ASIM Network Session schema parser with its sample and test data for …
…SentinelOne.
Jayesh Prajapati authored and Jayesh Prajapati committed Jul 30, 2023
1 parent 529288a commit 6e13afa
Showing 11 changed files with 1,749 additions and 2 deletions.
896 changes: 896 additions & 0 deletions .script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml
Expand Up @@ -75,6 +75,6 @@ ParserQuery: |
, ASimNetworkSessionMicrosoftSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))
, ASimNetworkSessionForcePointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionForcePointFirewall' in (DisabledParsers) ))
, ASimNetworkSessionNative (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNative' in (DisabledParsers) ))
, ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))
, ASimNetworkSessionSentinelOne (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne' in (DisabledParsers) ))
};
NetworkSessionsGeneric (pack=pack)
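--- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml
@@ -0,0 +1,100 @@
+Parser:
+Title: Network Session ASIM filtering parser for SentinelOne
+Version: '0.1.1'
+LastUpdated: Jul 27 2023
+Product:
+Name: SentinelOne
+Normalization:
+Schema: NetworkSession
+Version: '0.2.6'
+References:
+- Title: ASIM Network Session Schema
+Link: https://aka.ms/ASimNetworkSessionDoc
+- Title: ASIM
+Link: https:/aka.ms/AboutASIM
+- Title: SentinelOne Documentation
+- Link: https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview
+Description: |
+This ASIM parser supports normalizing SentinelOne logs to the ASIM Network Session normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+ParserName: ASimNetworkSessionSentinelOne
+EquivalentBuiltInParser: _Im_NetworkSession_SentinelOne
+ParserParams:
+- Name: disabled
+Type: bool
+Default: false
+ParserQuery: |
+let NetworkDirectionLookup = datatable (
+alertInfo_netEventDirection_s: string,
+NetworkDirection: string
+)[
+"OUTGOING", "Outbound",
+"INCOMING", "Inbound",
+];
+let parser = (disabled: bool=false) {
+SentinelOne_CL
+| where not(disabled)
+and event_name_s == "Alerts."
+and alertInfo_eventType_s == "TCPV4"
+| lookup NetworkDirectionLookup on alertInfo_netEventDirection_s
+| extend
+DstPortNumber = toint(alertInfo_dstPort_s),
+SrcPortNumber = toint(alertInfo_srcPort_s),
+AdditionalFields = bag_pack(
+"MachineType",
+agentDetectionInfo_machineType_s,
+"OsRevision",
+agentDetectionInfo_osRevision_s
+)
+| project-rename
+EventStartTime = sourceProcessInfo_pidStarttime_t,
+DstIpAddr = alertInfo_dstIp_s,
+DvcHostname = agentDetectionInfo_name_s,
+EventUid = _ResourceId,
+SrcIpAddr = alertInfo_srcIp_s,
+DvcId = agentDetectionInfo_uuid_g,
+DvcOs = agentDetectionInfo_osName_s,
+DvcOsVersion = agentDetectionInfo_version_s,
+EventOriginalSeverity = ruleInfo_severity_s,
+EventOriginalUid = alertInfo_dvEventId_s,
+SrcProcessName = sourceProcessInfo_name_s,
+SrcProcessId = sourceProcessInfo_pid_s,
+SrcUsername = sourceProcessInfo_user_s
+| extend
+EventEndTime = EventStartTime,
+Dst = DstIpAddr,
+DvcIpAddr = SrcIpAddr,
+Src = SrcIpAddr,
+SrcHostname = DvcHostname,
+SrcDvcId = DvcId,
+IpAddr = SrcIpAddr,
+EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity),
+SrcDvcIdType = iff(isnotempty(DvcId), "Other", ""),
+DvcIdType = iff(isnotempty(DvcId), "Other", ""),
+SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)
+| extend
+Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr)
+| extend
+EventCount = int(1),
+EventProduct = "SentinelOne",
+EventResult = "Success",
+EventSchema = "NetworkSession",
+EventSchemaVersion = "0.2.6",
+EventResultDetails = "Unknown",
+EventType = "EndpointNetworkSession",
+EventVendor = "SentinelOne",
+NetworkProtocol = "TCP",
+NetworkProtocolVersion = "IPv4"
+| project-away
+*_d,
+*_s,
+*_g,
+*_t,
+*_b,
+TenantId,
+RawData,
+Computer,
+MG,
+ManagementGroupName,
+SourceSystem
+};
+parser(disabled = disabled)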
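Review bot: The second extend binds the agent host to the source side unconditionally (`DvcIpAddr = SrcIpAddr`, `SrcHostname = DvcHostname`, `SrcDvcId = DvcId`), yet the lookup table two blocks earlier maps `INCOMING` to `Inbound`; if INCOMING denotes a connection arriving at the agent host, Inbound rows would carry the agent's own name and id as the remote source and the remote peer's address as DvcIpAddr, mislabeling which side of the session is the monitored endpoint. The same mapping is repeated in vimNetworkSessionSentinelOne.yaml. Making the extend direction-aware on the `NetworkDirection` column produced by the lookup fixes both files, and the `SrcDvcIdType`/`DvcIdType` lines should then be derived from the new fields in a following extend rather than from `DvcId` alone. Two smaller points in the header: `- Link:` under the "SentinelOne Documentation" reference starts a new list item instead of being a key of the preceding item, so the title and link are emitted as two separate references (also in the vim file), and `https:/aka.ms/AboutASIM` is missing a slash; the Title also reads `filtering parser` although this is the non-filtering ASim parser.
```yaml
    | extend
        EventEndTime = EventStartTime,
        Dst = DstIpAddr,
        Src = SrcIpAddr,
        // the agent host is the local endpoint: source of an Outbound session, destination of an Inbound one
        DvcIpAddr = iff(NetworkDirection == "Inbound", DstIpAddr, SrcIpAddr),
        SrcHostname = iff(NetworkDirection == "Inbound", "", DvcHostname),
        DstHostname = iff(NetworkDirection == "Inbound", DvcHostname, ""),
        SrcDvcId = iff(NetworkDirection == "Inbound", "", DvcId),
        DstDvcId = iff(NetworkDirection == "Inbound", DvcId, ""),
        // … unchanged: IpAddr, EventSeverity, SrcDvcIdType, DvcIdType, SrcUsernameType …
```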
2 changes: 1 addition & 1 deletion Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml
Expand Up @@ -108,6 +108,6 @@ ParserQuery: |
, vimNetworkSessionCiscoASA (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoASA' in (DisabledParsers) ))
, vimNetworkSessionForcePointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionForcePointFirewall' in (DisabledParsers) ))
, vimNetworkSessionNative (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionNative' in (DisabledParsers) ))
, vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))
, vimNetworkSessionSentinelOne (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSentinelOne' in (DisabledParsers) ))
};
NetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack)
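--- a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml
@@ -0,0 +1,175 @@
+Parser:
+Title: Network Session ASIM filtering parser for SentinelOne
+Version: '0.1.1'
+LastUpdated: Jul 27 2023
+Product:
+Name: SentinelOne
+Normalization:
+Schema: NetworkSession
+Version: '0.2.6'
+References:
+- Title: ASIM Network Session Schema
+Link: https://aka.ms/ASimNetworkSessionDoc
+- Title: ASIM
+Link: https:/aka.ms/AboutASIM
+- Title: SentinelOne Documentation
+- Link: https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview
+Description: |
+This ASIM parser supports normalizing SentinelOne logs to the ASIM Network Session normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+ParserName: vimNetworkSessionSentinelOne
+EquivalentBuiltInParser: _Im_NetworkSession_SentinelOne
+ParserParams:
+- Name: starttime
+Type: datetime
+Default: datetime(null)
+- Name: endtime
+Type: datetime
+Default: datetime(null)
+- Name: srcipaddr_has_any_prefix
+Type: dynamic
+Default: dynamic([])
+- Name: dstipaddr_has_any_prefix
+Type: dynamic
+Default: dynamic([])
+- Name: ipaddr_has_any_prefix
+Type: dynamic
+Default: dynamic([])
+- Name: dstportnumber
+Type: int
+Default: int(null)
+- Name: dvcaction
+Type: dynamic
+Default: dynamic([])
+- Name: hostname_has_any
+Type: dynamic
+Default: dynamic([])
+- Name: eventresult
+Type: string
+Default: '*'
+- Name: disabled
+Type: bool
+Default: false
+ParserQuery: |
+let NetworkDirectionLookup = datatable (
+alertInfo_netEventDirection_s: string,
+NetworkDirection: string
+)[
+"OUTGOING", "Outbound",
+"INCOMING", "Inbound",
+];
+let parser=(
+disabled: bool=false,
+starttime: datetime=datetime(null),
+endtime: datetime=datetime(null),
+eventresult: string='*',
+srcipaddr_has_any_prefix: dynamic=dynamic([]),
+dstipaddr_has_any_prefix: dynamic=dynamic([]),
+ipaddr_has_any_prefix: dynamic=dynamic([]),
+hostname_has_any: dynamic=dynamic([]),
+dstportnumber: int=int(null),
+dvcaction: dynamic=dynamic([])
+) {
+let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);
+let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
+SentinelOne_CL
+| where not(disabled)
+and (isnull(starttime) or TimeGenerated >= starttime)
+and (isnull(endtime) or TimeGenerated <= endtime)
+and event_name_s == "Alerts."
+and alertInfo_eventType_s == "TCPV4"
+and (eventresult == "*" or eventresult == "Success")
+and (isnull(dstportnumber) or toint(alertInfo_dstPort_s) == dstportnumber)
+and (array_length(hostname_has_any) == 0 or agentDetectionInfo_name_s has_any (hostname_has_any))
+and array_length(dvcaction) == 0
+| extend
+temp_SrcMatch = has_any_ipv4_prefix(alertInfo_srcIp_s, src_or_any),
+temp_DstMatch = has_any_ipv4_prefix(alertInfo_dstIp_s, dst_or_any)
+| extend
+ASimMatchingIpAddr=case(
+array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,
+"-",
+temp_SrcMatch and temp_DstMatch,
+"Both",
+temp_SrcMatch,
+"SrcIpAddr",
+temp_DstMatch,
+"DstIpAddr",
+"No match"
+),
+ASimMatchingHostname = "SrcHostname"
+| where ASimMatchingIpAddr != "No match"
+| lookup NetworkDirectionLookup on alertInfo_netEventDirection_s
+| extend
+DstPortNumber = toint(alertInfo_dstPort_s),
+SrcPortNumber = toint(alertInfo_srcPort_s),
+AdditionalFields = bag_pack(
+"MachineType",
+agentDetectionInfo_machineType_s,
+"OsRevision",
+agentDetectionInfo_osRevision_s
+)
+| project-rename
+EventStartTime = sourceProcessInfo_pidStarttime_t,
+DstIpAddr = alertInfo_dstIp_s,
+DvcHostname = agentDetectionInfo_name_s,
+EventUid = _ResourceId,
+SrcIpAddr = alertInfo_srcIp_s,
+DvcId = agentDetectionInfo_uuid_g,
+DvcOs = agentDetectionInfo_osName_s,
+DvcOsVersion = agentDetectionInfo_version_s,
+EventOriginalSeverity = ruleInfo_severity_s,
+EventOriginalUid = alertInfo_dvEventId_s,
+SrcProcessName = sourceProcessInfo_name_s,
+SrcProcessId = sourceProcessInfo_pid_s,
+SrcUsername = sourceProcessInfo_user_s
+| extend
+EventEndTime = EventStartTime,
+Dst = DstIpAddr,
+DvcIpAddr = SrcIpAddr,
+Src = SrcIpAddr,
+SrcHostname = DvcHostname,
+SrcDvcId = DvcId,
+IpAddr = SrcIpAddr,
+EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity),
+SrcDvcIdType = iff(isnotempty(DvcId), "Other", ""),
+DvcIdType = iff(isnotempty(DvcId), "Other", ""),
+SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)
+| extend
+Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr)
+| extend
+EventCount = int(1),
+EventProduct = "SentinelOne",
+EventResult = "Success",
+EventSchema = "NetworkSession",
+EventSchemaVersion = "0.2.6",
+EventResultDetails = "Unknown",
+EventType = "EndpointNetworkSession",
+EventVendor = "SentinelOne",
+NetworkProtocol = "TCP",
+NetworkProtocolVersion = "IPv4"
+| project-away
+*_d,
+*_s,
+*_g,
+*_t,
+*_b,
+temp*,
+TenantId,
+RawData,
+Computer,
+MG,
+ManagementGroupName,
+SourceSystem
+};
+parser(
+disabled=disabled,
+starttime=starttime,
+endtime=endtime,
+eventresult=eventresult,
+srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,
+dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,
+ipaddr_has_any_prefix=ipaddr_has_any_prefix,
+hostname_has_any=hostname_has_any,
+dstportnumber=dstportnumber,
+dvcaction=dvcaction
+)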
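Review bot: `ASimMatchingHostname = "SrcHostname"` is assigned to every row even when `hostname_has_any` is empty, whereas the `ASimMatchingIpAddr` case expression directly above it returns `"-"` when no address filter was supplied, so a caller of an unfiltered query is told a hostname match occurred. Mirroring the address logic with `ASimMatchingHostname = iff(array_length(hostname_has_any) == 0, "-", "SrcHostname")` keeps the two fields consistent, and is sufficient because the preceding `where` already drops rows whose `agentDetectionInfo_name_s` does not satisfy the filter. Separately, `and array_length(dvcaction) == 0` silently returns an empty result for any non-empty dvcaction filter because the parser never populates DvcAction; a comment such as `// DvcAction is not available in SentinelOne TCPV4 alerts, so a dvcaction filter yields no rows` would make that deliberate choice visible to the next maintainer.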
@@ -0,0 +1,8 @@
Result
"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [DvcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [SrcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)"
"(2) Info: Empty value in 10986 records (96.52%) in optional field [SrcUsername] (Schema:NetworkSession)"
"(2) Info: Empty value in 11382 records (100.0%) in recommended field [EventUid] (Schema:NetworkSession)"
"(2) Info: Empty value in 2 records (0.02%) in optional field [SrcProcessName] (Schema:NetworkSession)"

0 comments on commit 6e13afa
