From 6e13afa50400f80d04028e938b0158842c9b15ef Mon Sep 17 00:00:00 2001 From: Jayesh Prajapati Date: Sun, 30 Jul 2023 12:33:33 +0530 Subject: [PATCH] ASIM Network Session schema parser with its sample and test data for SentinelOne. --- .../CustomTables/SentinelOne_CL.json | 896 ++++++++++++++++++ .../Parsers/ASimNetworkSession.yaml | 2 +- .../ASimNetworkSessionSentinelOne.yaml | 100 ++ .../Parsers/imNetworkSession.yaml | 2 +- .../Parsers/vimNetworkSessionSentinelOne.yaml | 175 ++++ ...entinelOne_ASimNetworkSession_DataTest.csv | 8 + ...tinelOne_ASimNetworkSession_SchemaTest.csv | 114 +++ ...SentinelOne_vimNetworkSession_DataTest.csv | 8 + ...ntinelOne_vimNetworkSession_SchemaTest.csv | 112 +++ ...nelOne_ASimNetworkSession_IngestedLogs.csv | 21 + Sample Data/ASIM/SentinelOne_CL_Schema.csv | 313 ++++++ 11 files changed, 1749 insertions(+), 2 deletions(-) create mode 100644 Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml create mode 100644 Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml create mode 100644 Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv create mode 100644 Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv create mode 100644 Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv create mode 100644 Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv create mode 100644 Sample Data/ASIM/SentinelOne_ASimNetworkSession_IngestedLogs.csv create mode 100644 Sample Data/ASIM/SentinelOne_CL_Schema.csv diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json index c88a505bedd..a240d92d89b 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json 
@@ -388,6 +388,902 @@ { "Name": "_ResourceId", "Type": "string" + }, + { + "Name": "alertInfo_indicatorDescription_s", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorName_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileOldPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorCategory_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValue_g", + "Type": "string" + }, + { + "Name": "alertInfo_dstIp_s", + "Type": "string" + }, + { + "Name": "alertInfo_dstPort_s", + "Type": "string" + }, + { + "Name": "alertInfo_netEventDirection_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcIp_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcPort_s", + "Type": "string" + }, + { + "Name": "containerInfo_id_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileId_g", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValue_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValueType_s", + "Type": "string" + }, + { + "Name": "alertInfo_dnsRequest_s", + "Type": "string" + }, + { + "Name": "alertInfo_dnsResponse_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryKeyPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryValue_g", + "Type": "string" + }, + { + "Name": "ruleInfo_description_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryValue_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginAccountDomain_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginAccountSid_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginIsAdministratorEquivalent_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginIsSuccessful_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginType_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginsUserName_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcMachineIp_s", + "Type": "string" + }, + { + "Name": 
"targetProcessInfo_tgtProcCmdLine_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcImagePath_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcName_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcPid_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcSignedStatus_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcStorylineId_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcUid_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_storyline_g", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_uniqueId_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_storyline_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_uniqueId_g", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcStorylineId_g", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcUid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_machineType_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_name_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osFamily_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osRevision_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_uuid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_version_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_id_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_infected_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_isActive_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_isDecommissioned_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_machineType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_name_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_os_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_uuid_g", + "Type": "string" + }, 
+ { + "Name": "alertInfo_alertId_s", + "Type": "string" + }, + { + "Name": "alertInfo_analystVerdict_s", + "Type": "string" + }, + { + "Name": "alertInfo_createdAt_t", + "Type": "datetime" + }, + { + "Name": "alertInfo_dvEventId_s", + "Type": "string" + }, + { + "Name": "alertInfo_eventType_s", + "Type": "string" + }, + { + "Name": "alertInfo_hitType_s", + "Type": "string" + }, + { + "Name": "alertInfo_incidentStatus_s", + "Type": "string" + }, + { + "Name": "alertInfo_isEdr_b", + "Type": "bool" + }, + { + "Name": "alertInfo_reportedAt_t", + "Type": "datetime" + }, + { + "Name": "alertInfo_source_s", + "Type": "string" + }, + { + "Name": "alertInfo_updatedAt_t", + "Type": "datetime" + }, + { + "Name": "ruleInfo_id_s", + "Type": "string" + }, + { + "Name": "ruleInfo_name_s", + "Type": "string" + }, + { + "Name": "ruleInfo_queryLang_s", + "Type": "string" + }, + { + "Name": "ruleInfo_queryType_s", + "Type": "string" + }, + { + "Name": "ruleInfo_s1ql_s", + "Type": "string" + }, + { + "Name": "ruleInfo_scopeLevel_s", + "Type": "string" + }, + { + "Name": "ruleInfo_severity_s", + "Type": "string" + }, + { + "Name": "ruleInfo_treatAsThreat_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_commandline_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashMd5_g", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashSha1_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashSha256_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_filePath_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileSignerIdentity_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_integrityLevel_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_name_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_pid_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_pidStarttime_t", + "Type": "datetime" + }, + { + "Name": 
"sourceParentProcessInfo_storyline_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_subsystem_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_uniqueId_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_user_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_commandline_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashMd5_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashSha1_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashSha256_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_filePath_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileSignerIdentity_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_integrityLevel_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_name_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_pid_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_pidStarttime_t", + "Type": "datetime" + }, + { + "Name": "sourceProcessInfo_storyline_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_subsystem_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_uniqueId_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_user_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileCreatedAt_t", + "Type": "datetime" + }, + { + "Name": "targetProcessInfo_tgtFileHashSha1_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileHashSha256_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileId_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileIsSigned_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileModifiedAt_t", + "Type": "datetime" + }, + { + "Name": "targetProcessInfo_tgtFilePath_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcIntegrityLevel_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcessStartTime_t", + "Type": "datetime" + }, 
+ { + "Name": "agentUpdatedVersion_s", + "Type": "string" + }, + { + "Name": "agentId_s", + "Type": "string" + }, + { + "Name": "hash_s", + "Type": "string" + }, + { + "Name": "osFamily_s", + "Type": "string" + }, + { + "Name": "threatId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_accountId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_accountName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentDetectionState_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentDomain_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentIpV4_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentIpV6_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentLastLoggedInUserName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentMitigationMode_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentOsName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentOsRevision_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentRegisteredAt_t", + "Type": "datetime" + }, + { + "Name": "agentDetectionInfo_agentUuid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentVersion_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_externalIp_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_groupId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_groupName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_siteId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_siteName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_accountId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_accountName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_activeThreats_d", + "Type": "real" + }, + { + "Name": "agentRealtimeInfo_agentComputerName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentDomain_s", + "Type": "string" + }, + { + 
"Name": "agentRealtimeInfo_agentId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentInfected_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentIsActive_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentIsDecommissioned_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentMachineType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentMitigationMode_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentNetworkStatus_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsRevision_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentUuid_g", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentVersion_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_groupId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_groupName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_networkInterfaces_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_operationalState_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_rebootRequired_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_scanFinishedAt_t", + "Type": "datetime" + }, + { + "Name": "agentRealtimeInfo_scanStartedAt_t", + "Type": "datetime" + }, + { + "Name": "agentRealtimeInfo_scanStatus_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_siteId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_siteName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_userActionsNeeded_s", + "Type": "string" + }, + { + "Name": "indicators_s", + "Type": "string" + }, + { + "Name": "mitigationStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_analystVerdict_s", + "Type": "string" + }, + { + "Name": "threatInfo_analystVerdictDescription_s", + "Type": "string" + }, + { + "Name": 
"threatInfo_automaticallyResolved_b", + "Type": "bool" + }, + { + "Name": "threatInfo_certificateId_s", + "Type": "string" + }, + { + "Name": "threatInfo_classification_s", + "Type": "string" + }, + { + "Name": "threatInfo_classificationSource_s", + "Type": "string" + }, + { + "Name": "threatInfo_cloudFilesHashVerdict_s", + "Type": "string" + }, + { + "Name": "threatInfo_collectionId_s", + "Type": "string" + }, + { + "Name": "threatInfo_confidenceLevel_s", + "Type": "string" + }, + { + "Name": "threatInfo_createdAt_t", + "Type": "datetime" + }, + { + "Name": "threatInfo_detectionEngines_s", + "Type": "string" + }, + { + "Name": "threatInfo_detectionType_s", + "Type": "string" + }, + { + "Name": "threatInfo_engines_s", + "Type": "string" + }, + { + "Name": "threatInfo_externalTicketExists_b", + "Type": "bool" + }, + { + "Name": "threatInfo_failedActions_b", + "Type": "bool" + }, + { + "Name": "threatInfo_fileExtension_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileExtensionType_s", + "Type": "string" + }, + { + "Name": "threatInfo_filePath_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileSize_d", + "Type": "real" + }, + { + "Name": "threatInfo_fileVerificationType_s", + "Type": "string" + }, + { + "Name": "threatInfo_identifiedAt_t", + "Type": "datetime" + }, + { + "Name": "threatInfo_incidentStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_incidentStatusDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_initiatedBy_s", + "Type": "string" + }, + { + "Name": "threatInfo_initiatedByDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_isFileless_b", + "Type": "bool" + }, + { + "Name": "threatInfo_isValidCertificate_b", + "Type": "bool" + }, + { + "Name": "threatInfo_mitigatedPreemptively_b", + "Type": "bool" + }, + { + "Name": "threatInfo_mitigationStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_mitigationStatusDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_originatorProcess_s", 
+ "Type": "string" + }, + { + "Name": "threatInfo_pendingActions_b", + "Type": "bool" + }, + { + "Name": "threatInfo_processUser_s", + "Type": "string" + }, + { + "Name": "threatInfo_publisherName_s", + "Type": "string" + }, + { + "Name": "threatInfo_reachedEventsLimit_b", + "Type": "bool" + }, + { + "Name": "threatInfo_rebootRequired_b", + "Type": "bool" + }, + { + "Name": "threatInfo_sha1_s", + "Type": "string" + }, + { + "Name": "threatInfo_storyline_s", + "Type": "string" + }, + { + "Name": "threatInfo_threatId_s", + "Type": "string" + }, + { + "Name": "threatInfo_threatName_s", + "Type": "string" + }, + { + "Name": "threatInfo_updatedAt_t", + "Type": "datetime" + }, + { + "Name": "whiteningOptions_s", + "Type": "string" + }, + { + "Name": "threatInfo_maliciousProcessArguments_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileExtension_g", + "Type": "string" + }, + { + "Name": "threatInfo_threatName_g", + "Type": "string" + }, + { + "Name": "threatInfo_storyline_g", + "Type": "string" + }, + { + "Name": "activityUuid_g", + "Type": "string" + }, + { + "Name": "secondaryDescription_s", + "Type": "string" + }, + { + "Name": "DataFields_s", + "Type": "string" + }, + { + "Name": "description_s", + "Type": "string" + }, + { + "Name": "comments_s", + "Type": "string" + }, + { + "Name": "detectionState_s", + "Type": "string" + }, + { + "Name": "firstFullModeTime_t", + "Type": "datetime" + }, + { + "Name": "fullDiskScanLastUpdatedAt_t", + "Type": "datetime" + }, + { + "Name": "serialNumber_s", + "Type": "string" + }, + { + "Name": "showAlertIcon_b", + "Type": "bool" + }, + { + "Name": "tags_sentinelone_s", + "Type": "string" + }, + { + "Name": "osUsername_s", + "Type": "string" + }, + { + "Name": "scanAbortedAt_t", + "Type": "datetime" } ] } \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml index 23f0ff8dc39..1de3c05059e 100644 
--- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml
@@ -75,6 +75,6 @@ ParserQuery: |
  , ASimNetworkSessionMicrosoftSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))
  , ASimNetworkSessionForcePointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionForcePointFirewall' in (DisabledParsers) ))
  , ASimNetworkSessionNative (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNative' in (DisabledParsers) ))
- , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))
+ , ASimNetworkSessionSentinelOne (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne' in (DisabledParsers) ))
  };
  NetworkSessionsGeneric (pack=pack)
diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml
new file mode 100644
index 00000000000..150be2a66da
--- /dev/null
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml
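Review bot: The replaced line removes `ASimNetworkSessionCiscoMeraki` from the union instead of adding the new parser next to it, so Cisco Meraki network sessions silently vanish from `ASimNetworkSession` after this merges and any detection built on the unifying parser loses that source without an error; the hunk header (`-75,6 +75,6`) and the diffstat's `2 +-` confirm this is a substitution rather than an addition. Keep the existing line and append the new one: `, ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))` followed by `, ASimNetworkSessionSentinelOne (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne' in (DisabledParsers) ))`. The imNetworkSession.yaml hunk in this patch makes the same substitution for `vimNetworkSessionCiscoMeraki` and needs the same fix. The `union` this list belongs to starts outside the hunk.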
@@ -0,0 +1,100 @@ +Parser: + Title: Network Session ASIM filtering parser for SentinelOne + Version: '0.1.1' + LastUpdated: Jul 27 2023 +Product: + Name: SentinelOne +Normalization: + Schema: NetworkSession + Version: '0.2.6' +References: +- Title: ASIM Network Session Schema + Link: https://aka.ms/ASimNetworkSessionDoc +- Title: ASIM + Link: https:/aka.ms/AboutASIM +- Title: SentinelOne Documentation +- Link: https://.sentinelone.net/api-doc/overview +Description: | + This ASIM parser supports normalizing SentinelOne logs to the ASIM Network Session normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. +ParserName: ASimNetworkSessionSentinelOne +EquivalentBuiltInParser: _Im_NetworkSession_SentinelOne +ParserParams: + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let NetworkDirectionLookup = datatable ( + alertInfo_netEventDirection_s: string, + NetworkDirection: string + )[ + "OUTGOING", "Outbound", + "INCOMING", "Inbound", + ]; + let parser = (disabled: bool=false) { + SentinelOne_CL + | where not(disabled) + and event_name_s == "Alerts." 
+ and alertInfo_eventType_s == "TCPV4" + | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s + | extend + DstPortNumber = toint(alertInfo_dstPort_s), + SrcPortNumber = toint(alertInfo_srcPort_s), + AdditionalFields = bag_pack( + "MachineType", + agentDetectionInfo_machineType_s, + "OsRevision", + agentDetectionInfo_osRevision_s + ) + | project-rename + EventStartTime = sourceProcessInfo_pidStarttime_t, + DstIpAddr = alertInfo_dstIp_s, + DvcHostname = agentDetectionInfo_name_s, + EventUid = _ResourceId, + SrcIpAddr = alertInfo_srcIp_s, + DvcId = agentDetectionInfo_uuid_g, + DvcOs = agentDetectionInfo_osName_s, + DvcOsVersion = agentDetectionInfo_version_s, + EventOriginalSeverity = ruleInfo_severity_s, + EventOriginalUid = alertInfo_dvEventId_s, + SrcProcessName = sourceProcessInfo_name_s, + SrcProcessId = sourceProcessInfo_pid_s, + SrcUsername = sourceProcessInfo_user_s + | extend + EventEndTime = EventStartTime, + Dst = DstIpAddr, + DvcIpAddr = SrcIpAddr, + Src = SrcIpAddr, + SrcHostname = DvcHostname, + SrcDvcId = DvcId, + IpAddr = SrcIpAddr, + EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity), + SrcDvcIdType = iff(isnotempty(DvcId), "Other", ""), + DvcIdType = iff(isnotempty(DvcId), "Other", ""), + SrcUsernameType = _ASIM_GetUsernameType(SrcUsername) + | extend + Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr) + | extend + EventCount = int(1), + EventProduct = "SentinelOne", + EventResult = "Success", + EventSchema = "NetworkSession", + EventSchemaVersion = "0.2.6", + EventResultDetails = "Unknown", + EventType = "EndpointNetworkSession", + EventVendor = "SentinelOne", + NetworkProtocol = "TCP", + NetworkProtocolVersion = "IPv4" + | project-away + *_d, + *_s, + *_g, + *_t, + *_b, + TenantId, + RawData, + Computer, + MG, + ManagementGroupName, + SourceSystem + }; + parser(disabled = disabled) \ No newline at end of file 
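Review bot: The second `extend` aliases the reporting endpoint onto the source side unconditionally (`DvcIpAddr = SrcIpAddr`, `SrcHostname = DvcHostname`, `SrcDvcId = DvcId`), although the NetworkDirectionLookup at the top of the query admits INCOMING events, where the agent host is presumably the destination; for those rows the endpoint is attributed to the remote peer, which misleads any detection keyed on SrcIpAddr or SrcHostname. Choosing by direction, e.g. `DvcIpAddr = iff(NetworkDirection == "Inbound", DstIpAddr, SrcIpAddr)`, and filling DstHostname/DstDvcId rather than the Src aliases for inbound rows would fix it; vimNetworkSessionSentinelOne.yaml in this patch carries the same mapping. `EventUid = _ResourceId` identifies the ingesting Azure resource rather than the event, and the DataTest file added in this patch reports EventUid empty in 100% of records; since `alertInfo_dvEventId_s` already feeds EventOriginalUid, `alertInfo_alertId_s` from the custom table is the candidate to confirm. Two header issues: an ASim parser's `EquivalentBuiltInParser` should be `_ASim_NetworkSession_SentinelOne` rather than the `_Im_` name used by the vim variant, and the References entries `https:/aka.ms/AboutASIM` and `- Link: https://.sentinelone.net/api-doc/overview` are malformed (missing slash, stray dot, and the Link should sit under its Title item instead of forming a separate list entry).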
diff --git a/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml b/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml
index 4c89ff580e3..8cf0a13d5a9 100644
--- a/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml
@@ -108,6 +108,6 @@ ParserQuery: |
  , vimNetworkSessionCiscoASA (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoASA' in (DisabledParsers) ))
  , vimNetworkSessionForcePointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionForcePointFirewall' in (DisabledParsers) ))
  , vimNetworkSessionNative (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionNative' in (DisabledParsers) ))
- , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))
+ , vimNetworkSessionSentinelOne (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSentinelOne' in (DisabledParsers) ))
  };
  NetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack)
diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml
new file mode 100644
index 00000000000..4d91207b245
--- /dev/null
+++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml 
@@ -0,0 +1,175 @@ +Parser: + Title: Network Session ASIM filtering parser for SentinelOne + Version: '0.1.1' + LastUpdated: Jul 27 2023 +Product: + Name: SentinelOne +Normalization: + Schema: NetworkSession + Version: '0.2.6' +References: +- Title: ASIM Network Session Schema + Link: https://aka.ms/ASimNetworkSessionDoc +- Title: ASIM + Link: https:/aka.ms/AboutASIM +- Title: SentinelOne Documentation +- Link: https://.sentinelone.net/api-doc/overview +Description: | + This ASIM parser supports normalizing SentinelOne logs to the ASIM Network Session normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. +ParserName: vimNetworkSessionSentinelOne +EquivalentBuiltInParser: _Im_NetworkSession_SentinelOne +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: srcipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: dstipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: ipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: dstportnumber + Type: int + Default: int(null) + - Name: dvcaction + Type: dynamic + Default: dynamic([]) + - Name: hostname_has_any + Type: dynamic + Default: dynamic([]) + - Name: eventresult + Type: string + Default: '*' + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let NetworkDirectionLookup = datatable ( + alertInfo_netEventDirection_s: string, + NetworkDirection: string + )[ + "OUTGOING", "Outbound", + "INCOMING", "Inbound", + ]; + let parser=( + disabled: bool=false, + starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + eventresult: string='*', + srcipaddr_has_any_prefix: dynamic=dynamic([]), + dstipaddr_has_any_prefix: dynamic=dynamic([]), + 
ipaddr_has_any_prefix: dynamic=dynamic([]), + hostname_has_any: dynamic=dynamic([]), + dstportnumber: int=int(null), + dvcaction: dynamic=dynamic([]) + ) { + let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); + let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); + SentinelOne_CL + | where not(disabled) + and (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) or TimeGenerated <= endtime) + and event_name_s == "Alerts." + and alertInfo_eventType_s == "TCPV4" + and (eventresult == "*" or eventresult == "Success") + and (isnull(dstportnumber) or toint(alertInfo_dstPort_s) == dstportnumber) + and (array_length(hostname_has_any) == 0 or agentDetectionInfo_name_s has_any (hostname_has_any)) + and array_length(dvcaction) == 0 + | extend + temp_SrcMatch = has_any_ipv4_prefix(alertInfo_srcIp_s, src_or_any), + temp_DstMatch = has_any_ipv4_prefix(alertInfo_dstIp_s, dst_or_any) + | extend + ASimMatchingIpAddr=case( + array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, + "-", + temp_SrcMatch and temp_DstMatch, + "Both", + temp_SrcMatch, + "SrcIpAddr", + temp_DstMatch, + "DstIpAddr", + "No match" + ), + ASimMatchingHostname = "SrcHostname" + | where ASimMatchingIpAddr != "No match" + | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s + | extend + DstPortNumber = toint(alertInfo_dstPort_s), + SrcPortNumber = toint(alertInfo_srcPort_s), + AdditionalFields = bag_pack( + "MachineType", + agentDetectionInfo_machineType_s, + "OsRevision", + agentDetectionInfo_osRevision_s + ) + | project-rename + EventStartTime = sourceProcessInfo_pidStarttime_t, + DstIpAddr = alertInfo_dstIp_s, + DvcHostname = agentDetectionInfo_name_s, + EventUid = _ResourceId, + SrcIpAddr = alertInfo_srcIp_s, + DvcId = agentDetectionInfo_uuid_g, + DvcOs = agentDetectionInfo_osName_s, + DvcOsVersion = agentDetectionInfo_version_s, + EventOriginalSeverity = ruleInfo_severity_s, + EventOriginalUid = 
alertInfo_dvEventId_s, + SrcProcessName = sourceProcessInfo_name_s, + SrcProcessId = sourceProcessInfo_pid_s, + SrcUsername = sourceProcessInfo_user_s + | extend + EventEndTime = EventStartTime, + Dst = DstIpAddr, + DvcIpAddr = SrcIpAddr, + Src = SrcIpAddr, + SrcHostname = DvcHostname, + SrcDvcId = DvcId, + IpAddr = SrcIpAddr, + EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity), + SrcDvcIdType = iff(isnotempty(DvcId), "Other", ""), + DvcIdType = iff(isnotempty(DvcId), "Other", ""), + SrcUsernameType = _ASIM_GetUsernameType(SrcUsername) + | extend + Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr) + | extend + EventCount = int(1), + EventProduct = "SentinelOne", + EventResult = "Success", + EventSchema = "NetworkSession", + EventSchemaVersion = "0.2.6", + EventResultDetails = "Unknown", + EventType = "EndpointNetworkSession", + EventVendor = "SentinelOne", + NetworkProtocol = "TCP", + NetworkProtocolVersion = "IPv4" + | project-away + *_d, + *_s, + *_g, + *_t, + *_b, + temp*, + TenantId, + RawData, + Computer, + MG, + ManagementGroupName, + SourceSystem + }; + parser( + disabled=disabled, + starttime=starttime, + endtime=endtime, + eventresult=eventresult, + srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, + dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, + ipaddr_has_any_prefix=ipaddr_has_any_prefix, + hostname_has_any=hostname_has_any, + dstportnumber=dstportnumber, + dvcaction=dvcaction + ) \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv new file mode 100644 index 00000000000..10ca146e0a8 --- /dev/null +++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv 
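Review bot: `ASimMatchingHostname = "SrcHostname"` is assigned unconditionally, while `ASimMatchingIpAddr` on the lines just above returns "-" when no IP filter was supplied; the hostname marker should follow the same convention, `ASimMatchingHostname = iff(array_length(hostname_has_any) == 0, "-", "SrcHostname")`, otherwise consumers cannot tell a filtered match from an unfiltered row. The filter `eventresult == "*" or eventresult == "Success"` together with the constant `EventResult = "Success"` means every session this parser emits reads as an allowed connection; if SentinelOne alerts can carry a mitigation outcome, that fixed value deserves a sentence in the Description so analysts do not over-trust it. The Parser/References header repeats the malformed links of ASimNetworkSessionSentinelOne.yaml in this patch and should be corrected alongside it.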
@@ -0,0 +1,8 @@ +Result +"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [DvcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [SrcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)" +"(2) Info: Empty value in 10986 records (96.52%) in optional field [SrcUsername] (Schema:NetworkSession)" +"(2) Info: Empty value in 11382 records (100.0%) in recommended field [EventUid] (Schema:NetworkSession)" +"(2) Info: Empty value in 2 records (0.02%) in optional field [SrcProcessName] (Schema:NetworkSession)" diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv new file mode 100644 index 00000000000..193b198240e --- /dev/null +++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv 
@@ -0,0 +1,114 @@
+Result
+"(1) Warning: Missing recommended field [ASimMatchingHostname]"
+"(1) Warning: Missing recommended field [ASimMatchingIpAddr]"
+"(1) Warning: Missing recommended field [DstDomain]"
+"(1) Warning: Missing recommended field [DstHostname]"
+"(1) Warning: Missing recommended field [DvcDomain]"
+"(1) Warning: Missing recommended field [SrcDomain]"
+"(2) Info: Missing optional alias [Duration] aliasing non-existent column [NetworkDuration]"
+"(2) Info: Missing optional alias [InnerVlanId] aliasing non-existent column [SrcVlanId]"
+"(2) Info: Missing optional alias [OuterVlanId] aliasing non-existent column [DstVlanId]"
+"(2) Info: Missing optional alias [SessionId] aliasing non-existent column [NetworkSessionId]"
+"(2) Info: Missing optional alias [User] aliasing non-existent column [DstUsername]"
+"(2) Info: Missing optional field [DstAppId]"
+"(2) Info: Missing optional field [DstAppName]"
+"(2) Info: Missing optional field [DstAppType]"
+"(2) Info: Missing optional field [DstBytes]"
+"(2) Info: Missing optional field [DstDescription]"
+"(2) Info: Missing optional field [DstDeviceType]"
+"(2) Info: Missing optional field [DstDvcId]"
+"(2) Info: Missing optional field [DstFQDN]"
+"(2) Info: Missing optional field [DstGeoCity]"
+"(2) Info: Missing optional field [DstGeoCountry]"
+"(2) Info: Missing optional field [DstGeoLatitude]"
+"(2) Info: Missing optional field [DstGeoLongitude]"
+"(2) Info: Missing optional field [DstGeoRegion]"
+"(2) Info: Missing optional field [DstInterfaceGuid]"
+"(2) Info: Missing optional field [DstInterfaceName]"
+"(2) Info: Missing optional field [DstMacAddr]"
+"(2) Info: Missing optional field [DstNatIpAddr]"
+"(2) Info: Missing optional field [DstNatPortNumber]"
+"(2) Info: Missing optional field [DstOriginalUserType]"
+"(2) Info: Missing optional field [DstPackets]"
+"(2) Info: Missing optional field [DstProcessGuid]"
+"(2) Info: Missing optional field [DstProcessId]"
+"(2) Info: Missing optional field [DstProcessName]"
+"(2) Info: Missing optional field [DstScopeId]"
+"(2) Info: Missing optional field [DstUserId]"
+"(2) Info: Missing optional field [DstUserType]"
+"(2) Info: Missing optional field [DstUsername]"
+"(2) Info: Missing optional field [DstVlanId]"
+"(2) Info: Missing optional field [DstZone]"
+"(2) Info: Missing optional field [DvcAction]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcFQDN]"
+"(2) Info: Missing optional field [DvcInboundInterface]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcOriginalAction]"
+"(2) Info: Missing optional field [DvcOutboundInterface]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcScope]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventMessage]"
+"(2) Info: Missing optional field [EventOriginalResultDetails]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventOriginalType]"
+"(2) Info: Missing optional field [EventOwner]"
+"(2) Info: Missing optional field [EventProductVersion]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [NetworkApplicationProtocol]"
+"(2) Info: Missing optional field [NetworkBytes]"
+"(2) Info: Missing optional field [NetworkConnectionHistory]"
+"(2) Info: Missing optional field [NetworkDuration]"
+"(2) Info: Missing optional field [NetworkIcmpCode]"
+"(2) Info: Missing optional field [NetworkIcmpType]"
+"(2) Info: Missing optional field [NetworkPackets]"
+"(2) Info: Missing optional field [NetworkRuleName]"
+"(2) Info: Missing optional field [NetworkRuleNumber]"
+"(2) Info: Missing optional field [NetworkSessionId]"
+"(2) Info: Missing optional field [Rule]"
+"(2) Info: Missing optional field [SrcAppId]"
+"(2) Info: Missing optional field [SrcAppName]"
+"(2) Info: Missing optional field [SrcAppType]"
+"(2) Info: Missing optional field [SrcBytes]"
+"(2) Info: Missing optional field [SrcDescription]"
+"(2) Info: Missing optional field [SrcDeviceType]"
+"(2) Info: Missing optional field [SrcFQDN]"
+"(2) Info: Missing optional field [SrcGeoCity]"
+"(2) Info: Missing optional field [SrcGeoCountry]"
+"(2) Info: Missing optional field [SrcGeoLatitude]"
+"(2) Info: Missing optional field [SrcGeoLongitude]"
+"(2) Info: Missing optional field [SrcGeoRegion]"
+"(2) Info: Missing optional field [SrcInterfaceGuid]"
+"(2) Info: Missing optional field [SrcInterfaceName]"
+"(2) Info: Missing optional field [SrcMacAddr]"
+"(2) Info: Missing optional field [SrcNatIpAddr]"
+"(2) Info: Missing optional field [SrcNatPortNumber]"
+"(2) Info: Missing optional field [SrcOriginalUserType]"
+"(2) Info: Missing optional field [SrcPackets]"
+"(2) Info: Missing optional field [SrcProcessGuid]"
+"(2) Info: Missing optional field [SrcScopeId]"
+"(2) Info: Missing optional field [SrcUserId]"
+"(2) Info: Missing optional field [SrcUserType]"
+"(2) Info: Missing optional field [SrcVlanId]"
+"(2) Info: Missing optional field [SrcZone]"
+"(2) Info: Missing optional field [TcpFlagsAck]"
+"(2) Info: Missing optional field [TcpFlagsFin]"
+"(2) Info: Missing optional field [TcpFlagsPsh]"
+"(2) Info: Missing optional field [TcpFlagsRst]"
+"(2) Info: Missing optional field [TcpFlagsSyn]"
+"(2) Info: Missing optional field [TcpFlagsUrg]"
+"(2) Info: Missing optional field [ThreatCategory]"
+"(2) Info: Missing optional field [ThreatConfidence]"
+"(2) Info: Missing optional field [ThreatFirstReportedTime]"
+"(2) Info: Missing optional field [ThreatId]"
+"(2) Info: Missing optional field [ThreatIpAddr]"
+"(2) Info: Missing optional field [ThreatIsActive]"
+"(2) Info: Missing optional field [ThreatLastReportedTime]"
+"(2) Info: Missing optional field [ThreatName]"
+"(2) Info: Missing optional field [ThreatOriginalConfidence]"
+"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
+"(2) Info: Missing optional field [ThreatRiskLevel]"
+"(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [DstHostname]"
diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv
new file mode 100644
index 00000000000..10ca146e0a8
--- /dev/null
+++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv
@@ -0,0 +1,8 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [DvcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 9664 records (84.91%) for field [SrcHostname] of type [Hostname]: [""cent7splunk.ecsp33147.local""] (Schema:NetworkSession)"
+"(2) Info: Empty value in 10986 records (96.52%) in optional field [SrcUsername] (Schema:NetworkSession)"
+"(2) Info: Empty value in 11382 records (100.0%) in recommended field [EventUid] (Schema:NetworkSession)"
+"(2) Info: Empty value in 2 records (0.02%) in optional field [SrcProcessName] (Schema:NetworkSession)"
diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv
new file mode 100644
index 00000000000..f2db7436c48
--- /dev/null
+++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv
@@ -0,0 +1,112 @@
+Result
+"(1) Warning: Missing recommended field [DstDomain]"
+"(1) Warning: Missing recommended field [DstHostname]"
+"(1) Warning: Missing recommended field [DvcDomain]"
+"(1) Warning: Missing recommended field [SrcDomain]"
+"(2) Info: Missing optional alias [Duration] aliasing non-existent column [NetworkDuration]"
+"(2) Info: Missing optional alias [InnerVlanId] aliasing non-existent column [SrcVlanId]"
+"(2) Info: Missing optional alias [OuterVlanId] aliasing non-existent column [DstVlanId]"
+"(2) Info: Missing optional alias [SessionId] aliasing non-existent column [NetworkSessionId]"
+"(2) Info: Missing optional alias [User] aliasing non-existent column [DstUsername]"
+"(2) Info: Missing optional field [DstAppId]"
+"(2) Info: Missing optional field [DstAppName]"
+"(2) Info: Missing optional field [DstAppType]"
+"(2) Info: Missing optional field [DstBytes]"
+"(2) Info: Missing optional field [DstDescription]"
+"(2) Info: Missing optional field [DstDeviceType]"
+"(2) Info: Missing optional field [DstDvcId]"
+"(2) Info: Missing optional field [DstFQDN]"
+"(2) Info: Missing optional field [DstGeoCity]"
+"(2) Info: Missing optional field [DstGeoCountry]"
+"(2) Info: Missing optional field [DstGeoLatitude]"
+"(2) Info: Missing optional field [DstGeoLongitude]"
+"(2) Info: Missing optional field [DstGeoRegion]"
+"(2) Info: Missing optional field [DstInterfaceGuid]"
+"(2) Info: Missing optional field [DstInterfaceName]"
+"(2) Info: Missing optional field [DstMacAddr]"
+"(2) Info: Missing optional field [DstNatIpAddr]"
+"(2) Info: Missing optional field [DstNatPortNumber]"
+"(2) Info: Missing optional field [DstOriginalUserType]"
+"(2) Info: Missing optional field [DstPackets]"
+"(2) Info: Missing optional field [DstProcessGuid]"
+"(2) Info: Missing optional field [DstProcessId]"
+"(2) Info: Missing optional field [DstProcessName]"
+"(2) Info: Missing optional field [DstScopeId]"
+"(2) Info: Missing optional field [DstUserId]"
+"(2) Info: Missing optional field [DstUserType]"
+"(2) Info: Missing optional field [DstUsername]"
+"(2) Info: Missing optional field [DstVlanId]"
+"(2) Info: Missing optional field [DstZone]"
+"(2) Info: Missing optional field [DvcAction]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcFQDN]"
+"(2) Info: Missing optional field [DvcInboundInterface]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcOriginalAction]"
+"(2) Info: Missing optional field [DvcOutboundInterface]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcScope]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventMessage]"
+"(2) Info: Missing optional field [EventOriginalResultDetails]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventOriginalType]"
+"(2) Info: Missing optional field [EventOwner]"
+"(2) Info: Missing optional field [EventProductVersion]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [NetworkApplicationProtocol]"
+"(2) Info: Missing optional field [NetworkBytes]"
+"(2) Info: Missing optional field [NetworkConnectionHistory]"
+"(2) Info: Missing optional field [NetworkDuration]"
+"(2) Info: Missing optional field [NetworkIcmpCode]"
+"(2) Info: Missing optional field [NetworkIcmpType]"
+"(2) Info: Missing optional field [NetworkPackets]"
+"(2) Info: Missing optional field [NetworkRuleName]"
+"(2) Info: Missing optional field [NetworkRuleNumber]"
+"(2) Info: Missing optional field [NetworkSessionId]"
+"(2) Info: Missing optional field [Rule]"
+"(2) Info: Missing optional field [SrcAppId]"
+"(2) Info: Missing optional field [SrcAppName]"
+"(2) Info: Missing optional field [SrcAppType]"
+"(2) Info: Missing optional field [SrcBytes]"
+"(2) Info: Missing optional field [SrcDescription]"
+"(2) Info: Missing optional field [SrcDeviceType]"
+"(2) Info: Missing optional field [SrcFQDN]"
+"(2) Info: Missing optional field [SrcGeoCity]"
+"(2) Info: Missing optional field [SrcGeoCountry]"
+"(2) Info: Missing optional field [SrcGeoLatitude]"
+"(2) Info: Missing optional field [SrcGeoLongitude]"
+"(2) Info: Missing optional field [SrcGeoRegion]"
+"(2) Info: Missing optional field [SrcInterfaceGuid]"
+"(2) Info: Missing optional field [SrcInterfaceName]"
+"(2) Info: Missing optional field [SrcMacAddr]"
+"(2) Info: Missing optional field [SrcNatIpAddr]"
+"(2) Info: Missing optional field [SrcNatPortNumber]"
+"(2) Info: Missing optional field [SrcOriginalUserType]"
+"(2) Info: Missing optional field [SrcPackets]"
+"(2) Info: Missing optional field [SrcProcessGuid]"
+"(2) Info: Missing optional field [SrcScopeId]"
+"(2) Info: Missing optional field [SrcUserId]"
+"(2) Info: Missing optional field [SrcUserType]"
+"(2) Info: Missing optional field [SrcVlanId]"
+"(2) Info: Missing optional field [SrcZone]"
+"(2) Info: Missing optional field [TcpFlagsAck]"
+"(2) Info: Missing optional field [TcpFlagsFin]"
+"(2) Info: Missing optional field [TcpFlagsPsh]"
+"(2) Info: Missing optional field [TcpFlagsRst]"
+"(2) Info: Missing optional field [TcpFlagsSyn]"
+"(2) Info: Missing optional field [TcpFlagsUrg]"
+"(2) Info: Missing optional field [ThreatCategory]"
+"(2) Info: Missing optional field [ThreatConfidence]"
+"(2) Info: Missing optional field [ThreatFirstReportedTime]"
+"(2) Info: Missing optional field [ThreatId]"
+"(2) Info: Missing optional field [ThreatIpAddr]"
+"(2) Info: Missing optional field [ThreatIsActive]"
+"(2) Info: Missing optional field [ThreatLastReportedTime]"
+"(2) Info: Missing optional field [ThreatName]"
+"(2) Info: Missing optional field [ThreatOriginalConfidence]"
+"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
+"(2) Info: Missing optional field [ThreatRiskLevel]"
+"(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [DstHostname]"
diff --git a/Sample Data/ASIM/SentinelOne_ASimNetworkSession_IngestedLogs.csv b/Sample Data/ASIM/SentinelOne_ASimNetworkSession_IngestedLogs.csv
new file mode 100644
index 00000000000..b78c519ba01
--- /dev/null
+++ b/Sample Data/ASIM/SentinelOne_ASimNetworkSession_IngestedLogs.csv
@@ -0,0 +1,21 @@ +TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,alertInfo_indicatorDescription_s,alertInfo_indicatorName_s,targetProcessInfo_tgtFileOldPath_s,alertInfo_indicatorCategory_s,alertInfo_registryOldValue_g,alertInfo_dstIp_s,alertInfo_dstPort_s,alertInfo_netEventDirection_s,alertInfo_srcIp_s,alertInfo_srcPort_s,containerInfo_id_s,targetProcessInfo_tgtFileId_g,alertInfo_registryOldValue_s,alertInfo_registryOldValueType_s,alertInfo_dnsRequest_s,alertInfo_dnsResponse_s,alertInfo_registryKeyPath_s,alertInfo_registryPath_s,alertInfo_registryValue_g,ruleInfo_description_s,alertInfo_registryValue_s,alertInfo_loginAccountDomain_s,alertInfo_loginAccountSid_s,alertInfo_loginIsAdministratorEquivalent_s,alertInfo_loginIsSuccessful_s,alertInfo_loginType_s,alertInfo_loginsUserName_s,alertInfo_srcMachineIp_s,targetProcessInfo_tgtProcCmdLine_s,targetProcessInfo_tgtProcImagePath_s,targetProcessInfo_tgtProcName_s,targetProcessInfo_tgtProcPid_s,targetProcessInfo_tgtProcSignedStatus_s,targetProcessInfo_tgtProcStorylineId_s,targetProcessInfo_tgtProcUid_s,sourceParentProcessInfo_storyline_g,sourceParentProcessInfo_uniqueId_g,sourceProcessInfo_storyline_g,sourceProcessInfo_uniqueId_g,targetProcessInfo_tgtProcStorylineId_g,targetProcessInfo_tgtProcUid_g,agentDetectionInfo_machineType_s,agentDetectionInfo_name_s,agentDetectionInfo_osFamily_s,agentDetectionInfo_osName_s,agentDetectionInfo_osRevision_s,agentDetectionInfo_uuid_g,agentDetectionInfo_version_s,agentRealtimeInfo_id_s,agentRealtimeInfo_infected_b,agentRealtimeInfo_isActive_b,agentRealtimeInfo_isDecommissioned_b,agentRealtimeInfo_machineType_s,agentRealtimeInfo_name_s,agentRealtimeInfo_os_s,agentRealtimeInfo_uuid_g,alertInfo_alertId_s,alertInfo_analystVerdict_s,alertInfo_createdAt_t [UTC],alertInfo_dvEventId_s,alertInfo_eventType_s,alertInfo_hitType_s,alertInfo_incidentStatus_s,alertInfo_isEdr_b,alertInfo_reportedAt_t [UTC],alertInfo_source_s,alertInfo_updatedAt_t 
[UTC],ruleInfo_id_s,ruleInfo_name_s,ruleInfo_queryLang_s,ruleInfo_queryType_s,ruleInfo_s1ql_s,ruleInfo_scopeLevel_s,ruleInfo_severity_s,ruleInfo_treatAsThreat_s,sourceParentProcessInfo_commandline_s,sourceParentProcessInfo_fileHashMd5_g,sourceParentProcessInfo_fileHashSha1_s,sourceParentProcessInfo_fileHashSha256_s,sourceParentProcessInfo_filePath_s,sourceParentProcessInfo_fileSignerIdentity_s,sourceParentProcessInfo_integrityLevel_s,sourceParentProcessInfo_name_s,sourceParentProcessInfo_pid_s,sourceParentProcessInfo_pidStarttime_t [UTC],sourceParentProcessInfo_storyline_s,sourceParentProcessInfo_subsystem_s,sourceParentProcessInfo_uniqueId_s,sourceParentProcessInfo_user_s,sourceProcessInfo_commandline_s,sourceProcessInfo_fileHashMd5_g,sourceProcessInfo_fileHashSha1_s,sourceProcessInfo_fileHashSha256_s,sourceProcessInfo_filePath_s,sourceProcessInfo_fileSignerIdentity_s,sourceProcessInfo_integrityLevel_s,sourceProcessInfo_name_s,sourceProcessInfo_pid_s,sourceProcessInfo_pidStarttime_t [UTC],sourceProcessInfo_storyline_s,sourceProcessInfo_subsystem_s,sourceProcessInfo_uniqueId_s,sourceProcessInfo_user_s,targetProcessInfo_tgtFileCreatedAt_t [UTC],targetProcessInfo_tgtFileHashSha1_s,targetProcessInfo_tgtFileHashSha256_s,targetProcessInfo_tgtFileId_s,targetProcessInfo_tgtFileIsSigned_s,targetProcessInfo_tgtFileModifiedAt_t [UTC],targetProcessInfo_tgtFilePath_s,targetProcessInfo_tgtProcIntegrityLevel_s,targetProcessInfo_tgtProcessStartTime_t 
[UTC],agentUpdatedVersion_s,agentId_s,hash_s,osFamily_s,threatId_s,creator_s,creatorId_s,inherits_b,isDefault_b,name_s,registrationToken_s,totalAgents_d,type_s,agentDetectionInfo_accountId_s,agentDetectionInfo_accountName_s,agentDetectionInfo_agentDetectionState_s,agentDetectionInfo_agentDomain_s,agentDetectionInfo_agentIpV4_s,agentDetectionInfo_agentIpV6_s,agentDetectionInfo_agentLastLoggedInUserName_s,agentDetectionInfo_agentMitigationMode_s,agentDetectionInfo_agentOsName_s,agentDetectionInfo_agentOsRevision_s,agentDetectionInfo_agentRegisteredAt_t [UTC],agentDetectionInfo_agentUuid_g,agentDetectionInfo_agentVersion_s,agentDetectionInfo_externalIp_s,agentDetectionInfo_groupId_s,agentDetectionInfo_groupName_s,agentDetectionInfo_siteId_s,agentDetectionInfo_siteName_s,agentRealtimeInfo_accountId_s,agentRealtimeInfo_accountName_s,agentRealtimeInfo_activeThreats_d,agentRealtimeInfo_agentComputerName_s,agentRealtimeInfo_agentDomain_s,agentRealtimeInfo_agentId_s,agentRealtimeInfo_agentInfected_b,agentRealtimeInfo_agentIsActive_b,agentRealtimeInfo_agentIsDecommissioned_b,agentRealtimeInfo_agentMachineType_s,agentRealtimeInfo_agentMitigationMode_s,agentRealtimeInfo_agentNetworkStatus_s,agentRealtimeInfo_agentOsName_s,agentRealtimeInfo_agentOsRevision_s,agentRealtimeInfo_agentOsType_s,agentRealtimeInfo_agentUuid_g,agentRealtimeInfo_agentVersion_s,agentRealtimeInfo_groupId_s,agentRealtimeInfo_groupName_s,agentRealtimeInfo_networkInterfaces_s,agentRealtimeInfo_operationalState_s,agentRealtimeInfo_rebootRequired_b,agentRealtimeInfo_scanFinishedAt_t [UTC],agentRealtimeInfo_scanStartedAt_t 
[UTC],agentRealtimeInfo_scanStatus_s,agentRealtimeInfo_siteId_s,agentRealtimeInfo_siteName_s,agentRealtimeInfo_userActionsNeeded_s,indicators_s,mitigationStatus_s,threatInfo_analystVerdict_s,threatInfo_analystVerdictDescription_s,threatInfo_automaticallyResolved_b,threatInfo_certificateId_s,threatInfo_classification_s,threatInfo_classificationSource_s,threatInfo_cloudFilesHashVerdict_s,threatInfo_collectionId_s,threatInfo_confidenceLevel_s,threatInfo_createdAt_t [UTC],threatInfo_detectionEngines_s,threatInfo_detectionType_s,threatInfo_engines_s,threatInfo_externalTicketExists_b,threatInfo_failedActions_b,threatInfo_fileExtension_s,threatInfo_fileExtensionType_s,threatInfo_filePath_s,threatInfo_fileSize_d,threatInfo_fileVerificationType_s,threatInfo_identifiedAt_t [UTC],threatInfo_incidentStatus_s,threatInfo_incidentStatusDescription_s,threatInfo_initiatedBy_s,threatInfo_initiatedByDescription_s,threatInfo_isFileless_b,threatInfo_isValidCertificate_b,threatInfo_mitigatedPreemptively_b,threatInfo_mitigationStatus_s,threatInfo_mitigationStatusDescription_s,threatInfo_originatorProcess_s,threatInfo_pendingActions_b,threatInfo_processUser_s,threatInfo_publisherName_s,threatInfo_reachedEventsLimit_b,threatInfo_rebootRequired_b,threatInfo_sha1_s,threatInfo_storyline_s,threatInfo_threatId_s,threatInfo_threatName_s,threatInfo_updatedAt_t [UTC],whiteningOptions_s,threatInfo_maliciousProcessArguments_s,threatInfo_fileExtension_g,threatInfo_threatName_g,threatInfo_storyline_g,accountId_s,accountName_s,activityType_d,activityUuid_g,createdAt_t [UTC],id_s,primaryDescription_s,secondaryDescription_s,siteId_s,siteName_s,updatedAt_t 
[UTC],userId_s,event_name_s,DataFields_s,description_s,comments_s,activeDirectory_computerMemberOf_s,activeDirectory_lastUserMemberOf_s,activeThreats_d,agentVersion_s,allowRemoteShell_b,appsVulnerabilityStatus_s,computerName_s,consoleMigrationStatus_s,coreCount_d,cpuCount_d,cpuId_s,detectionState_s,domain_s,encryptedApplications_b,externalId_s,externalIp_s,firewallEnabled_b,firstFullModeTime_t [UTC],fullDiskScanLastUpdatedAt_t [UTC],groupId_s,groupIp_s,groupName_s,inRemoteShellSession_b,infected_b,installerType_s,isActive_b,isDecommissioned_b,isPendingUninstall_b,isUninstalled_b,isUpToDate_b,lastActiveDate_t [UTC],lastIpToMgmt_s,lastLoggedInUserName_s,licenseKey_s,locationEnabled_b,locationType_s,locations_s,machineType_s,mitigationMode_s,mitigationModeSuspicious_s,modelName_s,networkInterfaces_s,networkQuarantineEnabled_b,networkStatus_s,operationalState_s,osArch_s,osName_s,osRevision_s,osStartTime_t [UTC],osType_s,rangerStatus_s,rangerVersion_s,registeredAt_t [UTC],remoteProfilingState_s,scanFinishedAt_t [UTC],scanStartedAt_t [UTC],scanStatus_s,serialNumber_s,showAlertIcon_b,tags_sentinelone_s,threatRebootRequired_b,totalMemory_d,userActionsNeeded_s,uuid_g,osUsername_s,scanAbortedAt_t [UTC],activeDirectory_computerDistinguishedName_s,activeDirectory_lastUserDistinguishedName_s,Type,_ResourceId +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 5:10:03 AM",,,,,,,,1.1.1.1,21,OUTGOING,2.2.2.1,11,,,,,,,,,,,,,,,,,,,,,,,,,,747ffc62-5417-49b6-b4ea-5109c4ec9e4f,747ffc61-1824-0304-10ba-8cc565a15646,7487986b-0982-122d-e993-6113156f70ed,7488937b-7a34-81e9-e4c7-434a2e49cf39,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1736709934432915550,Undefined,"7/25/2023, 4:52:24 AM",01H65P81VTDWS403SH4ZN0JS9T_0,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 4:52:37 AM",STAR,"7/25/2023, 4:52:37 
AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED, /usr/lib/systemd/systemd --switched-root --system --deserialize 22,,d00e622d514a3351de5cede74496dd50c65fbabb,,/usr/lib/systemd/systemd,,unknown,systemd,1,"7/24/2023, 4:49:44 AM",,unknown,,, /usr/local/demisto/d1_Test2/d1,,27141d28091ab8527a01da1f02a2e8cf5a2bc95a,,/usr/local/demisto/d1_Test2/d1,,unknown,d1,1279,"7/24/2023, 4:50:27 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.2,22,OUTGOING,2.2.2.2,12,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738442842154293,Undefined,"7/25/2023, 5:49:10 AM",01H65SG50RP78BRBAJ4ZGDQGGF_10,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:16 AM",STAR,"7/25/2023, 5:49:16 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\System32\svchost.exe -k netprofm -p -s 
netprofm,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,2084,"7/17/2023, 10:22:47 AM",D83C0EF580778F51,sys_win32,D73C0EF580778F51,NT AUTHORITY\NETWORK SERVICE,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.3,23,OUTGOING,2.2.2.3,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738444335326608,Undefined,"7/25/2023, 5:49:14 AM",01H65SGAGCE4JDGCGC1GCKNT9S_22,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:16 AM",STAR,"7/25/2023, 5:49:16 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\System32\svchost.exe -k utcsvc -p,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,4604,"7/17/2023, 10:22:49 AM",553D0EF580778F51,sys_win32,543D0EF580778F51,NT 
AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.4,23,OUTGOING,2.2.2.4,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738445736224238,Undefined,"7/25/2023, 5:49:09 AM",01H65SG2PQ023350V5K0TTCRKP_16,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:16 AM",STAR,"7/25/2023, 5:49:16 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,sihost.exe,e5a23407-157b-23f3-c244-1d412163e4ee,e8d9750e757e5b580c56521a81ed0cc41d327d82,51eb6455bdca85d3102a00b1ce89969016efc3ed8b08b24a2aa10e03ba1e2b13,C:\Windows\System32\sihost.exe,MICROSOFT WINDOWS,medium,sihost.exe,3160,"7/21/2023, 4:49:44 AM",9C8612F580778F51,sys_win32,9B8612F580778F51,CLO007\Crest,"""C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca",0d7ce0d4-741a-a223-0f5a-618a796f4739,f456a426618804abec06fd5883219c4c6eace180,8b5b969143e22d8f27d919948e30aff8594c15c3c69b42bbafa23551e1dc0c68,C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe,MICROSOFT WINDOWS,low,SearchHost.exe,1160,"7/21/2023, 4:49:46 AM",CD8712F580778F51,sys_win32,CC8712F580778F51,CLO007\Crest,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 
AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.5,23,OUTGOING,2.2.2.5,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738460617615382,Undefined,"7/25/2023, 5:49:14 AM",01H65SGAGCE4JDGCGC1GCKNT9S_32,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:18 AM",STAR,"7/25/2023, 5:49:18 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\system32\svchost.exe -k NetworkService -p,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,1576,"7/17/2023, 10:22:47 AM",B83C0EF580778F51,sys_win32,B73C0EF580778F51,NT AUTHORITY\NETWORK SERVICE,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 
6:00:06 AM",,,,,,,,1.1.1.6,23,OUTGOING,2.2.2.6,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738491395419873,Undefined,"7/25/2023, 5:49:11 AM",01H65SG9CAMBQHFPH0TJD6EYXN_425,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:22 AM",STAR,"7/25/2023, 5:49:22 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,"""C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.82\msedgewebview2.exe"" --embedded-browser-webview=1 --webview-exe-name=msteams.exe --webview-exe-version=23119.303.2080.2726 --user-data-dir=""C:\Users\Crest\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView"" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --edge-webview-custom-scheme --disable-features=MojoIpcz,msWebOOUI --edge-webview-is-background --enable-features=msSingleSignOnOSForPrimaryAccountIsShared,msEdgeFluentOverlayScrollbar,msWebView2CodeCache,msWebView2EnableDraggableRegions --mojo-named-platform-channel-pipe=9452.304.14872043078598792820 /pfhostedapp:e7e952ed836442a682dca713cb7c4d91d21a087a",0f259745-8e7a-c81b-049d-45ef5b291246,bbd88a2a41c94d4140ccaef71bfb771e0ccc5c32,0ce0ef234aba4bf60f1c48a058ce764d52e91078e95312de4db4b0911f4cc7d4,C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.82\msedgewebview2.exe,MICROSOFT CORPORATION,medium,msedgewebview2.exe,7280,"7/25/2023, 5:36:56 AM",C9B312F580778F51,sys_win32,CFB512F580778F51,CLO007\Crest,"""C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.82\msedgewebview2.exe"" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs 
--user-data-dir=""C:\Users\Crest\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView"" --webview-exe-name=msteams.exe --webview-exe-version=23119.303.2080.2726 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --edge-webview-custom-scheme --mojo-platform-channel-handle=2072 --field-trial-handle=1892,i,4999416576109179693,17961817705433260896,262144 --enable-features=msEdgeFluentOverlayScrollbar,msSingleSignOnOSForPrimaryAccountIsShared,msWebView2CodeCache,msWebView2EnableDraggableRegions --disable-features=MojoIpcz,msWebOOUI /prefetch:3 /pfhostedapp:e7e952ed836442a682dca713cb7c4d91d21a087a",0f259745-8e7a-c81b-049d-45ef5b291246,bbd88a2a41c94d4140ccaef71bfb771e0ccc5c32,0ce0ef234aba4bf60f1c48a058ce764d52e91078e95312de4db4b0911f4cc7d4,C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.82\msedgewebview2.exe,MICROSOFT CORPORATION,medium,msedgewebview2.exe,4144,"7/25/2023, 5:36:56 AM",C9B312F580778F51,sys_win32,EAB512F580778F51,CLO007\Crest,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.7,23,OUTGOING,2.2.2.7,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738492846649072,Undefined,"7/25/2023, 5:49:10 AM",01H65SG50RP78BRBAJ4ZGDQGGF_8,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:22 AM",STAR,"7/25/2023, 5:49:22 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP 
Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\system32\svchost.exe -k NetworkService -p,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,2692,"7/17/2023, 10:22:48 AM",FC3C0EF580778F51,sys_win32,FB3C0EF580778F51,NT AUTHORITY\NETWORK SERVICE,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.8,23,OUTGOING,2.2.2.8,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738499473649861,Undefined,"7/25/2023, 5:49:14 AM",01H65SGAGCE4JDGCGC1GCKNT9S_3,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:23 AM",STAR,"7/25/2023, 5:49:23 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 
AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\System32\svchost.exe -k NetworkService -p,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,8620,"7/17/2023, 10:33:11 AM",4E4B0EF580778F51,sys_win32,4D4B0EF580778F51,NT AUTHORITY\NETWORK SERVICE,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.9,23,OUTGOING,2.2.2.9,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738500874547448,Undefined,"7/25/2023, 5:49:11 AM",01H65SG9CAMBQHFPH0TJD6EYXN_432,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:23 AM",STAR,"7/25/2023, 5:49:23 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,sihost.exe,e5a23407-157b-23f3-c244-1d412163e4ee,e8d9750e757e5b580c56521a81ed0cc41d327d82,51eb6455bdca85d3102a00b1ce89969016efc3ed8b08b24a2aa10e03ba1e2b13,C:\Windows\System32\sihost.exe,MICROSOFT WINDOWS,medium,sihost.exe,13788,"7/25/2023, 5:36:13 AM",B2B112F580778F51,sys_win32,B1B112F580778F51,CLO007\Crest,"""C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"" 
-ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca",4bd84472-eca2-b69a-0391-f61fa50d0f31,0ca4bcd60601ec0d8602d4f5994cb0393edb892b,c1fc7f6cb2228ee6386d91f27f1a61ae60a63deefb21d78bb810b7f027f1a489,C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe,MICROSOFT WINDOWS,low,StartMenuExperienceHost.exe,4524,"7/25/2023, 5:36:15 AM",B5B212F580778F51,sys_win32,B4B212F580778F51,CLO007\Crest,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.10,23,OUTGOING,2.2.2.10,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738502325776707,Undefined,"7/25/2023, 5:49:14 AM",01H65SGAGCE4JDGCGC1GCKNT9S_29,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:23 AM",STAR,"7/25/2023, 5:49:23 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT 
WINDOWS,system,svchost.exe,10972,"7/25/2023, 5:28:16 AM",09AB12F580778F51,sys_win32,08AB12F580778F51,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.11,23,OUTGOING,2.2.2.11,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738511318364930,Undefined,"7/25/2023, 5:49:11 AM",01H65SG9CAMBQHFPH0TJD6EYXN_434,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:24 AM",STAR,"7/25/2023, 5:49:24 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,1752,"7/17/2023, 10:22:47 AM",C43C0EF580778F51,sys_win32,C33C0EF580778F51,NT AUTHORITY\SYSTEM,"""C:\Windows\system32\wermgr.exe"" -upload",b2eb37f1-bd88-302c-2f15-0217722a8c9f,d8e0c1e1ad99a38f3a84414d5af7b761bf0eb924,a4c41c6c4e1d0fadc9bd3313a3d0e329517f400bd8908dd8c70ac69758e60875,C:\Windows\System32\wermgr.exe,MICROSOFT WINDOWS,system,wermgr.exe,5488,"7/25/2023, 5:37:03 AM",34B612F580778F51,sys_win32,33B612F580778F51,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 
AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.12,23,OUTGOING,2.2.2.12,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738514782860324,Undefined,"7/25/2023, 5:49:14 AM",01H65SGAGCE4JDGCGC1GCKNT9S_9,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:24 AM",STAR,"7/25/2023, 5:49:24 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,11436,"7/25/2023, 5:34:08 AM",FEAE12F580778F51,sys_win32,FDAE12F580778F51,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 
6:40:04 AM",,,,,,,,1.1.1.13,23,OUTGOING,2.2.2.13,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736756505571408611,Undefined,"7/25/2023, 6:24:58 AM",01H65VHMRC71Y2GK2M458J2WMW_15,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 6:25:09 AM",STAR,"7/25/2023, 6:25:09 AM",1736743171400115521,CWL547,1,events,"EndpointName = ""CLO007""",account,Medium,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,2084,"7/17/2023, 10:22:47 AM",D83C0EF580778F51,sys_win32,D73C0EF580778F51,NT AUTHORITY\NETWORK SERVICE,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:40:04 AM",,,,,,,,1.1.1.14,23,OUTGOING,2.2.2.14,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736757508513437640,Undefined,"7/25/2023, 6:27:00 
AM",01H65VN9YVSBR9FGDK3RJX7NKK_10,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 6:27:09 AM",STAR,"7/25/2023, 6:27:09 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,1752,"7/17/2023, 10:22:47 AM",C43C0EF580778F51,sys_win32,C33C0EF580778F51,NT AUTHORITY\SYSTEM,taskhostw.exe,4887a65f-d4f6-598a-f498-6cbc1c0e5488,0882f3f9947405bb80c2e830adf69af85c9b51c7,82472a84bcbb4009add338200f8e853fe4c5eafe2e2c3a2d711b85bf29b72d54,C:\Windows\System32\taskhostw.exe,MICROSOFT WINDOWS,system,taskhostw.exe,8648,"7/25/2023, 6:26:34 AM",24DB12F580778F51,sys_win32,23DB12F580778F51,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 10:30:03 AM",,,,,,,,1.1.1.15,23,OUTGOING,2.2.2.15,14,,,,,,,,,,,,,,,,,,,,,,,,,,75bf528b-1526-ba0d-f9b8-1974a96d2487,75cd7ac1-1fda-d623-2eeb-83dc0120218e,75bf528b-1526-ba0d-f9b8-1974a96d2487,75cd7ad0-4345-18d1-a5b9-d71c6f5dbfd4,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1736872444737646416,Undefined,"7/25/2023, 10:15:22 AM",01H668QFMWS1BRZA6EAHDVWFN0_55,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 10:15:30 AM",STAR,"7/25/2023, 10:15:30 AM",1733309646016098581,IP Connect & IP 
List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED," mount -t nfs -o vers=3,nolock 10.50.3.251: /root/nfsdir",,f6d5066df72ae947089cb3762679c54f61d7c97f,,/usr/bin/mount,,unknown,mount,32168,"7/25/2023, 10:15:07 AM",,unknown,,, /sbin/mount.nfs 10.50.3.251: /root/nfsdir,,2894ddd5adc4c4f89d6171feb966ee8db03e3d48,,/sbin/mount.nfs,,unknown,mount.nfs,32169,"7/25/2023, 10:15:07 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 10:30:03 AM",,,,,,,,1.1.1.16,23,OUTGOING,2.2.2.16,14,,,,,,,,,,,,,,,,,,,,,,,,,,75bf528b-1526-ba0d-f9b8-1974a96d2487,75c81424-5cc1-1e7f-759b-b468bd0aba1c,75bf528b-1526-ba0d-f9b8-1974a96d2487,75c81438-dfdb-a964-e1c3-995f5d9d27d1,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1736872477948148980,Undefined,"7/25/2023, 10:15:22 AM",01H668QFMWS1BRZA6EAHDVWFN0_7,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 10:15:34 AM",STAR,"7/25/2023, 10:15:34 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED," mount -t nfs -o vers=3,nolock 10.50.3.251:/ns2/bucket4/ /root/nfsdir",,f6d5066df72ae947089cb3762679c54f61d7c97f,,/usr/bin/mount,,unknown,mount,32151,"7/25/2023, 10:14:44 AM",,unknown,,, /sbin/mount.nfs 10.50.3.251:/ns2/bucket4/ /root/nfsdir,,2894ddd5adc4c4f89d6171feb966ee8db03e3d48,,/sbin/mount.nfs,,unknown,mount.nfs,32152,"7/25/2023, 10:14:44 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 
12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 10:30:03 AM",,,,,,,,1.1.1.17,23,OUTGOING,2.2.2.17,14,,,,,,,,,,,,,,,,,,,,,,,,,,75bf528b-1526-ba0d-f9b8-1974a96d2487,75cb6e81-9423-24c7-acca-7e20e111bbad,75bf528b-1526-ba0d-f9b8-1974a96d2487,75cb6e91-9565-7ee1-8767-b8a1f763de24,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1736872503055255672,Undefined,"7/25/2023, 10:15:22 AM",01H668QFMWS1BRZA6EAHDVWFN0_15,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 10:15:37 AM",STAR,"7/25/2023, 10:15:37 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED," mount -t nfs -o vers=3,nolock 10.50.3.251:/ns2/bucket4 /root/nfsdir",,f6d5066df72ae947089cb3762679c54f61d7c97f,,/usr/bin/mount,,unknown,mount,32157,"7/25/2023, 10:14:59 AM",,unknown,,, /sbin/mount.nfs 10.50.3.251:/ns2/bucket4 /root/nfsdir,,2894ddd5adc4c4f89d6171feb966ee8db03e3d48,,/sbin/mount.nfs,,unknown,mount.nfs,32158,"7/25/2023, 10:14:59 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 10:30:03 
AM",,,,,,,,1.1.1.18,23,OUTGOING,2.2.2.18,14,,,,,,,,,,,,,,,,,,,,,,,,,,75bf528b-1526-ba0d-f9b8-1974a96d2487,75cc5c9d-5f8f-28b3-b1fa-4ffaff168531,75bf528b-1526-ba0d-f9b8-1974a96d2487,75cc5cb4-12a0-4cb0-cb0c-5678f97e3718,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1736872508449131071,Undefined,"7/25/2023, 10:15:22 AM",01H668QFMWS1BRZA6EAHDVWFN0_51,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 10:15:38 AM",STAR,"7/25/2023, 10:15:38 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED," mount -t nfs -o vers=3,nolock 10.50.3.251:/ns2/ /root/nfsdir",,f6d5066df72ae947089cb3762679c54f61d7c97f,,/usr/bin/mount,,unknown,mount,32166,"7/25/2023, 10:15:03 AM",,unknown,,, /sbin/mount.nfs 10.50.3.251:/ns2/ /root/nfsdir,,2894ddd5adc4c4f89d6171feb966ee8db03e3d48,,/sbin/mount.nfs,,unknown,mount.nfs,32167,"7/25/2023, 10:15:03 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 2:00:04 PM",,,,,,,,1.1.1.19,23,OUTGOING,2.2.2.19,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736978424395258117,Undefined,"7/25/2023, 1:45:59 PM",01H66MS4AHVPK6ZSZA1W047SMR_278,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 1:46:04 PM",STAR,"7/25/2023, 1:46:04 PM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP 
Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\Explorer.EXE,357b678c-68d3-d5ee-86e1-b706fbfd994b,a4e4e2bc502e4ab249b219da357d1aad163ab175,8375581b32e510a1ddf90b1ff8ffb8a756d71e1d5572b1c7c027e9b7393ccd3b,C:\Windows\explorer.exe,MICROSOFT WINDOWS,medium,explorer.exe,14472,"7/25/2023, 5:42:20 AM",FEBB12F580778F51,sys_win32,FDBB12F580778F51,CLO007\Crest,C:\Windows\System32\smartscreen.exe -Embedding,8b71524d-b619-2b9a-1967-1156e27b1826,4549fabd13aaf136087a4501682eb2559eaafdbb,83c9bd1ff0dd424a841cd1b22993e09e16d1339501070613236b0d1f8bff92bc,C:\Windows\System32\smartscreen.exe,MICROSOFT WINDOWS,medium,smartscreen.exe,14528,"7/25/2023, 1:45:28 PM",E0E912F580778F51,sys_win32,DFE912F580778F51,CLO007\Crest,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 2:00:04 PM",,,,,,,,1.1.1.20,23,OUTGOING,2.2.2.20,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736978447346490503,Undefined,"7/25/2023, 1:45:59 PM",01H66MS4AHVPK6ZSZA1W047SMR_22,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 1:46:07 PM",STAR,"7/25/2023, 1:46:07 PM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Users\Crest\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 
/SetPerProcessSystemDPIForceOffKey /EnableNucleusAutoStartFix,8d5ca829-19d6-6439-685d-dd97dca650c6,81c0122bc0adc75ce71912504b8d72825aecad35,7dfe00a315c1e6956eb32c9d12fc809998590d15de1820b34b6d9ca7aa109b88,C:\Users\Crest\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe,MICROSOFT CORPORATION,medium,OneDriveSetup.exe,5412,"7/25/2023, 5:46:58 AM",70BC12F580778F51,sys_win32,19BF12F580778F51,CLO007\Crest, /updateInstalled /background,174826c7-8c0a-a36d-a145-7e711e4c9e80,56ee9857c7a0643d6f6d5e56c3f4689bb1499829,159e208d7211b71b5dad89771bf1fc047de839bcb8e68475f248a051d2ebaa02,C:\Users\Crest\AppData\Local\Microsoft\OneDrive\OneDrive.exe,MICROSOFT CORPORATION,medium,OneDrive.exe,2204,"7/25/2023, 5:47:11 AM",70BC12F580778F51,sys_win32,42CD12F580778F51,CLO007\Crest,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, \ No newline at end of file diff --git a/Sample Data/ASIM/SentinelOne_CL_Schema.csv b/Sample Data/ASIM/SentinelOne_CL_Schema.csv new file mode 100644 index 00000000000..7432410acb8 --- /dev/null +++ b/Sample Data/ASIM/SentinelOne_CL_Schema.csv 
@@ -0,0 +1,313 @@ +ColumnName,ColumnOrdinal,DataType,ColumnType +TenantId,0,"System.String",string +SourceSystem,1,"System.String",string +MG,2,"System.String",string +ManagementGroupName,3,"System.String",string +TimeGenerated,4,"System.DateTime",datetime +Computer,5,"System.String",string +RawData,6,"System.String",string +"alertInfo_indicatorDescription_s",7,"System.String",string +"alertInfo_indicatorName_s",8,"System.String",string +"targetProcessInfo_tgtFileOldPath_s",9,"System.String",string +"alertInfo_indicatorCategory_s",10,"System.String",string +"alertInfo_registryOldValue_g",11,"System.String",string +"alertInfo_dstIp_s",12,"System.String",string +"alertInfo_dstPort_s",13,"System.String",string +"alertInfo_netEventDirection_s",14,"System.String",string +"alertInfo_srcIp_s",15,"System.String",string +"alertInfo_srcPort_s",16,"System.String",string +"containerInfo_id_s",17,"System.String",string +"targetProcessInfo_tgtFileId_g",18,"System.String",string +"alertInfo_registryOldValue_s",19,"System.String",string +"alertInfo_registryOldValueType_s",20,"System.String",string +"alertInfo_dnsRequest_s",21,"System.String",string +"alertInfo_dnsResponse_s",22,"System.String",string +"alertInfo_registryKeyPath_s",23,"System.String",string +"alertInfo_registryPath_s",24,"System.String",string +"alertInfo_registryValue_g",25,"System.String",string +"ruleInfo_description_s",26,"System.String",string +"alertInfo_registryValue_s",27,"System.String",string +"alertInfo_loginAccountDomain_s",28,"System.String",string +"alertInfo_loginAccountSid_s",29,"System.String",string +"alertInfo_loginIsAdministratorEquivalent_s",30,"System.String",string +"alertInfo_loginIsSuccessful_s",31,"System.String",string +"alertInfo_loginType_s",32,"System.String",string +"alertInfo_loginsUserName_s",33,"System.String",string +"alertInfo_srcMachineIp_s",34,"System.String",string +"targetProcessInfo_tgtProcCmdLine_s",35,"System.String",string 
+"targetProcessInfo_tgtProcImagePath_s",36,"System.String",string +"targetProcessInfo_tgtProcName_s",37,"System.String",string +"targetProcessInfo_tgtProcPid_s",38,"System.String",string +"targetProcessInfo_tgtProcSignedStatus_s",39,"System.String",string +"targetProcessInfo_tgtProcStorylineId_s",40,"System.String",string +"targetProcessInfo_tgtProcUid_s",41,"System.String",string +"sourceParentProcessInfo_storyline_g",42,"System.String",string +"sourceParentProcessInfo_uniqueId_g",43,"System.String",string +"sourceProcessInfo_storyline_g",44,"System.String",string +"sourceProcessInfo_uniqueId_g",45,"System.String",string +"targetProcessInfo_tgtProcStorylineId_g",46,"System.String",string +"targetProcessInfo_tgtProcUid_g",47,"System.String",string +"agentDetectionInfo_machineType_s",48,"System.String",string +"agentDetectionInfo_name_s",49,"System.String",string +"agentDetectionInfo_osFamily_s",50,"System.String",string +"agentDetectionInfo_osName_s",51,"System.String",string +"agentDetectionInfo_osRevision_s",52,"System.String",string +"agentDetectionInfo_uuid_g",53,"System.String",string +"agentDetectionInfo_version_s",54,"System.String",string +"agentRealtimeInfo_id_s",55,"System.String",string +"agentRealtimeInfo_infected_b",56,"System.SByte",bool +"agentRealtimeInfo_isActive_b",57,"System.SByte",bool +"agentRealtimeInfo_isDecommissioned_b",58,"System.SByte",bool +"agentRealtimeInfo_machineType_s",59,"System.String",string +"agentRealtimeInfo_name_s",60,"System.String",string +"agentRealtimeInfo_os_s",61,"System.String",string +"agentRealtimeInfo_uuid_g",62,"System.String",string +"alertInfo_alertId_s",63,"System.String",string +"alertInfo_analystVerdict_s",64,"System.String",string +"alertInfo_createdAt_t",65,"System.DateTime",datetime +"alertInfo_dvEventId_s",66,"System.String",string +"alertInfo_eventType_s",67,"System.String",string +"alertInfo_hitType_s",68,"System.String",string +"alertInfo_incidentStatus_s",69,"System.String",string 
+"alertInfo_isEdr_b",70,"System.SByte",bool +"alertInfo_reportedAt_t",71,"System.DateTime",datetime +"alertInfo_source_s",72,"System.String",string +"alertInfo_updatedAt_t",73,"System.DateTime",datetime +"ruleInfo_id_s",74,"System.String",string +"ruleInfo_name_s",75,"System.String",string +"ruleInfo_queryLang_s",76,"System.String",string +"ruleInfo_queryType_s",77,"System.String",string +"ruleInfo_s1ql_s",78,"System.String",string +"ruleInfo_scopeLevel_s",79,"System.String",string +"ruleInfo_severity_s",80,"System.String",string +"ruleInfo_treatAsThreat_s",81,"System.String",string +"sourceParentProcessInfo_commandline_s",82,"System.String",string +"sourceParentProcessInfo_fileHashMd5_g",83,"System.String",string +"sourceParentProcessInfo_fileHashSha1_s",84,"System.String",string +"sourceParentProcessInfo_fileHashSha256_s",85,"System.String",string +"sourceParentProcessInfo_filePath_s",86,"System.String",string +"sourceParentProcessInfo_fileSignerIdentity_s",87,"System.String",string +"sourceParentProcessInfo_integrityLevel_s",88,"System.String",string +"sourceParentProcessInfo_name_s",89,"System.String",string +"sourceParentProcessInfo_pid_s",90,"System.String",string +"sourceParentProcessInfo_pidStarttime_t",91,"System.DateTime",datetime +"sourceParentProcessInfo_storyline_s",92,"System.String",string +"sourceParentProcessInfo_subsystem_s",93,"System.String",string +"sourceParentProcessInfo_uniqueId_s",94,"System.String",string +"sourceParentProcessInfo_user_s",95,"System.String",string +"sourceProcessInfo_commandline_s",96,"System.String",string +"sourceProcessInfo_fileHashMd5_g",97,"System.String",string +"sourceProcessInfo_fileHashSha1_s",98,"System.String",string +"sourceProcessInfo_fileHashSha256_s",99,"System.String",string +"sourceProcessInfo_filePath_s",100,"System.String",string +"sourceProcessInfo_fileSignerIdentity_s",101,"System.String",string +"sourceProcessInfo_integrityLevel_s",102,"System.String",string 
+"sourceProcessInfo_name_s",103,"System.String",string +"sourceProcessInfo_pid_s",104,"System.String",string +"sourceProcessInfo_pidStarttime_t",105,"System.DateTime",datetime +"sourceProcessInfo_storyline_s",106,"System.String",string +"sourceProcessInfo_subsystem_s",107,"System.String",string +"sourceProcessInfo_uniqueId_s",108,"System.String",string +"sourceProcessInfo_user_s",109,"System.String",string +"targetProcessInfo_tgtFileCreatedAt_t",110,"System.DateTime",datetime +"targetProcessInfo_tgtFileHashSha1_s",111,"System.String",string +"targetProcessInfo_tgtFileHashSha256_s",112,"System.String",string +"targetProcessInfo_tgtFileId_s",113,"System.String",string +"targetProcessInfo_tgtFileIsSigned_s",114,"System.String",string +"targetProcessInfo_tgtFileModifiedAt_t",115,"System.DateTime",datetime +"targetProcessInfo_tgtFilePath_s",116,"System.String",string +"targetProcessInfo_tgtProcIntegrityLevel_s",117,"System.String",string +"targetProcessInfo_tgtProcessStartTime_t",118,"System.DateTime",datetime +"agentUpdatedVersion_s",119,"System.String",string +"agentId_s",120,"System.String",string +"hash_s",121,"System.String",string +"osFamily_s",122,"System.String",string +"threatId_s",123,"System.String",string +"creator_s",124,"System.String",string +"creatorId_s",125,"System.String",string +"inherits_b",126,"System.SByte",bool +"isDefault_b",127,"System.SByte",bool +"name_s",128,"System.String",string +"registrationToken_s",129,"System.String",string +"totalAgents_d",130,"System.Double",real +"type_s",131,"System.String",string +"agentDetectionInfo_accountId_s",132,"System.String",string +"agentDetectionInfo_accountName_s",133,"System.String",string +"agentDetectionInfo_agentDetectionState_s",134,"System.String",string +"agentDetectionInfo_agentDomain_s",135,"System.String",string +"agentDetectionInfo_agentIpV4_s",136,"System.String",string +"agentDetectionInfo_agentIpV6_s",137,"System.String",string 
+"agentDetectionInfo_agentLastLoggedInUserName_s",138,"System.String",string
+"agentDetectionInfo_agentMitigationMode_s",139,"System.String",string
+"agentDetectionInfo_agentOsName_s",140,"System.String",string
+"agentDetectionInfo_agentOsRevision_s",141,"System.String",string
+"agentDetectionInfo_agentRegisteredAt_t",142,"System.DateTime",datetime
+"agentDetectionInfo_agentUuid_g",143,"System.String",string
+"agentDetectionInfo_agentVersion_s",144,"System.String",string
+"agentDetectionInfo_externalIp_s",145,"System.String",string
+"agentDetectionInfo_groupId_s",146,"System.String",string
+"agentDetectionInfo_groupName_s",147,"System.String",string
+"agentDetectionInfo_siteId_s",148,"System.String",string
+"agentDetectionInfo_siteName_s",149,"System.String",string
+"agentRealtimeInfo_accountId_s",150,"System.String",string
+"agentRealtimeInfo_accountName_s",151,"System.String",string
+"agentRealtimeInfo_activeThreats_d",152,"System.Double",real
+"agentRealtimeInfo_agentComputerName_s",153,"System.String",string
+"agentRealtimeInfo_agentDomain_s",154,"System.String",string
+"agentRealtimeInfo_agentId_s",155,"System.String",string
+"agentRealtimeInfo_agentInfected_b",156,"System.SByte",bool
+"agentRealtimeInfo_agentIsActive_b",157,"System.SByte",bool
+"agentRealtimeInfo_agentIsDecommissioned_b",158,"System.SByte",bool
+"agentRealtimeInfo_agentMachineType_s",159,"System.String",string
+"agentRealtimeInfo_agentMitigationMode_s",160,"System.String",string
+"agentRealtimeInfo_agentNetworkStatus_s",161,"System.String",string
+"agentRealtimeInfo_agentOsName_s",162,"System.String",string
+"agentRealtimeInfo_agentOsRevision_s",163,"System.String",string
+"agentRealtimeInfo_agentOsType_s",164,"System.String",string
+"agentRealtimeInfo_agentUuid_g",165,"System.String",string
+"agentRealtimeInfo_agentVersion_s",166,"System.String",string
+"agentRealtimeInfo_groupId_s",167,"System.String",string
+"agentRealtimeInfo_groupName_s",168,"System.String",string
+"agentRealtimeInfo_networkInterfaces_s",169,"System.String",string
+"agentRealtimeInfo_operationalState_s",170,"System.String",string
+"agentRealtimeInfo_rebootRequired_b",171,"System.SByte",bool
+"agentRealtimeInfo_scanFinishedAt_t",172,"System.DateTime",datetime
+"agentRealtimeInfo_scanStartedAt_t",173,"System.DateTime",datetime
+"agentRealtimeInfo_scanStatus_s",174,"System.String",string
+"agentRealtimeInfo_siteId_s",175,"System.String",string
+"agentRealtimeInfo_siteName_s",176,"System.String",string
+"agentRealtimeInfo_userActionsNeeded_s",177,"System.String",string
+"indicators_s",178,"System.String",string
+"mitigationStatus_s",179,"System.String",string
+"threatInfo_analystVerdict_s",180,"System.String",string
+"threatInfo_analystVerdictDescription_s",181,"System.String",string
+"threatInfo_automaticallyResolved_b",182,"System.SByte",bool
+"threatInfo_certificateId_s",183,"System.String",string
+"threatInfo_classification_s",184,"System.String",string
+"threatInfo_classificationSource_s",185,"System.String",string
+"threatInfo_cloudFilesHashVerdict_s",186,"System.String",string
+"threatInfo_collectionId_s",187,"System.String",string
+"threatInfo_confidenceLevel_s",188,"System.String",string
+"threatInfo_createdAt_t",189,"System.DateTime",datetime
+"threatInfo_detectionEngines_s",190,"System.String",string
+"threatInfo_detectionType_s",191,"System.String",string
+"threatInfo_engines_s",192,"System.String",string
+"threatInfo_externalTicketExists_b",193,"System.SByte",bool
+"threatInfo_failedActions_b",194,"System.SByte",bool
+"threatInfo_fileExtension_s",195,"System.String",string
+"threatInfo_fileExtensionType_s",196,"System.String",string
+"threatInfo_filePath_s",197,"System.String",string
+"threatInfo_fileSize_d",198,"System.Double",real
+"threatInfo_fileVerificationType_s",199,"System.String",string
+"threatInfo_identifiedAt_t",200,"System.DateTime",datetime
+"threatInfo_incidentStatus_s",201,"System.String",string
+"threatInfo_incidentStatusDescription_s",202,"System.String",string
+"threatInfo_initiatedBy_s",203,"System.String",string
+"threatInfo_initiatedByDescription_s",204,"System.String",string
+"threatInfo_isFileless_b",205,"System.SByte",bool
+"threatInfo_isValidCertificate_b",206,"System.SByte",bool
+"threatInfo_mitigatedPreemptively_b",207,"System.SByte",bool
+"threatInfo_mitigationStatus_s",208,"System.String",string
+"threatInfo_mitigationStatusDescription_s",209,"System.String",string
+"threatInfo_originatorProcess_s",210,"System.String",string
+"threatInfo_pendingActions_b",211,"System.SByte",bool
+"threatInfo_processUser_s",212,"System.String",string
+"threatInfo_publisherName_s",213,"System.String",string
+"threatInfo_reachedEventsLimit_b",214,"System.SByte",bool
+"threatInfo_rebootRequired_b",215,"System.SByte",bool
+"threatInfo_sha1_s",216,"System.String",string
+"threatInfo_storyline_s",217,"System.String",string
+"threatInfo_threatId_s",218,"System.String",string
+"threatInfo_threatName_s",219,"System.String",string
+"threatInfo_updatedAt_t",220,"System.DateTime",datetime
+"whiteningOptions_s",221,"System.String",string
+"threatInfo_maliciousProcessArguments_s",222,"System.String",string
+"threatInfo_fileExtension_g",223,"System.String",string
+"threatInfo_threatName_g",224,"System.String",string
+"threatInfo_storyline_g",225,"System.String",string
+"accountId_s",226,"System.String",string
+"accountName_s",227,"System.String",string
+"activityType_d",228,"System.Double",real
+"activityUuid_g",229,"System.String",string
+"createdAt_t",230,"System.DateTime",datetime
+"id_s",231,"System.String",string
+"primaryDescription_s",232,"System.String",string
+"secondaryDescription_s",233,"System.String",string
+"siteId_s",234,"System.String",string
+"siteName_s",235,"System.String",string
+"updatedAt_t",236,"System.DateTime",datetime
+"userId_s",237,"System.String",string
+"event_name_s",238,"System.String",string
+"DataFields_s",239,"System.String",string
+"description_s",240,"System.String",string
+"comments_s",241,"System.String",string
+"activeDirectory_computerMemberOf_s",242,"System.String",string
+"activeDirectory_lastUserMemberOf_s",243,"System.String",string
+"activeThreats_d",244,"System.Double",real
+"agentVersion_s",245,"System.String",string
+"allowRemoteShell_b",246,"System.SByte",bool
+"appsVulnerabilityStatus_s",247,"System.String",string
+"computerName_s",248,"System.String",string
+"consoleMigrationStatus_s",249,"System.String",string
+"coreCount_d",250,"System.Double",real
+"cpuCount_d",251,"System.Double",real
+"cpuId_s",252,"System.String",string
+"detectionState_s",253,"System.String",string
+"domain_s",254,"System.String",string
+"encryptedApplications_b",255,"System.SByte",bool
+"externalId_s",256,"System.String",string
+"externalIp_s",257,"System.String",string
+"firewallEnabled_b",258,"System.SByte",bool
+"firstFullModeTime_t",259,"System.DateTime",datetime
+"fullDiskScanLastUpdatedAt_t",260,"System.DateTime",datetime
+"groupId_s",261,"System.String",string
+"groupIp_s",262,"System.String",string
+"groupName_s",263,"System.String",string
+"inRemoteShellSession_b",264,"System.SByte",bool
+"infected_b",265,"System.SByte",bool
+"installerType_s",266,"System.String",string
+"isActive_b",267,"System.SByte",bool
+"isDecommissioned_b",268,"System.SByte",bool
+"isPendingUninstall_b",269,"System.SByte",bool
+"isUninstalled_b",270,"System.SByte",bool
+"isUpToDate_b",271,"System.SByte",bool
+"lastActiveDate_t",272,"System.DateTime",datetime
+"lastIpToMgmt_s",273,"System.String",string
+"lastLoggedInUserName_s",274,"System.String",string
+"licenseKey_s",275,"System.String",string
+"locationEnabled_b",276,"System.SByte",bool
+"locationType_s",277,"System.String",string
+"locations_s",278,"System.String",string
+"machineType_s",279,"System.String",string
+"mitigationMode_s",280,"System.String",string
+"mitigationModeSuspicious_s",281,"System.String",string
+"modelName_s",282,"System.String",string
+"networkInterfaces_s",283,"System.String",string
+"networkQuarantineEnabled_b",284,"System.SByte",bool
+"networkStatus_s",285,"System.String",string
+"operationalState_s",286,"System.String",string
+"osArch_s",287,"System.String",string
+"osName_s",288,"System.String",string
+"osRevision_s",289,"System.String",string
+"osStartTime_t",290,"System.DateTime",datetime
+"osType_s",291,"System.String",string
+"rangerStatus_s",292,"System.String",string
+"rangerVersion_s",293,"System.String",string
+"registeredAt_t",294,"System.DateTime",datetime
+"remoteProfilingState_s",295,"System.String",string
+"scanFinishedAt_t",296,"System.DateTime",datetime
+"scanStartedAt_t",297,"System.DateTime",datetime
+"scanStatus_s",298,"System.String",string
+"serialNumber_s",299,"System.String",string
+"showAlertIcon_b",300,"System.SByte",bool
+"tags_sentinelone_s",301,"System.String",string
+"threatRebootRequired_b",302,"System.SByte",bool
+"totalMemory_d",303,"System.Double",real
+"userActionsNeeded_s",304,"System.String",string
+"uuid_g",305,"System.String",string
+"osUsername_s",306,"System.String",string
+"scanAbortedAt_t",307,"System.DateTime",datetime
+"activeDirectory_computerDistinguishedName_s",308,"System.String",string
+"activeDirectory_lastUserDistinguishedName_s",309,"System.String",string
+Type,310,"System.String",string
+"_ResourceId",311,"System.String",string