diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json index a240d92d89b..52fd5c3a423 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json @@ -1284,6 +1284,10 @@ { "Name": "scanAbortedAt_t", "Type": "datetime" + }, + { + "Name": "_ItemId", + "Type": "string" } ] } \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml index 150be2a66da..6623d0d68de 100644 --- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml +++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml @@ -1,6 +1,6 @@ Parser: Title: Network Session ASIM filtering parser for SentinelOne - Version: '0.1.1' + Version: '0.1.0' LastUpdated: Jul 27 2023 Product: Name: SentinelOne @@ -17,7 +17,7 @@ References: Description: | This ASIM parser supports normalizing SentinelOne logs to the ASIM Network Session normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. ParserName: ASimNetworkSessionSentinelOne -EquivalentBuiltInParser: _Im_NetworkSession_SentinelOne +EquivalentBuiltInParser: _ASim_NetworkSession_SentinelOne ParserParams: - Name: disabled Type: bool 
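Review bot: The `Version` field moves backwards, from `'0.1.1'` to `'0.1.0'`, in the `@@ -1,6 +1,6 @@` hunk even though the same commit changes what the parser emits (SrcDeviceType, DvcFQDN/DvcDomain, a different EventUid source, DvcOsVersion from a different column); ASIM parser versions are expected to increase with every behavioural change, and a downgrade makes the deployed parser look older than the one it replaces. Unless 0.1.1 was never published, this should be a bump, e.g. `Version: '0.1.2'`, and `LastUpdated: Jul 27 2023` should track the change date as well. The same downgrade is repeated in the vimNetworkSessionSentinelOne.yaml header further down. The `EquivalentBuiltInParser` correction to `_ASim_NetworkSession_SentinelOne` looks right for the parameter-less parser.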
@@ -30,30 +30,33 @@ ParserQuery: | "OUTGOING", "Outbound", "INCOMING", "Inbound", ]; + let DeviceTypeLookup = datatable (agentDetectionInfo_machineType_s: string, SrcDeviceType: string) + [ + "desktop", "Computer", + "server", "Computer", + "laptop", "Computer", + "kubernetes node", "Other", + "unknown", "Other" + ]; let parser = (disabled: bool=false) { SentinelOne_CL | where not(disabled) and event_name_s == "Alerts." and alertInfo_eventType_s == "TCPV4" | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s + | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s + | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s') | extend DstPortNumber = toint(alertInfo_dstPort_s), - SrcPortNumber = toint(alertInfo_srcPort_s), - AdditionalFields = bag_pack( - "MachineType", - agentDetectionInfo_machineType_s, - "OsRevision", - agentDetectionInfo_osRevision_s - ) + SrcPortNumber = toint(alertInfo_srcPort_s) | project-rename EventStartTime = sourceProcessInfo_pidStarttime_t, DstIpAddr = alertInfo_dstIp_s, - DvcHostname = agentDetectionInfo_name_s, - EventUid = _ResourceId, + EventUid = _ItemId, SrcIpAddr = alertInfo_srcIp_s, DvcId = agentDetectionInfo_uuid_g, DvcOs = agentDetectionInfo_osName_s, - DvcOsVersion = agentDetectionInfo_version_s, + DvcOsVersion = agentDetectionInfo_osRevision_s, EventOriginalSeverity = ruleInfo_severity_s, EventOriginalUid = alertInfo_dvEventId_s, SrcProcessName = sourceProcessInfo_name_s, 
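Review bot: `lookup DeviceTypeLookup on agentDetectionInfo_machineType_s` is an exact, case-sensitive left-outer join, so any machineType outside the five listed values (or one that differs only in case) leaves SrcDeviceType empty instead of landing in the "Other" bucket the table explicitly gives to `"unknown"`, which looks like the intended fallback. If so, add a fallback right after the lookup: `| extend SrcDeviceType = iff(isempty(SrcDeviceType), "Other", SrcDeviceType)`. Switching `EventUid` to `_ItemId` depends on the `_ItemId` column being present in the custom table, which the test-schema JSON in this diff adds, so the two changes should ship together. The `project-rename` statement this hunk starts continues outside the hunk.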
@@ -72,14 +75,16 @@ ParserQuery: | DvcIdType = iff(isnotempty(DvcId), "Other", ""), SrcUsernameType = _ASIM_GetUsernameType(SrcUsername) | extend - Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr) + Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr), + Hostname = SrcHostname | extend EventCount = int(1), EventProduct = "SentinelOne", EventResult = "Success", + DvcAction = "Allow", EventSchema = "NetworkSession", EventSchemaVersion = "0.2.6", - EventResultDetails = "Unknown", + EventResultDetails = "NA", EventType = "EndpointNetworkSession", EventVendor = "SentinelOne", NetworkProtocol = "TCP", @@ -90,6 +95,7 @@ ParserQuery: | *_g, *_t, *_b, + _ResourceId, TenantId, RawData, Computer, diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml index 4d91207b245..ca8ecb5852c 100644 --- a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml +++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml @@ -1,6 +1,6 @@ Parser: Title: Network Session ASIM filtering parser for SentinelOne - Version: '0.1.1' + Version: '0.1.0' LastUpdated: Jul 27 2023 Product: Name: SentinelOne @@ -57,6 +57,14 @@ ParserQuery: | "OUTGOING", "Outbound", "INCOMING", "Inbound", ]; + let DeviceTypeLookup = datatable (agentDetectionInfo_machineType_s: string, SrcDeviceType: string) + [ + "desktop", "Computer", + "server", "Computer", + "laptop", "Computer", + "kubernetes node", "Other", + "unknown", "Other" + ]; let parser=( disabled: bool=false, starttime: datetime=datetime(null), 
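Review bot: `Hostname = SrcHostname` removes the schema-tester warning, but the warning it replaces (`Missing recommended alias [Hostname] aliasing non-existent column [DstHostname]`, dropped from the SchemaTest CSVs later in this diff) indicates the NetworkSession schema defines `Hostname` as an alias of `DstHostname`, so a consumer reading `Hostname` would get the source endpoint here while other NetworkSession parsers return the destination. If SentinelOne carries no destination hostname, it is safer to leave the alias unset than to redefine it; worth confirming against the schema reference for version 0.2.6 before merging. If kept, a comment above the line, e.g. `// Hostname deliberately aliases SrcHostname: SentinelOne TCPV4 alerts carry no destination hostname`, would stop the next reader from treating it as a mistake. The `extend` statement this hunk starts continues outside the hunk.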
@@ -80,7 +88,7 @@ ParserQuery: | and (eventresult == "*" or eventresult == "Success") and (isnull(dstportnumber) or toint(alertInfo_dstPort_s) == dstportnumber) and (array_length(hostname_has_any) == 0 or agentDetectionInfo_name_s has_any (hostname_has_any)) - and array_length(dvcaction) == 0 + and (array_length(dvcaction) == 0 or dvcaction has_any ("Allow")) | extend temp_SrcMatch = has_any_ipv4_prefix(alertInfo_srcIp_s, src_or_any), temp_DstMatch = has_any_ipv4_prefix(alertInfo_dstIp_s, dst_or_any) @@ -99,24 +107,19 @@ ParserQuery: | ASimMatchingHostname = "SrcHostname" | where ASimMatchingIpAddr != "No match" | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s + | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s + | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s') | extend DstPortNumber = toint(alertInfo_dstPort_s), - SrcPortNumber = toint(alertInfo_srcPort_s), - AdditionalFields = bag_pack( - "MachineType", - agentDetectionInfo_machineType_s, - "OsRevision", - agentDetectionInfo_osRevision_s - ) + SrcPortNumber = toint(alertInfo_srcPort_s) | project-rename EventStartTime = sourceProcessInfo_pidStarttime_t, DstIpAddr = alertInfo_dstIp_s, - DvcHostname = agentDetectionInfo_name_s, - EventUid = _ResourceId, + EventUid = _ItemId, SrcIpAddr = alertInfo_srcIp_s, DvcId = agentDetectionInfo_uuid_g, DvcOs = agentDetectionInfo_osName_s, - DvcOsVersion = agentDetectionInfo_version_s, + DvcOsVersion = agentDetectionInfo_osRevision_s, EventOriginalSeverity = ruleInfo_severity_s, EventOriginalUid = alertInfo_dvEventId_s, SrcProcessName = sourceProcessInfo_name_s, 
@@ -135,14 +138,16 @@ ParserQuery: | DvcIdType = iff(isnotempty(DvcId), "Other", ""), SrcUsernameType = _ASIM_GetUsernameType(SrcUsername) | extend - Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr) + Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr), + Hostname = SrcHostname | extend EventCount = int(1), EventProduct = "SentinelOne", EventResult = "Success", + DvcAction = "Allow", EventSchema = "NetworkSession", EventSchemaVersion = "0.2.6", - EventResultDetails = "Unknown", + EventResultDetails = "NA", EventType = "EndpointNetworkSession", EventVendor = "SentinelOne", NetworkProtocol = "TCP", @@ -153,6 +158,7 @@ ParserQuery: | *_g, *_t, *_b, + _ResourceId, temp*, TenantId, RawData, diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv index 10ca146e0a8..21dc08043a4 100644 --- a/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv +++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv 
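Review bot: `DvcAction = "Allow"` is asserted for every TCPV4 alert, yet nothing visible in the record states whether the agent permitted the connection: these rows are STAR rule hits over EDR telemetry (the sample rule is `EventType = "IP Connect" OR EventType = "IP Listen"`), which are observations rather than verdicts, and a listen event is not a completed session at all. If SentinelOne exposes no allow/block outcome for these events, leaving DvcAction unset is the schema-valid choice; the filtering clause added earlier in this file (`dvcaction has_any ("Allow")`) then simply would not match, which is the honest answer for a consumer asking for allowed traffic. If the constant is justified (for example, the agent only reports connections that were actually established), say so in a comment above the line: `// EDR telemetry: the connection was observed, i.e. not blocked by the agent`. The `extend` statement this hunk starts continues outside the hunk.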
@@ -1,8 +1,7 @@ Result "(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)" "(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)" -"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [DvcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)" -"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [SrcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)" "(2) Info: Empty value in 10986 records (96.52%) in optional field [SrcUsername] (Schema:NetworkSession)" -"(2) Info: Empty value in 11382 records (100.0%) in recommended field [EventUid] (Schema:NetworkSession)" +"(2) Info: Empty value in 1718 records (15.09%) in optional field [DvcFQDN] (Schema:NetworkSession)" +"(2) Info: Empty value in 1718 records (15.09%) in recommended field [DvcDomain] (Schema:NetworkSession)" "(2) Info: Empty value in 2 records (0.02%) in optional field [SrcProcessName] (Schema:NetworkSession)" diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv index 193b198240e..a4589594eac 100644 --- a/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv +++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv 
@@ -3,13 +3,13 @@ "(1) Warning: Missing recommended field [ASimMatchingIpAddr]" "(1) Warning: Missing recommended field [DstDomain]" "(1) Warning: Missing recommended field [DstHostname]" -"(1) Warning: Missing recommended field [DvcDomain]" "(1) Warning: Missing recommended field [SrcDomain]" "(2) Info: Missing optional alias [Duration] aliasing non-existent column [NetworkDuration]" "(2) Info: Missing optional alias [InnerVlanId] aliasing non-existent column [SrcVlanId]" "(2) Info: Missing optional alias [OuterVlanId] aliasing non-existent column [DstVlanId]" "(2) Info: Missing optional alias [SessionId] aliasing non-existent column [NetworkSessionId]" "(2) Info: Missing optional alias [User] aliasing non-existent column [DstUsername]" +"(2) Info: Missing optional field [AdditionalFields]" "(2) Info: Missing optional field [DstAppId]" "(2) Info: Missing optional field [DstAppName]" "(2) Info: Missing optional field [DstAppType]" @@ -39,9 +39,7 @@ "(2) Info: Missing optional field [DstUsername]" "(2) Info: Missing optional field [DstVlanId]" "(2) Info: Missing optional field [DstZone]" -"(2) Info: Missing optional field [DvcAction]" "(2) Info: Missing optional field [DvcDescription]" -"(2) Info: Missing optional field [DvcFQDN]" "(2) Info: Missing optional field [DvcInboundInterface]" "(2) Info: Missing optional field [DvcInterface]" "(2) Info: Missing optional field [DvcMacAddr]" @@ -74,7 +72,6 @@ "(2) Info: Missing optional field [SrcAppType]" "(2) Info: Missing optional field [SrcBytes]" "(2) Info: Missing optional field [SrcDescription]" -"(2) Info: Missing optional field [SrcDeviceType]" "(2) Info: Missing optional field [SrcFQDN]" "(2) Info: Missing optional field [SrcGeoCity]" "(2) Info: Missing optional field [SrcGeoCountry]" 
@@ -111,4 +108,3 @@ "(2) Info: Missing optional field [ThreatOriginalConfidence]" "(2) Info: Missing optional field [ThreatOriginalRiskLevel]" "(2) Info: Missing optional field [ThreatRiskLevel]" -"(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [DstHostname]" diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv index 10ca146e0a8..21dc08043a4 100644 --- a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv +++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv @@ -1,8 +1,7 @@ Result "(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)" "(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)" -"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [DvcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)" -"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [SrcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)" "(2) Info: Empty value in 10986 records (96.52%) in optional field [SrcUsername] (Schema:NetworkSession)" -"(2) Info: Empty value in 11382 records (100.0%) in recommended field [EventUid] (Schema:NetworkSession)" +"(2) Info: Empty value in 1718 records (15.09%) in optional field [DvcFQDN] (Schema:NetworkSession)" +"(2) Info: Empty value in 1718 records (15.09%) in recommended field [DvcDomain] (Schema:NetworkSession)" "(2) Info: Empty value in 2 records (0.02%) in optional field [SrcProcessName] (Schema:NetworkSession)" 
diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv index f2db7436c48..a8589c94648 100644 --- a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv +++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv @@ -1,13 +1,13 @@ Result "(1) Warning: Missing recommended field [DstDomain]" "(1) Warning: Missing recommended field [DstHostname]" -"(1) Warning: Missing recommended field [DvcDomain]" "(1) Warning: Missing recommended field [SrcDomain]" "(2) Info: Missing optional alias [Duration] aliasing non-existent column [NetworkDuration]" "(2) Info: Missing optional alias [InnerVlanId] aliasing non-existent column [SrcVlanId]" "(2) Info: Missing optional alias [OuterVlanId] aliasing non-existent column [DstVlanId]" "(2) Info: Missing optional alias [SessionId] aliasing non-existent column [NetworkSessionId]" "(2) Info: Missing optional alias [User] aliasing non-existent column [DstUsername]" +"(2) Info: Missing optional field [AdditionalFields]" "(2) Info: Missing optional field [DstAppId]" "(2) Info: Missing optional field [DstAppName]" "(2) Info: Missing optional field [DstAppType]" @@ -37,9 +37,7 @@ "(2) Info: Missing optional field [DstUsername]" "(2) Info: Missing optional field [DstVlanId]" "(2) Info: Missing optional field [DstZone]" -"(2) Info: Missing optional field [DvcAction]" "(2) Info: Missing optional field [DvcDescription]" -"(2) Info: Missing optional field [DvcFQDN]" "(2) Info: Missing optional field [DvcInboundInterface]" "(2) Info: Missing optional field [DvcInterface]" "(2) Info: Missing optional field [DvcMacAddr]" 
@@ -72,7 +70,6 @@ "(2) Info: Missing optional field [SrcAppType]" "(2) Info: Missing optional field [SrcBytes]" "(2) Info: Missing optional field [SrcDescription]" -"(2) Info: Missing optional field [SrcDeviceType]" "(2) Info: Missing optional field [SrcFQDN]" "(2) Info: Missing optional field [SrcGeoCity]" "(2) Info: Missing optional field [SrcGeoCountry]" @@ -109,4 +106,3 @@ "(2) Info: Missing optional field [ThreatOriginalConfidence]" "(2) Info: Missing optional field [ThreatOriginalRiskLevel]" "(2) Info: Missing optional field [ThreatRiskLevel]" -"(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [DstHostname]" diff --git a/Sample Data/ASIM/SentinelOne_ASimNetworkSession_RawLogs.json b/Sample Data/ASIM/SentinelOne_ASimNetworkSession_RawLogs.json new file mode 100644 index 00000000000..7155625710d --- /dev/null +++ b/Sample Data/ASIM/SentinelOne_ASimNetworkSession_RawLogs.json 
@@ -0,0 +1,6042 @@ +[ + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 5:10:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "0f81ec00-9e52-48e6-b899-eb3bbeede741", + "alertInfo_dstIp": "1.1.1.1", + "alertInfo_dstPort": 21, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.1", + "alertInfo_srcPort": 11, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "73ffd9f9-7430-51bf-89fd-275f31272868", + "targetProcessInfo_tgtProcUid": "73ffdf8e-0a44-5079-fd74-243fc15cbe7e", + "sourceParentProcessInfo_storyline": "73ffdf8e-0a44-5079-fd74-243fc15cbe7c", + "sourceParentProcessInfo_uniqueId": "73ffdf8e-0a44-5079-fd74-243fc15cbe7d", + "sourceProcessInfo_storyline": "73ffdf8e-0a33-5079-fd74-243fc15cbe7c", + "sourceProcessInfo_uniqueId": "73ffdf8e-0a22-5079-fd74-243fc15cbe7c", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": 
"Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1736709934432915500, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 4:52:24 AM", + "alertInfo_dvEventId": "01H65P81VTDWS403SH4ZN0JS9T_0", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 4:52:37 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 4:52:37 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/lib/systemd/systemd --switched-root --system --deserialize 22", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "d00e622d514a3351de5cede74496dd50c65fbabb", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/lib/systemd/systemd", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "systemd", + "sourceParentProcessInfo_pid": 1, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/24/2023, 
4:49:44 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/local/demisto/d1_Test2/d1", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "27141d28091ab8527a01da1f02a2e8cf5a2bc95a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/local/demisto/d1_Test2/d1", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "d1", + "sourceProcessInfo_pid": 1279, + "sourceProcessInfo_pidStarttime [UTC]": "7/24/2023, 4:50:27 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + 
"agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + 
"threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": 
"", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "AC644457DCBAD901", + "alertInfo_dstIp": "1.1.1.2", + "alertInfo_dstPort": 22, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.2", + "alertInfo_srcPort": 12, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "FB4511F580778F51", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + 
"alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "433C0EF580778F52", + "targetProcessInfo_tgtProcUid": "433C0EF580778F53", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "D83C0EF580778F51", + "sourceProcessInfo_uniqueId": "D73C0EF580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738442842154200, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:10 AM", + "alertInfo_dvEventId": "01H65SG50RP78BRBAJ4ZGDQGGF_10", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:16 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:16 AM", + "ruleInfo_id": 1733309646016098600, + 
"ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\System32\\svchost.exe -k netprofm -p -s netprofm", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 2084, + "sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\NETWORK SERVICE", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + 
"targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + 
"agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + 
"threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": 
"", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.3", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.3", + "alertInfo_srcPort": 13, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "73ffdfe3-1bbd-6667-6750-684c8ca1c402", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "78d7744d-2837-40d2-aff4-bede5877836e", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "553D0EF580778F51", + "sourceProcessInfo_uniqueId": "543D0EF580778F51", + 
"agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738444335326700, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:14 AM", + "alertInfo_dvEventId": "01H65SGAGCE4JDGCGC1GCKNT9S_22", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:16 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:16 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": 
"MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\System32\\svchost.exe -k utcsvc -p", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 4604, + "sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:49 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": 
"", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + 
"threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + 
"detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.4", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": 
"2.2.2.4", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "svchost.exe,FrameServer", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "9C8612F580778F51", + "sourceParentProcessInfo_uniqueId": "9B8612F580778F51", + "sourceProcessInfo_storyline": "CD8712F580778F51", + "sourceProcessInfo_uniqueId": "CC8712F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738445736224300, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:09 AM", + "alertInfo_dvEventId": 
"01H65SG2PQ023350V5K0TTCRKP_16", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:16 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:16 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "sihost.exe", + "sourceParentProcessInfo_fileHashMd5": "e5a23407-157b-23f3-c244-1d412163e4ee", + "sourceParentProcessInfo_fileHashSha1": "e8d9750e757e5b580c56521a81ed0cc41d327d82", + "sourceParentProcessInfo_fileHashSha256": "51eb6455bdca85d3102a00b1ce89969016efc3ed8b08b24a2aa10e03ba1e2b13", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\sihost.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceParentProcessInfo_integrityLevel": "medium", + "sourceParentProcessInfo_name": "sihost.exe", + "sourceParentProcessInfo_pid": 3160, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/21/2023, 4:49:44 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "CLO007\\Crest", + "sourceProcessInfo_commandline": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\SearchHost.exe\" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca", + "sourceProcessInfo_fileHashMd5": "0d7ce0d4-741a-a223-0f5a-618a796f4739", + "sourceProcessInfo_fileHashSha1": "f456a426618804abec06fd5883219c4c6eace180", + "sourceProcessInfo_fileHashSha256": "8b5b969143e22d8f27d919948e30aff8594c15c3c69b42bbafa23551e1dc0c68", + "sourceProcessInfo_filePath": 
"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\SearchHost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "low", + "sourceProcessInfo_name": "SearchHost.exe", + "sourceProcessInfo_pid": 1160, + "sourceProcessInfo_pidStarttime [UTC]": "7/21/2023, 4:49:46 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "CLO007\\Crest", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + 
"agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + 
"threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": 
"", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.5", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.5", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + 
"targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "B83C0EF580778F51", + "sourceProcessInfo_uniqueId": "B73C0EF580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738460617615400, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:14 AM", + "alertInfo_dvEventId": "01H65SGAGCE4JDGCGC1GCKNT9S_32", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:18 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:18 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": 
"C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\system32\\svchost.exe -k NetworkService -p", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 1576, + "sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\NETWORK SERVICE", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + 
"targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", 
+ "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + 
"secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": 
"1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.6", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.6", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "C9B312F580778F51", + "sourceParentProcessInfo_uniqueId": "CFB512F580778F51", + "sourceProcessInfo_storyline": "C9B312F580778F51", + "sourceProcessInfo_uniqueId": "EAB512F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + 
"agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738491395420000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:11 AM", + "alertInfo_dvEventId": "01H65SG9CAMBQHFPH0TJD6EYXN_425", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:22 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:22 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\114.0.1823.82\\msedgewebview2.exe\" --embedded-browser-webview=1 --webview-exe-name=msteams.exe --webview-exe-version=23119.303.2080.2726 --user-data-dir=\"C:\\Users\\Crest\\AppData\\Local\\Packages\\MicrosoftTeams_8wekyb3d8bbwe\\LocalCache\\Microsoft\\MSTeams\\EBWebView\" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --edge-webview-custom-scheme --disable-features=MojoIpcz,msWebOOUI --edge-webview-is-background --enable-features=msSingleSignOnOSForPrimaryAccountIsShared,msEdgeFluentOverlayScrollbar,msWebView2CodeCache,msWebView2EnableDraggableRegions --mojo-named-platform-channel-pipe=9452.304.14872043078598792820 /pfhostedapp:e7e952ed836442a682dca713cb7c4d91d21a087a", + "sourceParentProcessInfo_fileHashMd5": 
"0f259745-8e7a-c81b-049d-45ef5b291246", + "sourceParentProcessInfo_fileHashSha1": "bbd88a2a41c94d4140ccaef71bfb771e0ccc5c32", + "sourceParentProcessInfo_fileHashSha256": "0ce0ef234aba4bf60f1c48a058ce764d52e91078e95312de4db4b0911f4cc7d4", + "sourceParentProcessInfo_filePath": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\114.0.1823.82\\msedgewebview2.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT CORPORATION", + "sourceParentProcessInfo_integrityLevel": "medium", + "sourceParentProcessInfo_name": "msedgewebview2.exe", + "sourceParentProcessInfo_pid": 7280, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:36:56 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "CLO007\\Crest", + "sourceProcessInfo_commandline": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\114.0.1823.82\\msedgewebview2.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir=\"C:\\Users\\Crest\\AppData\\Local\\Packages\\MicrosoftTeams_8wekyb3d8bbwe\\LocalCache\\Microsoft\\MSTeams\\EBWebView\" --webview-exe-name=msteams.exe --webview-exe-version=23119.303.2080.2726 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --edge-webview-custom-scheme --mojo-platform-channel-handle=2072 --field-trial-handle=1892,i,4999416576109179693,17961817705433260896,262144 --enable-features=msEdgeFluentOverlayScrollbar,msSingleSignOnOSForPrimaryAccountIsShared,msWebView2CodeCache,msWebView2EnableDraggableRegions --disable-features=MojoIpcz,msWebOOUI /prefetch:3 /pfhostedapp:e7e952ed836442a682dca713cb7c4d91d21a087a", + "sourceProcessInfo_fileHashMd5": "0f259745-8e7a-c81b-049d-45ef5b291246", + "sourceProcessInfo_fileHashSha1": "bbd88a2a41c94d4140ccaef71bfb771e0ccc5c32", + "sourceProcessInfo_fileHashSha256": "0ce0ef234aba4bf60f1c48a058ce764d52e91078e95312de4db4b0911f4cc7d4", + "sourceProcessInfo_filePath": 
"C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\114.0.1823.82\\msedgewebview2.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT CORPORATION", + "sourceProcessInfo_integrityLevel": "medium", + "sourceProcessInfo_name": "msedgewebview2.exe", + "sourceProcessInfo_pid": 4144, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:36:56 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "CLO007\\Crest", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": 
"", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": 
"", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + 
"mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.7", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.7", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": 
"", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "FC3C0EF580778F51", + "sourceProcessInfo_uniqueId": "FB3C0EF580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738492846649000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:10 AM", + "alertInfo_dvEventId": "01H65SG50RP78BRBAJ4ZGDQGGF_8", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:22 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:22 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": 
"C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\system32\\svchost.exe -k NetworkService -p", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 2692, + "sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:48 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\NETWORK SERVICE", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + 
"targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", 
+ "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + 
"secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": 
"1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.8", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.8", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "4E4B0EF580778F51", + "sourceProcessInfo_uniqueId": "4D4B0EF580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + 
"agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738499473650000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:14 AM", + "alertInfo_dvEventId": "01H65SGAGCE4JDGCGC1GCKNT9S_3", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:23 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:23 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": 
"C:\\Windows\\System32\\svchost.exe -k NetworkService -p", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 8620, + "sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:33:11 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\NETWORK SERVICE", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + 
"agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + 
"threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + 
"isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.9", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.9", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + 
"alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "B2B112F580778F51", + "sourceParentProcessInfo_uniqueId": "B1B112F580778F51", + "sourceProcessInfo_storyline": "B5B212F580778F51", + "sourceProcessInfo_uniqueId": "B4B212F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738500874547500, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:11 AM", + "alertInfo_dvEventId": "01H65SG9CAMBQHFPH0TJD6EYXN_432", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:23 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:23 AM", + "ruleInfo_id": 1733309646016098600, + 
"ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "sihost.exe", + "sourceParentProcessInfo_fileHashMd5": "e5a23407-157b-23f3-c244-1d412163e4ee", + "sourceParentProcessInfo_fileHashSha1": "e8d9750e757e5b580c56521a81ed0cc41d327d82", + "sourceParentProcessInfo_fileHashSha256": "51eb6455bdca85d3102a00b1ce89969016efc3ed8b08b24a2aa10e03ba1e2b13", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\sihost.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceParentProcessInfo_integrityLevel": "medium", + "sourceParentProcessInfo_name": "sihost.exe", + "sourceParentProcessInfo_pid": 13788, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:36:13 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "CLO007\\Crest", + "sourceProcessInfo_commandline": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost.exe\" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca", + "sourceProcessInfo_fileHashMd5": "4bd84472-eca2-b69a-0391-f61fa50d0f31", + "sourceProcessInfo_fileHashSha1": "0ca4bcd60601ec0d8602d4f5994cb0393edb892b", + "sourceProcessInfo_fileHashSha256": "c1fc7f6cb2228ee6386d91f27f1a61ae60a63deefb21d78bb810b7f027f1a489", + "sourceProcessInfo_filePath": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "low", + "sourceProcessInfo_name": "StartMenuExperienceHost.exe", + "sourceProcessInfo_pid": 4524, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:36:15 AM", + "sourceProcessInfo_subsystem": 
"sys_win32", + "sourceProcessInfo_user": "CLO007\\Crest", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + 
"agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + 
"threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt 
[UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.10", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.10", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "09AB12F580778F51", + 
"sourceProcessInfo_uniqueId": "08AB12F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738502325776600, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:14 AM", + "alertInfo_dvEventId": "01H65SGAGCE4JDGCGC1GCKNT9S_29", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:23 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:23 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + 
"sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s BITS", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 10972, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:28:16 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + 
"agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": 
"", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + 
"consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.11", + 
"alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.11", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "C43C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "C33C0EF580778F51", + "sourceProcessInfo_storyline": "34B612F580778F51", + "sourceProcessInfo_uniqueId": "33B612F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738511318365000, + "alertInfo_analystVerdict": "Undefined", + 
"alertInfo_createdAt [UTC]": "7/25/2023, 5:49:11 AM", + "alertInfo_dvEventId": "01H65SG9CAMBQHFPH0TJD6EYXN_434", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:24 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:24 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "sourceParentProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceParentProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceParentProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "svchost.exe", + "sourceParentProcessInfo_pid": 1752, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\system32\\wermgr.exe\" -upload", + "sourceProcessInfo_fileHashMd5": "b2eb37f1-bd88-302c-2f15-0217722a8c9f", + "sourceProcessInfo_fileHashSha1": "d8e0c1e1ad99a38f3a84414d5af7b761bf0eb924", + "sourceProcessInfo_fileHashSha256": "a4c41c6c4e1d0fadc9bd3313a3d0e329517f400bd8908dd8c70ac69758e60875", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\wermgr.exe", + 
"sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "wermgr.exe", + "sourceProcessInfo_pid": 5488, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:37:03 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + 
"agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + 
"threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + 
"networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.12", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.12", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": 
"", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "FEAE12F580778F51", + "sourceProcessInfo_uniqueId": "FDAE12F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738514782860300, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:14 AM", + "alertInfo_dvEventId": "01H65SGAGCE4JDGCGC1GCKNT9S_9", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:24 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:24 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": 
"68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wlidsvc", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 11436, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:34:08 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + 
"hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + 
"agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": 
"", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated 
[UTC]": "7/25/2023, 6:40:04 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.13", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.13", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "D83C0EF580778F51", + "sourceProcessInfo_uniqueId": "D73C0EF580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + 
"agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736756505571408600, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 6:24:58 AM", + "alertInfo_dvEventId": "01H65VHMRC71Y2GK2M458J2WMW_15", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 6:25:09 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 6:25:09 AM", + "ruleInfo_id": 1736743171400115500, + "ruleInfo_name": "CWL547", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EndpointName = \"CLO007", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Medium", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\System32\\svchost.exe -k netprofm -p -s netprofm", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + 
"sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 2084, + "sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\NETWORK SERVICE", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", 
+ "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + 
"threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": 
"", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:40:04 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.14", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.14", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + 
"alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "C43C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "C33C0EF580778F51", + "sourceProcessInfo_storyline": "24DB12F580778F51", + "sourceProcessInfo_uniqueId": "23DB12F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736757508513437700, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 6:27:00 AM", + "alertInfo_dvEventId": "01H65VN9YVSBR9FGDK3RJX7NKK_10", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 6:27:09 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 6:27:09 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = 
\"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "sourceParentProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceParentProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceParentProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "svchost.exe", + "sourceParentProcessInfo_pid": 1752, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "taskhostw.exe", + "sourceProcessInfo_fileHashMd5": "4887a65f-d4f6-598a-f498-6cbc1c0e5488", + "sourceProcessInfo_fileHashSha1": "0882f3f9947405bb80c2e830adf69af85c9b51c7", + "sourceProcessInfo_fileHashSha256": "82472a84bcbb4009add338200f8e853fe4c5eafe2e2c3a2d711b85bf29b72d54", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\taskhostw.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "taskhostw.exe", + "sourceProcessInfo_pid": 8648, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 6:26:34 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + 
"targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + 
"agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + 
"accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + 
"activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 10:30:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.15", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.15", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": 
"6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1736872444737646300, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 10:15:22 AM", + "alertInfo_dvEventId": "01H668QFMWS1BRZA6EAHDVWFN0_55", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 10:15:30 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 10:15:30 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "mount -t nfs -o vers=3,nolock 10.50.3.251: /root/nfsdir", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "f6d5066df72ae947089cb3762679c54f61d7c97f", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/bin/mount", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "mount", + "sourceParentProcessInfo_pid": 32168, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:15:07 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/sbin/mount.nfs 
10.50.3.251: /root/nfsdir", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "2894ddd5adc4c4f89d6171feb966ee8db03e3d48", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/sbin/mount.nfs", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "mount.nfs", + "sourceProcessInfo_pid": 32169, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:15:07 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + 
"agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + 
"threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + 
"locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 10:30:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.16", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.16", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + 
"alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1736872477948149000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 10:15:22 AM", + "alertInfo_dvEventId": "01H668QFMWS1BRZA6EAHDVWFN0_7", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 10:15:34 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 10:15:34 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + 
"ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "mount -t nfs -o vers=3,nolock 10.50.3.251:/ns2/bucket4/ /root/nfsdir", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "f6d5066df72ae947089cb3762679c54f61d7c97f", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/bin/mount", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "mount", + "sourceParentProcessInfo_pid": 32151, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:14:44 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/sbin/mount.nfs 10.50.3.251:/ns2/bucket4/ /root/nfsdir", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "2894ddd5adc4c4f89d6171feb966ee8db03e3d48", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/sbin/mount.nfs", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "mount.nfs", + "sourceProcessInfo_pid": 32152, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:14:44 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + 
"registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + 
"indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + 
"activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 10:30:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + 
"alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.17", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.17", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + 
"agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1736872503055255600, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 10:15:22 AM", + "alertInfo_dvEventId": "01H668QFMWS1BRZA6EAHDVWFN0_15", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 10:15:37 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 10:15:37 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "mount -t nfs -o vers=3,nolock 10.50.3.251:/ns2/bucket4 /root/nfsdir", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "f6d5066df72ae947089cb3762679c54f61d7c97f", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/bin/mount", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "mount", + "sourceParentProcessInfo_pid": 32157, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:14:59 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/sbin/mount.nfs 10.50.3.251:/ns2/bucket4 /root/nfsdir", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "2894ddd5adc4c4f89d6171feb966ee8db03e3d48", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/sbin/mount.nfs", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + 
"sourceProcessInfo_name": "mount.nfs", + "sourceProcessInfo_pid": 32158, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:14:59 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + 
"agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + 
"threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + 
"osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 10:30:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.18", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.18", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", 
+ "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1736872508449131000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 10:15:22 AM", + "alertInfo_dvEventId": "01H668QFMWS1BRZA6EAHDVWFN0_51", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 10:15:38 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 10:15:38 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "mount -t nfs -o vers=3,nolock 10.50.3.251:/ns2/ /root/nfsdir", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "f6d5066df72ae947089cb3762679c54f61d7c97f", + "sourceParentProcessInfo_fileHashSha256": "", + 
"sourceParentProcessInfo_filePath": "/usr/bin/mount", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "mount", + "sourceParentProcessInfo_pid": 32166, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:15:03 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/sbin/mount.nfs 10.50.3.251:/ns2/ /root/nfsdir", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "2894ddd5adc4c4f89d6171feb966ee8db03e3d48", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/sbin/mount.nfs", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "mount.nfs", + "sourceProcessInfo_pid": 32167, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:15:03 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + 
"agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + 
"threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": 
"", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 2:00:04 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.19", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.19", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + 
"targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "FEBB12F580778F51", + "sourceParentProcessInfo_uniqueId": "FDBB12F580778F51", + "sourceProcessInfo_storyline": "E0E912F580778F51", + "sourceProcessInfo_uniqueId": "DFE912F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736978424395258000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 1:45:59 PM", + "alertInfo_dvEventId": "01H66MS4AHVPK6ZSZA1W047SMR_278", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": 
"Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 1:46:04 PM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 1:46:04 PM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\Explorer.EXE", + "sourceParentProcessInfo_fileHashMd5": "357b678c-68d3-d5ee-86e1-b706fbfd994b", + "sourceParentProcessInfo_fileHashSha1": "a4e4e2bc502e4ab249b219da357d1aad163ab175", + "sourceParentProcessInfo_fileHashSha256": "8375581b32e510a1ddf90b1ff8ffb8a756d71e1d5572b1c7c027e9b7393ccd3b", + "sourceParentProcessInfo_filePath": "C:\\Windows\\explorer.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceParentProcessInfo_integrityLevel": "medium", + "sourceParentProcessInfo_name": "explorer.exe", + "sourceParentProcessInfo_pid": 14472, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:42:20 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "CLO007\\Crest", + "sourceProcessInfo_commandline": "C:\\Windows\\System32\\smartscreen.exe -Embedding", + "sourceProcessInfo_fileHashMd5": "8b71524d-b619-2b9a-1967-1156e27b1826", + "sourceProcessInfo_fileHashSha1": "4549fabd13aaf136087a4501682eb2559eaafdbb", + "sourceProcessInfo_fileHashSha256": "83c9bd1ff0dd424a841cd1b22993e09e16d1339501070613236b0d1f8bff92bc", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\smartscreen.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "medium", + "sourceProcessInfo_name": "smartscreen.exe", + "sourceProcessInfo_pid": 14528, + 
"sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 1:45:28 PM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "CLO007\\Crest", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + 
"agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + 
"threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + 
"registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 2:00:04 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.20", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.20", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "70BC12F580778F51", + 
"sourceParentProcessInfo_uniqueId": "19BF12F580778F51", + "sourceProcessInfo_storyline": "70BC12F580778F51", + "sourceProcessInfo_uniqueId": "42CD12F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736978447346490600, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 1:45:59 PM", + "alertInfo_dvEventId": "01H66MS4AHVPK6ZSZA1W047SMR_22", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 1:46:07 PM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 1:46:07 PM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Users\\Crest\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 
/SetPerProcessSystemDPIForceOffKey /EnableNucleusAutoStartFix", + "sourceParentProcessInfo_fileHashMd5": "8d5ca829-19d6-6439-685d-dd97dca650c6", + "sourceParentProcessInfo_fileHashSha1": "81c0122bc0adc75ce71912504b8d72825aecad35", + "sourceParentProcessInfo_fileHashSha256": "7dfe00a315c1e6956eb32c9d12fc809998590d15de1820b34b6d9ca7aa109b88", + "sourceParentProcessInfo_filePath": "C:\\Users\\Crest\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT CORPORATION", + "sourceParentProcessInfo_integrityLevel": "medium", + "sourceParentProcessInfo_name": "OneDriveSetup.exe", + "sourceParentProcessInfo_pid": 5412, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:46:58 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "CLO007\\Crest", + "sourceProcessInfo_commandline": "/updateInstalled /background", + "sourceProcessInfo_fileHashMd5": "174826c7-8c0a-a36d-a145-7e711e4c9e80", + "sourceProcessInfo_fileHashSha1": "56ee9857c7a0643d6f6d5e56c3f4689bb1499829", + "sourceProcessInfo_fileHashSha256": "159e208d7211b71b5dad89771bf1fc047de839bcb8e68475f248a051d2ebaa02", + "sourceProcessInfo_filePath": "C:\\Users\\Crest\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT CORPORATION", + "sourceProcessInfo_integrityLevel": "medium", + "sourceProcessInfo_name": "OneDrive.exe", + "sourceProcessInfo_pid": 2204, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:47:11 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "CLO007\\Crest", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + 
"targetProcessInfo_tgtProcIntegrityLevel": "unknown",
+ "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM",
+ "agentUpdatedVersion": "",
+ "agentId": "",
+ "hash": "",
+ "osFamily": "",
+ "threatId": "",
+ "creator": "",
+ "creatorId": "",
+ "inherits": "",
+ "isDefault": "",
+ "name": "",
+ "registrationToken": "",
+ "totalAgents": "",
+ "type": "",
+ "agentDetectionInfo_accountId": 1712500237934148900,
+ "agentDetectionInfo_accountName": "",
+ "agentDetectionInfo_agentDetectionState": "",
+ "agentDetectionInfo_agentDomain": "",
+ "agentDetectionInfo_agentIpV4": "",
+ "agentDetectionInfo_agentIpV6": "",
+ "agentDetectionInfo_agentLastLoggedInUserName": "",
+ "agentDetectionInfo_agentMitigationMode": "",
+ "agentDetectionInfo_agentOsName": "",
+ "agentDetectionInfo_agentOsRevision": "",
+ "agentDetectionInfo_agentRegisteredAt [UTC]": "",
+ "agentDetectionInfo_agentUuid": "",
+ "agentDetectionInfo_agentVersion": "",
+ "agentDetectionInfo_externalIp": "",
+ "agentDetectionInfo_groupId": "",
+ "agentDetectionInfo_groupName": "",
+ "agentDetectionInfo_siteId": 1712500242422055200,
+ "agentDetectionInfo_siteName": "",
+ "agentRealtimeInfo_accountId": "",
+ "agentRealtimeInfo_accountName": "",
+ "agentRealtimeInfo_activeThreats": "",
+ "agentRealtimeInfo_agentComputerName": "",
+ "agentRealtimeInfo_agentDomain": "",
+ "agentRealtimeInfo_agentId": "",
+ "agentRealtimeInfo_agentInfected": "",
+ "agentRealtimeInfo_agentIsActive": "",
+ "agentRealtimeInfo_agentIsDecommissioned": "",
+ "agentRealtimeInfo_agentMachineType": "",
+ "agentRealtimeInfo_agentMitigationMode": "",
+ "agentRealtimeInfo_agentNetworkStatus": "",
+ "agentRealtimeInfo_agentOsName": "",
+ "agentRealtimeInfo_agentOsRevision": "",
+ "agentRealtimeInfo_agentOsType": "",
+ "agentRealtimeInfo_agentUuid": "",
+ "agentRealtimeInfo_agentVersion": "",
+ "agentRealtimeInfo_groupId": "",
+ "agentRealtimeInfo_groupName": "",
+ "agentRealtimeInfo_networkInterfaces": "",
+ "agentRealtimeInfo_operationalState": "",
+ "agentRealtimeInfo_rebootRequired": "",
+ "agentRealtimeInfo_scanFinishedAt [UTC]": "",
+ "agentRealtimeInfo_scanStartedAt [UTC]": "",
+ "agentRealtimeInfo_scanStatus": "",
+ "agentRealtimeInfo_siteId": "",
+ "agentRealtimeInfo_siteName": "",
+ "agentRealtimeInfo_userActionsNeeded": "",
+ "indicators": "",
+ "mitigationStatus": "",
+ "threatInfo_analystVerdict": "",
+ "threatInfo_analystVerdictDescription": "",
+ "threatInfo_automaticallyResolved": "",
+ "threatInfo_certificateId": "",
+ "threatInfo_classification": "",
+ "threatInfo_classificationSource": "",
+ "threatInfo_cloudFilesHashVerdict": "",
+ "threatInfo_collectionId": "",
+ "threatInfo_confidenceLevel": "",
+ "threatInfo_createdAt [UTC]": "",
+ "threatInfo_detectionEngines": "",
+ "threatInfo_detectionType": "",
+ "threatInfo_engines": "",
+ "threatInfo_externalTicketExists": "",
+ "threatInfo_failedActions": "",
+ "threatInfo_fileExtension": "",
+ "threatInfo_fileExtensionType": "",
+ "threatInfo_filePath": "",
+ "threatInfo_fileSize": "",
+ "threatInfo_fileVerificationType": "",
+ "threatInfo_identifiedAt [UTC]": "",
+ "threatInfo_incidentStatus": "",
+ "threatInfo_incidentStatusDescription": "",
+ "threatInfo_initiatedBy": "",
+ "threatInfo_initiatedByDescription": "",
+ "threatInfo_isFileless": "",
+ "threatInfo_isValidCertificate": "",
+ "threatInfo_mitigatedPreemptively": "",
+ "threatInfo_mitigationStatus": "",
+ "threatInfo_mitigationStatusDescription": "",
+ "threatInfo_originatorProcess": "",
+ "threatInfo_pendingActions": "",
+ "threatInfo_processUser": "",
+ "threatInfo_publisherName": "",
+ "threatInfo_reachedEventsLimit": "",
+ "threatInfo_rebootRequired": "",
+ "threatInfo_sha1": "",
+ "threatInfo_storyline": "",
+ "threatInfo_threatId": "",
+ "threatInfo_threatName": "",
+ "threatInfo_updatedAt [UTC]": "",
+ "whiteningOptions": "",
+ "threatInfo_maliciousProcessArguments": "",
+ "accountId": "",
+ "accountName": "",
+ "activityType": "",
+ "activityUuid": "",
+ "createdAt [UTC]": "",
+ "id": "",
+ "primaryDescription": "",
+ "secondaryDescription": "",
+ "siteId": "",
+ "siteName": "",
+ "updatedAt [UTC]": "",
+ "userId": "",
+ "event_name": "Alerts.",
+ "DataFields": "",
+ "description": "",
+ "comments": "",
+ "activeDirectory_computerMemberOf": "",
+ "activeDirectory_lastUserMemberOf": "",
+ "activeThreats": "",
+ "agentVersion": "",
+ "allowRemoteShell": "",
+ "appsVulnerabilityStatus": "",
+ "computerName": "",
+ "consoleMigrationStatus": "",
+ "coreCount": "",
+ "cpuCount": "",
+ "cpuId": "",
+ "detectionState": "",
+ "domain": "",
+ "encryptedApplications": "",
+ "externalId": "",
+ "externalIp": "",
+ "firewallEnabled": "",
+ "firstFullModeTime [UTC]": "",
+ "fullDiskScanLastUpdatedAt [UTC]": "",
+ "groupId": "",
+ "groupIp": "",
+ "groupName": "",
+ "inRemoteShellSession": "",
+ "infected": "",
+ "installerType": "",
+ "isActive": "",
+ "isDecommissioned": "",
+ "isPendingUninstall": "",
+ "isUninstalled": "",
+ "isUpToDate": "",
+ "lastActiveDate [UTC]": "",
+ "lastIpToMgmt": "",
+ "lastLoggedInUserName": "",
+ "licenseKey": "",
+ "locationEnabled": "",
+ "locationType": "",
+ "locations": "",
+ "machineType": "",
+ "mitigationMode": "",
+ "mitigationModeSuspicious": "",
+ "modelName": "",
+ "networkInterfaces": "",
+ "networkQuarantineEnabled": "",
+ "networkStatus": "",
+ "operationalState": "",
+ "osArch": "",
+ "osName": "",
+ "osRevision": "",
+ "osStartTime [UTC]": "",
+ "osType": "",
+ "rangerStatus": "",
+ "rangerVersion": "",
+ "registeredAt [UTC]": "",
+ "remoteProfilingState": "",
+ "scanFinishedAt [UTC]": "",
+ "scanStartedAt [UTC]": "",
+ "scanStatus": "",
+ "serialNumber": "",
+ "showAlertIcon": "",
+ "tags_sentinelone": "",
+ "threatRebootRequired": "",
+ "totalMemory": "",
+ "userActionsNeeded": "",
+ "uuid": "",
+ "osUsername": "",
+ "scanAbortedAt [UTC]": "",
+ "activeDirectory_computerDistinguishedName": "",
+ "activeDirectory_lastUserDistinguishedName": "",
+ "Type": "SentinelOne_CL",
+ "_ResourceId": ""
+ }
+ ]
\ No newline at end of file
diff --git a/Sample Data/ASIM/SentinelOne_CL_Schema.csv b/Sample Data/ASIM/SentinelOne_CL_Schema.csv
index 7432410acb8..ff16136c833 100644
--- a/Sample Data/ASIM/SentinelOne_CL_Schema.csv
+++ b/Sample Data/ASIM/SentinelOne_CL_Schema.csv
@@ -311,3 +311,4 @@ RawData,6,"System.String",string
 "activeDirectory_lastUserDistinguishedName_s",309,"System.String",string
 Type,310,"System.String",string
 "_ResourceId",311,"System.String",string
+"_ItemId",312,"System.String",string
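Review bot: The schema CSV gains an `_ItemId` column, but the sample record in the JSON file that ends just above this section still closes with `"_ResourceId": ""` and carries no `_ItemId` key, so the two sample artifacts no longer describe the same shape. Any parser test that is driven from the sample JSON and reads the event identifier from `_ItemId` would presumably see an empty value rather than exercising the new column. Adding a matching entry such as `"_ItemId": "<constructed-sample-id>"` (a labelled placeholder; use the same empty-string convention as the neighbouring keys if no sample id is available) to the record keeps the sample data and the schema in step. The JSON hunk itself starts outside this view, so its earlier entries were not checked for the same omission.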
