_score": 1.0,
+        "_timestamp": 1492671514000,
+        "_source": {
+          "bro_timestamp": "1492671514.0",
+          "status_code": 200,
+          "enrichments:geo:ip_dst_addr:location_point": "55.7386,37.6068",
+          "ip_dst_port": 80,
+          "threatinteljoinbolt:joiner:ts": "1492671574812",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568599",
+          "enrichmentjoinbolt:joiner:ts": "1492671574123",
+          "adapter:geoadapter:begin:ts": "1492671574050",
+          "enrichments:geo:ip_dst_addr:latitude": "55.7386",
+          "uid": "CFP2Yy2RG2OaIaUyXj",
+          "resp_mime_types": [
+            "text\/html"
+          ],
+          "trans_depth": 2,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "HTTP | id.orig_p:49209 status_code:200 
method:POST request_body_len:14 id.resp_p:80 
orig_mime_types:[\"text\\\/plain\"] uri:\/11iQmfg tags:[] 
uid:CFP2Yy2RG2OaIaUyXj 
referrer:http:\/\/7oqnsnzwwnm6zb7y.gigapaysun.com\/11iQmfg 
resp_mime_types:[\"text\\\/html\"] trans_depth:2 
orig_fuids:[\"F6gXkl3UhcrQFYuUJf\"] host:7oqnsnzwwnm6zb7y.gigapaysun.com 
status_msg:OK id.orig_h:192.168.138.158 response_body_len:14641 
user_agent:Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; 
Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 
3.0.30729; Media Center PC 6.0) ts:1492671514.0 id.resp_h:95.163.121.204 
resp_fuids:[\"FBkU002WomFd5HE3d6\"]",
+          "ip_dst_addr": "95.163.121.204",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568780",
+          "host": "7oqnsnzwwnm6zb7y.gigapaysun.com",
+          "adapter:geoadapter:end:ts": "1492671574050",
+          "ip_src_addr": "192.168.138.158",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574128",
+          "enrichments:geo:ip_dst_addr:longitude": "37.6068",
+          "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; 
WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 
3.0.30729; Media Center PC 6.0)",
+          "resp_fuids": [
+            "FBkU002WomFd5HE3d6"
+          ],
+          "timestamp": 1492671514000,
+          "method": "POST",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568599",
+          "request_body_len": 14,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568780",
+          "orig_mime_types": [
+            "text\/plain"
+          ],
+          "uri": "\/11iQmfg",
+          "tags": [],
+          "referrer": "http:\/\/7oqnsnzwwnm6zb7y.gigapaysun.com\/11iQmfg",
+          "orig_fuids": [
+            "F6gXkl3UhcrQFYuUJf"
+          ],
+          "ip_src_port": 49209,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574128",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "status_msg": "OK",
+          "guid": "b2979646-d870-48fd-8aa3-bf7173176374",
+          "enrichments:geo:ip_dst_addr:country": "RU",
+          "response_body_len": 14641
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLmA1LEanKS6qPFe",
+        "_score": 1.0,
+        "_timestamp": 1492671521000,
+        "_source": {
+          "bro_timestamp": "1492671521.0",
+          "ip_dst_port": 8080,
+          "threatinteljoinbolt:joiner:ts": "1492671574812",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568599",
+          "enrichmentjoinbolt:joiner:ts": "1492671574123",
+          "adapter:geoadapter:begin:ts": "1492671574051",
+          "uid": "CUrRne3iLIxXavQtci",
+          "trans_depth": 197,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "HTTP | id.orig_p:50451 method:GET 
request_body_len:0 id.resp_p:8080 
uri:\/api\/v1\/clusters\/metron_cluster\/requests?to=end&page_size=10&fields=Requests&_=1484169211634
 tags:[] uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:197 
host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla\/5.0 
(Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) 
Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671521.0 id.resp_h:192.168.66.121",
+          "ip_dst_addr": "192.168.66.121",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568780",
+          "host": "node1",
+          "adapter:geoadapter:end:ts": "1492671574051",
+          "ip_src_addr": "192.168.66.1",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574128",
+          "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) 
AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36",
+          "timestamp": 1492671521000,
+          "method": "GET",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568602",
+          "request_body_len": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568780",
+          "uri": 
"\/api\/v1\/clusters\/metron_cluster\/requests?to=end&page_size=10&fields=Requests&_=1484169211634",
+          "tags": [],
+          "referrer": "http:\/\/node1:8080\/",
+          "ip_src_port": 50451,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574128",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "guid": "1d76fe7a-33f7-4fad-bc56-6bc804f3a8d9",
+          "response_body_len": 0
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLmA1LEanKS6qPFf",
+        "_score": 1.0,
+        "_timestamp": 1492671521000,
+        "_source": {
+          "TTLs": [
+            29.0
+          ],
+          "qclass_name": "C_INTERNET",
+          "bro_timestamp": "1492671521.0",
+          "qtype_name": "A",
+          "ip_dst_port": 53,
+          "threatinteljoinbolt:joiner:ts": "1492671574812",
+          "qtype": 1,
+          "rejected": false,
+          "answers": [
+            "62.75.195.236"
+          ],
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568603",
+          "enrichmentjoinbolt:joiner:ts": "1492671574128",
+          "trans_id": 62139,
+          "adapter:geoadapter:begin:ts": "1492671574051",
+          "uid": "CdZ0AH1QBmDVfSSbR1",
+          "protocol": "dns",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "DNS | AA:false TTLs:[29.0] 
qclass_name:C_INTERNET id.orig_p:50683 qtype_name:A qtype:1 rejected:false 
id.resp_p:53 
query:r03afd2.c3008e.xc07r.b0f.a39.h7f0fa5eu.vb8fbl.e8mfzdgrf7g0.groupprograms.in
 answers:[\"62.75.195.236\"] trans_id:62139 rcode:0 rcode_name:NOERROR TC:false 
RA:true uid:CdZ0AH1QBmDVfSSbR1 RD:true proto:udp id.orig_h:192.168.138.158 Z:0 
qclass:1 ts:1492671521.0 id.resp_h:192.168.138.2",
+          "ip_dst_addr": "192.168.138.2",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568780",
+          "Z": 0,
+          "adapter:geoadapter:end:ts": "1492671574051",
+          "ip_src_addr": "192.168.138.158",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574130",
+          "qclass": 1,
+          "timestamp": 1492671521000,
+          "AA": false,
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568603",
+          "query": 
"r03afd2.c3008e.xc07r.b0f.a39.h7f0fa5eu.vb8fbl.e8mfzdgrf7g0.groupprograms.in",
+          "rcode": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568780",
+          "rcode_name": "NOERROR",
+          "TC": false,
+          "RA": true,
+          "RD": true,
+          "ip_src_port": 50683,
+          "proto": "udp",
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574130",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "guid": "8dc34f72-78a4-4e3c-8799-7d5f030ab21f"
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLmc1LEanKS6qPFg",
+        "_score": 1.0,
+        "_timestamp": 1492671521000,
+        "_source": {
+          "enrichments:geo:ip_dst_addr:locID": "5308655",
+          "bro_timestamp": "1492671521.0",
+          "status_code": 404,
+          "enrichments:geo:ip_dst_addr:location_point": "33.4499,-112.0712",
+          "ip_dst_port": 80,
+          "threatinteljoinbolt:joiner:ts": "1492671574812",
+          "enrichments:geo:ip_dst_addr:dmaCode": "753",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568615",
+          "enrichmentjoinbolt:joiner:ts": "1492671574128",
+          "adapter:geoadapter:begin:ts": "1492671574051",
+          "enrichments:geo:ip_dst_addr:latitude": "33.4499",
+          "uid": "CXHN1k3JfGhpbuyb5j",
+          "resp_mime_types": [
+            "text\/html"
+          ],
+          "trans_depth": 1,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "HTTP | id.orig_p:49201 status_code:404 
method:POST request_body_len:162 id.resp_p:80 
orig_mime_types:[\"text\\\/plain\"] 
uri:\/wp-content\/themes\/twentyfifteen\/img5.php?u=mfymi71rapdzk tags:[] 
uid:CXHN1k3JfGhpbuyb5j resp_mime_types:[\"text\\\/html\"] trans_depth:1 
orig_fuids:[\"FbYFa74InGlqw9Ruy7\"] host:runlove.us status_msg:Not Found 
id.orig_h:192.168.138.158 response_body_len:357 user_agent:Mozilla\/4.0 
(compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 
2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) 
ts:1492671521.0 id.resp_h:204.152.254.221 resp_fuids:[\"F7xVXgXCuqJOzIPo4\"]",
+          "ip_dst_addr": "204.152.254.221",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568780",
+          "host": "runlove.us",
+          "adapter:geoadapter:end:ts": "1492671574051",
+          "ip_src_addr": "192.168.138.158",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574130",
+          "enrichments:geo:ip_dst_addr:longitude": "-112.0712",
+          "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; 
WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 
3.0.30729; Media Center PC 6.0)",
+          "resp_fuids": [
+            "F7xVXgXCuqJOzIPo4"
+          ],
+          "timestamp": 1492671521000,
+          "method": "POST",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568616",
+          "request_body_len": 162,
+          "enrichments:geo:ip_dst_addr:city": "Phoenix",
+          "enrichments:geo:ip_dst_addr:postalCode": "85004",
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568780",
+          "orig_mime_types": [
+            "text\/plain"
+          ],
+          "uri": 
"\/wp-content\/themes\/twentyfifteen\/img5.php?u=mfymi71rapdzk",
+          "tags": [],
+          "orig_fuids": [
+            "FbYFa74InGlqw9Ruy7"
+          ],
+          "ip_src_port": 49201,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574130",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "status_msg": "Not Found",
+          "guid": "ee7ceffa-d01a-48b7-b7ec-7d9ea17e1a08",
+          "enrichments:geo:ip_dst_addr:country": "US",
+          "response_body_len": 357
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLmc1LEanKS6qPFh",
+        "_score": 1.0,
+        "_timestamp": 1492671521000,
+        "_source": {
+          "bro_timestamp": "1492671521.0",
+          "ip_dst_port": 8080,
+          "threatinteljoinbolt:joiner:ts": "1492671574812",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568616",
+          "enrichmentjoinbolt:joiner:ts": "1492671574128",
+          "adapter:geoadapter:begin:ts": "1492671574051",
+          "uid": "CUrRne3iLIxXavQtci",
+          "trans_depth": 122,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "HTTP | id.orig_p:50451 method:GET 
request_body_len:0 id.resp_p:8080 
uri:\/api\/v1\/clusters\/metron_cluster?fields=Clusters\/health_report,Clusters\/total_hosts,alerts_summary_hosts&minimal_response=true&_=1484168786092
 tags:[] uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:122 
host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla\/5.0 
(Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) 
Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671521.0 id.resp_h:192.168.66.121",
+          "ip_dst_addr": "192.168.66.121",
+          "adapter:hostfromjsonlistadapter:end:ts": "1492671568780",
+          "host": "node1",
+          "adapter:geoadapter:end:ts": "1492671574051",
+          "ip_src_addr": "192.168.66.1",
+          "threatintelsplitterbolt:splitter:end:ts": "1492671574130",
+          "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) 
AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36",
+          "timestamp": 1492671521000,
+          "method": "GET",
+          "enrichmentsplitterbolt:splitter:end:ts": "1492671568616",
+          "request_body_len": 0,
+          "adapter:hostfromjsonlistadapter:begin:ts": "1492671568780",
+          "uri": 
"\/api\/v1\/clusters\/metron_cluster?fields=Clusters\/health_report,Clusters\/total_hosts,alerts_summary_hosts&minimal_response=true&_=1484168786092",
+          "tags": [],
+          "referrer": "http:\/\/node1:8080\/",
+          "ip_src_port": 50451,
+          "threatintelsplitterbolt:splitter:begin:ts": "1492671574130",
+          "adapter:threatinteladapter:begin:ts": "1492671574808",
+          "guid": "d24bb6b1-ba10-4aab-9738-aa16cfab2a90",
+          "response_body_len": 0
+        }
+      },
+      {
+        "_index": "bro_index_2017.04.20.06",
+        "_type": "bro_doc",
+        "_id": "AVuKKLmc1LEanKS6qPFi",
+        "_score": 1.0,
+        "_timestamp": 1492671521000,
+        "_source": {
+          "bro_timestamp": "1492671521.0",
+          "status_code": 200,
+          "enrichments:geo:ip_dst_addr:location_point": "55.7386,37.6068",
+          "ip_dst_port": 80,
+          "threatinteljoinbolt:joiner:ts": "1492671574812",
+          "enrichmentsplitterbolt:splitter:begin:ts": "1492671568616",
+          "enrichmentjoinbolt:joiner:ts": "1492671574128",
+          "adapter:geoadapter:begin:ts": "1492671574051",
+          "enrichments:geo:ip_dst_addr:latitude": "55.7386",
+          "uid": "CsHRi01CuOHO3HUHWa",
+          "resp_mime_types": [
+            "image\/png"
+          ],
+          "trans_depth": 1,
+          "protocol": "http",
+          "source:type": "bro",
+          "adapter:threatinteladapter:end:ts": "1492671574808",
+          "original_string": "HTTP | id.orig_p:49208 status_code:200 
method:GET request_body_len:0 id.resp_p:80 
uri:\/picture.php?k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764 tags:[] 
uid:CsHRi01CuOHO3HUHWa 
referrer:http:\/\/7oqnsnzwwnm6zb7y.gigapaysun.com\/11iQmfg 
resp_mime_types:[\"image\\\/png\"] trans_depth:1 
host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 
response_body_len:1823 user_agent:Mozilla\/4.0 (compatible; MSIE 8.0; Windows 
NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; 
.NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671521.0 
id.resp_h:95.163.121.204 resp_fuids:[\"FYBfM7ON3Ts49il0b\"]",
+

<TRUNCATED>
