Merge pull request #8668 from jayeshprajapaticrest/SentinelOneNetwork

ASIM Network Session schema parser with its sample and test data for SentinelOne
Azure · Sep 22, 2023 · 75213fe · 75213fe
2 parents 56f1177 + 7675437
commit 75213fe
Show file tree

Hide file tree

Showing 12 changed files with 6,682 additions and 2 deletions.
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json
@@ -1288,6 +1288,10 @@
   {
     "Name": "scanAbortedAt_t",
     "Type": "datetime"
+  },
+  {
+      "Name": "_ItemId",
+      "Type": "string"
   }
 ]
 }
diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv
@@ -540,7 +540,7 @@ EventProduct,string,Mandatory,Common,,,
 EventProduct,string,Mandatory,Dhcp,,,
 EventProduct,string,Mandatory,Dns,Enumerated,Umbrella|Azure Firewall|DNS Server|Sysmon|Sysmon for Linux|ZIA DNS|NIOS|Cloud DNS|Zeek|Vectra Stream|SentinelOne,
 EventProduct,string,Mandatory,FileEvent,Enumerated,Sysmon for Linux|Sysmon|M365 Defender for Endpoint|Azure File Storage|SharePoint|OneDrive,
-EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki MX|Zeek|Firewall|ASA|Cynerio,
+EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki MX|Zeek|Firewall|ASA|Cynerio|SentinelOne,
 EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events,
 EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event,
 EventProduct,string,Mandatory,UserManagement,,,
@@ -668,7 +668,7 @@ EventVendor,string,Mandatory,Common,,,
 EventVendor,string,Mandatory,Dhcp,,,
 EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI|SentinelOne,
 EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft,
-EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio,
+EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne,
 EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft,
 EventVendor,string,Mandatory,UserManagement,,,
 EventVendor,string,Mandatory,WebSession,Enumerated,Microsoft|Squid|Zscaler|Vectra AI|Palo Alto|WatchGuard|Cisco|Forcepoint|Corelight|Dataminr,

diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml
@@ -44,6 +44,7 @@ Parsers:
   - _ASim_NetworkSession_CiscoMeraki
   - _ASim_NetworkSession_CiscoISE
   - _ASim_NetworkSession_BarracudaWAF
+  - _ASim_NetworkSession_SentinelOne
 
 ParserParams:
   - Name: pack
@@ -77,6 +78,7 @@ ParserQuery: |
     , ASimNetworkSessionMicrosoftSysmon               (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmon'      in (DisabledParsers) ))
     , ASimNetworkSessionForcePointFirewall            (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionForcePointFirewall'      in (DisabledParsers) ))
     , ASimNetworkSessionNative                        (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNative'      in (DisabledParsers) ))
+    , ASimNetworkSessionSentinelOne                   (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne'      in (DisabledParsers) ))
     , ASimNetworkSessionCiscoMeraki                   (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki'      in (DisabledParsers) ))
     , ASimNetworkSessionCiscoISE                      (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoISE'      in (DisabledParsers) ))
     , ASimNetworkSessionBarracudaWAF                  (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaWAF'      in (DisabledParsers) ))

diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml
@@ -0,0 +1,153 @@
+Parser:
+  Title: Network Session ASIM filtering parser for SentinelOne
+  Version: '0.1.0'
+  LastUpdated: Sep 18 2023
+Product:
+  Name: SentinelOne
+Normalization:
+  Schema: NetworkSession
+  Version: '0.2.6'
+References:
+- Title: ASIM Network Session Schema
+  Link: https://aka.ms/ASimNetworkSessionDoc
+- Title: ASIM
+  Link: https:/aka.ms/AboutASIM
+- Title: SentinelOne Documentation
+- Link: https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview
+Description: |
+  This ASIM parser supports normalizing SentinelOne logs to the ASIM Network Session normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+ParserName: ASimNetworkSessionSentinelOne
+EquivalentBuiltInParser: _ASim_NetworkSession_SentinelOne
+ParserParams:
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let NetworkDirectionLookup = datatable (
+      alertInfo_netEventDirection_s: string, 
+      NetworkDirection: string
+  )[
+      "OUTGOING", "Outbound",
+      "INCOMING", "Inbound",
+  ];
+  let DeviceTypeLookup = datatable (
+      agentDetectionInfo_machineType_s: string,
+      SrcDeviceType: string
+  )
+      [
+      "desktop", "Computer",
+      "server", "Computer",
+      "laptop", "Computer",
+      "kubernetes node", "Other",
+      "unknown", "Other"
+  ];
+  let ThreatConfidenceLookup_undefined = datatable(
+      alertInfo_analystVerdict_s: string,
+      ThreatConfidence_undefined: int
+  )
+      [
+      "FALSE_POSITIVE", 5,
+      "Undefined", 15,
+      "SUSPICIOUS", 25,
+      "TRUE_POSITIVE", 33 
+  ];
+  let ThreatConfidenceLookup_suspicious = datatable(
+      alertInfo_analystVerdict_s: string,
+      ThreatConfidence_suspicious: int
+  )
+      [
+      "FALSE_POSITIVE", 40,
+      "Undefined", 50,
+      "SUSPICIOUS", 60,
+      "TRUE_POSITIVE", 67 
+  ];
+  let ThreatConfidenceLookup_malicious = datatable(
+      alertInfo_analystVerdict_s: string,
+      ThreatConfidence_malicious: int
+  )
+      [
+      "FALSE_POSITIVE", 75,
+      "Undefined", 80,
+      "SUSPICIOUS", 90,
+      "TRUE_POSITIVE", 100 
+  ];
+  let parser = (disabled: bool=false) {
+      let alldata = SentinelOne_CL
+          | where not(disabled) 
+              and event_name_s == "Alerts." 
+              and alertInfo_eventType_s == "TCPV4"
+          | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s
+          | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s;
+      let undefineddata = alldata
+          | where ruleInfo_treatAsThreat_s == "UNDEFINED"
+          | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;
+      let suspiciousdata = alldata
+          | where ruleInfo_treatAsThreat_s == "Suspicious"
+          | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;
+      let maliciousdata = alldata
+          | where ruleInfo_treatAsThreat_s == "Malicious"
+          | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;
+      union undefineddata, suspiciousdata, maliciousdata
+      | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')
+      | extend 
+          DstPortNumber = toint(alertInfo_dstPort_s),
+          SrcPortNumber = toint(alertInfo_srcPort_s),
+          ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)
+      | project-rename
+          EventStartTime = sourceProcessInfo_pidStarttime_t,
+          DstIpAddr = alertInfo_dstIp_s,
+          EventUid = _ItemId,
+          SrcIpAddr = alertInfo_srcIp_s,
+          DvcId = agentDetectionInfo_uuid_g,
+          DvcOs = agentDetectionInfo_osName_s,
+          DvcOsVersion = agentDetectionInfo_osRevision_s,
+          EventOriginalSeverity = ruleInfo_severity_s,
+          EventOriginalUid = alertInfo_dvEventId_s,
+          SrcProcessName = sourceProcessInfo_name_s,
+          SrcProcessId = sourceProcessInfo_pid_s,
+          SrcUsername = sourceProcessInfo_user_s,
+          ThreatOriginalConfidence = ruleInfo_treatAsThreat_s
+      | extend
+          EventEndTime = EventStartTime,
+          Dst = DstIpAddr,
+          DvcIpAddr = SrcIpAddr,
+          Src = SrcIpAddr,
+          SrcHostname = DvcHostname,
+          SrcDvcId = DvcId,
+          IpAddr = SrcIpAddr,
+          EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity),
+          SrcDvcIdType = iff(isnotempty(DvcId), "Other", ""),
+          DvcIdType = iff(isnotempty(DvcId), "Other", ""),
+          SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),
+          SrcUserType = _ASIM_GetUserType(SrcUsername, "")
+      | extend
+          Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr),
+          Hostname = SrcHostname
+      | extend
+          EventCount = int(1),
+          EventProduct = "SentinelOne",
+          EventResult = "Success",
+          DvcAction = "Allow",
+          EventSchema = "NetworkSession",
+          EventSchemaVersion = "0.2.6",
+          EventResultDetails = "NA",
+          EventType = "EndpointNetworkSession",
+          EventVendor = "SentinelOne",
+          NetworkProtocol = "TCP",
+          NetworkProtocolVersion = "IPv4"
+      | project-away
+          *_d,
+          *_s,
+          *_g,
+          *_t,
+          *_b,
+          _ResourceId,
+          TenantId,
+          RawData,
+          Computer,
+          MG,
+          ManagementGroupName,
+          SourceSystem,
+          ThreatConfidence_*
+  };
+  parser(disabled = disabled)
diff --git a/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml b/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml
@@ -42,6 +42,7 @@ Parsers:
   - _Im_NetworkSession_CiscoMeraki
   - _Im_NetworkSession_CiscoISE
   - _Im_NetworkSession_BarracudaWAF
+  - _Im_NetworkSession_SentinelOne
 ParserParams:
   - Name: starttime
     Type: datetime
@@ -109,6 +110,7 @@ ParserQuery: |
     , vimNetworkSessionCiscoASA                        (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoASA'      in (DisabledParsers) ))
     , vimNetworkSessionForcePointFirewall              (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionForcePointFirewall'      in (DisabledParsers) ))
     , vimNetworkSessionNative                          (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionNative'      in (DisabledParsers) ))
+    , vimNetworkSessionSentinelOne                     (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSentinelOne'      in (DisabledParsers) ))
     , vimNetworkSessionCiscoMeraki                     (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki'      in (DisabledParsers) ))
     , vimNetworkSessionCiscoISE                        (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoISE'      in (DisabledParsers) ))
     , vimNetworkSessionBarracudaWAF                    (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaWAF'      in (DisabledParsers) ))