Fixed the suggested review1 changes and added RAW log files for SentinelOne.
Jayesh Prajapati authored and Jayesh Prajapati committed Aug 24, 2023
1 parent 6e13afa commit 0edb547
Showing 9 changed files with 6,093 additions and 44 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -1284,6 +1284,10 @@
{
"Name": "scanAbortedAt_t",
"Type": "datetime"
},
{
"Name": "_ItemId",
"Type": "string"
}
]
}
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
Parser:
Title: Network Session ASIM filtering parser for SentinelOne
Version: '0.1.1'
Version: '0.1.0'
LastUpdated: Jul 27 2023
Product:
Name: SentinelOne
Expand All @@ -17,7 +17,7 @@ References:
Description: |
This ASIM parser supports normalizing SentinelOne logs to the ASIM Network Session normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
ParserName: ASimNetworkSessionSentinelOne
EquivalentBuiltInParser: _Im_NetworkSession_SentinelOne
EquivalentBuiltInParser: _ASim_NetworkSession_SentinelOne
ParserParams:
- Name: disabled
Type: bool
Expand All @@ -30,30 +30,33 @@ ParserQuery: |
"OUTGOING", "Outbound",
"INCOMING", "Inbound",
];
let DeviceTypeLookup = datatable (agentDetectionInfo_machineType_s: string, SrcDeviceType: string)
[
"desktop", "Computer",
"server", "Computer",
"laptop", "Computer",
"kubernetes node", "Other",
"unknown", "Other"
];
let parser = (disabled: bool=false) {
SentinelOne_CL
| where not(disabled)
and event_name_s == "Alerts."
and alertInfo_eventType_s == "TCPV4"
| lookup NetworkDirectionLookup on alertInfo_netEventDirection_s
| lookup DeviceTypeLookup on agentDetectionInfo_machineType_s
| invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')
| extend
DstPortNumber = toint(alertInfo_dstPort_s),
SrcPortNumber = toint(alertInfo_srcPort_s),
AdditionalFields = bag_pack(
"MachineType",
agentDetectionInfo_machineType_s,
"OsRevision",
agentDetectionInfo_osRevision_s
)
SrcPortNumber = toint(alertInfo_srcPort_s)
| project-rename
EventStartTime = sourceProcessInfo_pidStarttime_t,
DstIpAddr = alertInfo_dstIp_s,
DvcHostname = agentDetectionInfo_name_s,
EventUid = _ResourceId,
EventUid = _ItemId,
SrcIpAddr = alertInfo_srcIp_s,
DvcId = agentDetectionInfo_uuid_g,
DvcOs = agentDetectionInfo_osName_s,
DvcOsVersion = agentDetectionInfo_version_s,
DvcOsVersion = agentDetectionInfo_osRevision_s,
EventOriginalSeverity = ruleInfo_severity_s,
EventOriginalUid = alertInfo_dvEventId_s,
SrcProcessName = sourceProcessInfo_name_s,
Expand All @@ -72,14 +75,16 @@ ParserQuery: |
DvcIdType = iff(isnotempty(DvcId), "Other", ""),
SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)
| extend
Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr)
Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr),
Hostname = SrcHostname
| extend
EventCount = int(1),
EventProduct = "SentinelOne",
EventResult = "Success",
DvcAction = "Allow",
EventSchema = "NetworkSession",
EventSchemaVersion = "0.2.6",
EventResultDetails = "Unknown",
EventResultDetails = "NA",
EventType = "EndpointNetworkSession",
EventVendor = "SentinelOne",
NetworkProtocol = "TCP",
Expand All @@ -90,6 +95,7 @@ ParserQuery: |
*_g,
*_t,
*_b,
_ResourceId,
TenantId,
RawData,
Computer,
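Review bot: `DvcAction = "Allow"` and `EventResult = "Success"` are emitted as constants for every record that passes the `event_name_s == "Alerts."` and `alertInfo_eventType_s == "TCPV4"` filter, so if SentinelOne ever raises one of these alerts for a connection it blocked or mitigated, the normalized row would report it as an allowed, successful session; the filtering parser's hunk further down hard-codes the same two values. If the source records genuinely carry no verdict, state that next to the constants, e.g. `# DvcAction/EventResult are fixed: TCPV4 alert records expose no verdict field — TODO confirm against SentinelOne docs`; otherwise map them from the source field that does. Separately, the Title still reads "Network Session ASIM filtering parser for SentinelOne" although this file's parser takes only `disabled` and is named ASimNetworkSessionSentinelOne, so `Title: Network Session ASIM parser for SentinelOne` would match the ParserName and distinguish it from the filtering variant. The parser body continues outside the visible hunks.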
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
Parser:
Title: Network Session ASIM filtering parser for SentinelOne
Version: '0.1.1'
Version: '0.1.0'
LastUpdated: Jul 27 2023
Product:
Name: SentinelOne
Expand Down Expand Up @@ -57,6 +57,14 @@ ParserQuery: |
"OUTGOING", "Outbound",
"INCOMING", "Inbound",
];
let DeviceTypeLookup = datatable (agentDetectionInfo_machineType_s: string, SrcDeviceType: string)
[
"desktop", "Computer",
"server", "Computer",
"laptop", "Computer",
"kubernetes node", "Other",
"unknown", "Other"
];
let parser=(
disabled: bool=false,
starttime: datetime=datetime(null),
Expand All @@ -80,7 +88,7 @@ ParserQuery: |
and (eventresult == "*" or eventresult == "Success")
and (isnull(dstportnumber) or toint(alertInfo_dstPort_s) == dstportnumber)
and (array_length(hostname_has_any) == 0 or agentDetectionInfo_name_s has_any (hostname_has_any))
and array_length(dvcaction) == 0
and (array_length(dvcaction) == 0 or dvcaction has_any ("Allow"))
| extend
temp_SrcMatch = has_any_ipv4_prefix(alertInfo_srcIp_s, src_or_any),
temp_DstMatch = has_any_ipv4_prefix(alertInfo_dstIp_s, dst_or_any)
Expand All @@ -99,24 +107,19 @@ ParserQuery: |
ASimMatchingHostname = "SrcHostname"
| where ASimMatchingIpAddr != "No match"
| lookup NetworkDirectionLookup on alertInfo_netEventDirection_s
| lookup DeviceTypeLookup on agentDetectionInfo_machineType_s
| invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')
| extend
DstPortNumber = toint(alertInfo_dstPort_s),
SrcPortNumber = toint(alertInfo_srcPort_s),
AdditionalFields = bag_pack(
"MachineType",
agentDetectionInfo_machineType_s,
"OsRevision",
agentDetectionInfo_osRevision_s
)
SrcPortNumber = toint(alertInfo_srcPort_s)
| project-rename
EventStartTime = sourceProcessInfo_pidStarttime_t,
DstIpAddr = alertInfo_dstIp_s,
DvcHostname = agentDetectionInfo_name_s,
EventUid = _ResourceId,
EventUid = _ItemId,
SrcIpAddr = alertInfo_srcIp_s,
DvcId = agentDetectionInfo_uuid_g,
DvcOs = agentDetectionInfo_osName_s,
DvcOsVersion = agentDetectionInfo_version_s,
DvcOsVersion = agentDetectionInfo_osRevision_s,
EventOriginalSeverity = ruleInfo_severity_s,
EventOriginalUid = alertInfo_dvEventId_s,
SrcProcessName = sourceProcessInfo_name_s,
Expand All @@ -135,14 +138,16 @@ ParserQuery: |
DvcIdType = iff(isnotempty(DvcId), "Other", ""),
SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)
| extend
Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr)
Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr),
Hostname = SrcHostname
| extend
EventCount = int(1),
EventProduct = "SentinelOne",
EventResult = "Success",
DvcAction = "Allow",
EventSchema = "NetworkSession",
EventSchemaVersion = "0.2.6",
EventResultDetails = "Unknown",
EventResultDetails = "NA",
EventType = "EndpointNetworkSession",
EventVendor = "SentinelOne",
NetworkProtocol = "TCP",
Expand All @@ -153,6 +158,7 @@ ParserQuery: |
*_g,
*_t,
*_b,
_ResourceId,
temp*,
TenantId,
RawData,
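Review bot: `Hostname = SrcHostname` in the second `extend` points the Hostname alias at the source host, while the tester line that disappears from the results files below ("Missing recommended alias [Hostname] aliasing non-existent column [DstHostname]") indicates the NetworkSession schema expects Hostname to alias DstHostname; the non-filtering parser above adds the same line. Satisfying the tester by aliasing a different column means Hostname-based queries across sources would return the endpoint's own name instead of the destination, which is misleading for analysts who pivot on that field. If DstHostname is not available in these records, leave the alias out and accept the Info-level finding, or keep it and document the deviation, e.g. `# Hostname aliases SrcHostname: DstHostname is not present in SentinelOne TCPV4 alerts — TODO confirm against ASIM guidance`. The parser body continues outside the visible hunks.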
Original file line number Diff line number Diff line change
@@ -1,8 +1,7 @@
Result
"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [DvcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [SrcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)"
"(2) Info: Empty value in 10986 records (96.52%) in optional field [SrcUsername] (Schema:NetworkSession)"
"(2) Info: Empty value in 11382 records (100.0%) in recommended field [EventUid] (Schema:NetworkSession)"
"(2) Info: Empty value in 1718 records (15.09%) in optional field [DvcFQDN] (Schema:NetworkSession)"
"(2) Info: Empty value in 1718 records (15.09%) in recommended field [DvcDomain] (Schema:NetworkSession)"
"(2) Info: Empty value in 2 records (0.02%) in optional field [SrcProcessName] (Schema:NetworkSession)"
Original file line number Diff line number Diff line change
Expand Up @@ -3,13 +3,13 @@
"(1) Warning: Missing recommended field [ASimMatchingIpAddr]"
"(1) Warning: Missing recommended field [DstDomain]"
"(1) Warning: Missing recommended field [DstHostname]"
"(1) Warning: Missing recommended field [DvcDomain]"
"(1) Warning: Missing recommended field [SrcDomain]"
"(2) Info: Missing optional alias [Duration] aliasing non-existent column [NetworkDuration]"
"(2) Info: Missing optional alias [InnerVlanId] aliasing non-existent column [SrcVlanId]"
"(2) Info: Missing optional alias [OuterVlanId] aliasing non-existent column [DstVlanId]"
"(2) Info: Missing optional alias [SessionId] aliasing non-existent column [NetworkSessionId]"
"(2) Info: Missing optional alias [User] aliasing non-existent column [DstUsername]"
"(2) Info: Missing optional field [AdditionalFields]"
"(2) Info: Missing optional field [DstAppId]"
"(2) Info: Missing optional field [DstAppName]"
"(2) Info: Missing optional field [DstAppType]"
Expand Down Expand Up @@ -39,9 +39,7 @@
"(2) Info: Missing optional field [DstUsername]"
"(2) Info: Missing optional field [DstVlanId]"
"(2) Info: Missing optional field [DstZone]"
"(2) Info: Missing optional field [DvcAction]"
"(2) Info: Missing optional field [DvcDescription]"
"(2) Info: Missing optional field [DvcFQDN]"
"(2) Info: Missing optional field [DvcInboundInterface]"
"(2) Info: Missing optional field [DvcInterface]"
"(2) Info: Missing optional field [DvcMacAddr]"
Expand Down Expand Up @@ -74,7 +72,6 @@
"(2) Info: Missing optional field [SrcAppType]"
"(2) Info: Missing optional field [SrcBytes]"
"(2) Info: Missing optional field [SrcDescription]"
"(2) Info: Missing optional field [SrcDeviceType]"
"(2) Info: Missing optional field [SrcFQDN]"
"(2) Info: Missing optional field [SrcGeoCity]"
"(2) Info: Missing optional field [SrcGeoCountry]"
Expand Down Expand Up @@ -111,4 +108,3 @@
"(2) Info: Missing optional field [ThreatOriginalConfidence]"
"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
"(2) Info: Missing optional field [ThreatRiskLevel]"
"(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [DstHostname]"
Original file line number Diff line number Diff line change
@@ -1,8 +1,7 @@
Result
"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [DvcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [SrcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)"
"(2) Info: Empty value in 10986 records (96.52%) in optional field [SrcUsername] (Schema:NetworkSession)"
"(2) Info: Empty value in 11382 records (100.0%) in recommended field [EventUid] (Schema:NetworkSession)"
"(2) Info: Empty value in 1718 records (15.09%) in optional field [DvcFQDN] (Schema:NetworkSession)"
"(2) Info: Empty value in 1718 records (15.09%) in recommended field [DvcDomain] (Schema:NetworkSession)"
"(2) Info: Empty value in 2 records (0.02%) in optional field [SrcProcessName] (Schema:NetworkSession)"
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
Result
"(1) Warning: Missing recommended field [DstDomain]"
"(1) Warning: Missing recommended field [DstHostname]"
"(1) Warning: Missing recommended field [DvcDomain]"
"(1) Warning: Missing recommended field [SrcDomain]"
"(2) Info: Missing optional alias [Duration] aliasing non-existent column [NetworkDuration]"
"(2) Info: Missing optional alias [InnerVlanId] aliasing non-existent column [SrcVlanId]"
"(2) Info: Missing optional alias [OuterVlanId] aliasing non-existent column [DstVlanId]"
"(2) Info: Missing optional alias [SessionId] aliasing non-existent column [NetworkSessionId]"
"(2) Info: Missing optional alias [User] aliasing non-existent column [DstUsername]"
"(2) Info: Missing optional field [AdditionalFields]"
"(2) Info: Missing optional field [DstAppId]"
"(2) Info: Missing optional field [DstAppName]"
"(2) Info: Missing optional field [DstAppType]"
Expand Down Expand Up @@ -37,9 +37,7 @@
"(2) Info: Missing optional field [DstUsername]"
"(2) Info: Missing optional field [DstVlanId]"
"(2) Info: Missing optional field [DstZone]"
"(2) Info: Missing optional field [DvcAction]"
"(2) Info: Missing optional field [DvcDescription]"
"(2) Info: Missing optional field [DvcFQDN]"
"(2) Info: Missing optional field [DvcInboundInterface]"
"(2) Info: Missing optional field [DvcInterface]"
"(2) Info: Missing optional field [DvcMacAddr]"
Expand Down Expand Up @@ -72,7 +70,6 @@
"(2) Info: Missing optional field [SrcAppType]"
"(2) Info: Missing optional field [SrcBytes]"
"(2) Info: Missing optional field [SrcDescription]"
"(2) Info: Missing optional field [SrcDeviceType]"
"(2) Info: Missing optional field [SrcFQDN]"
"(2) Info: Missing optional field [SrcGeoCity]"
"(2) Info: Missing optional field [SrcGeoCountry]"
Expand Down Expand Up @@ -109,4 +106,3 @@
"(2) Info: Missing optional field [ThreatOriginalConfidence]"
"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
"(2) Info: Missing optional field [ThreatRiskLevel]"
"(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [DstHostname]"