diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json
index 4ea5a75943b..18d68ce1869 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json
@@ -1288,6 +1288,10 @@
 {
 "Name": "scanAbortedAt_t",
 "Type": "datetime"
+ },
+ {
+ "Name": "_ItemId",
+ "Type": "string"
 }
 ]
 }
\ No newline at end of file
diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv
index 28d6816b38c..9757552a75d 100644
--- a/ASIM/dev/ASimTester/ASimTester.csv
+++ b/ASIM/dev/ASimTester/ASimTester.csv
@@ -540,7 +540,7 @@ EventProduct,string,Mandatory,Common,,,
 EventProduct,string,Mandatory,Dhcp,,,
 EventProduct,string,Mandatory,Dns,Enumerated,Umbrella|Azure Firewall|DNS Server|Sysmon|Sysmon for Linux|ZIA DNS|NIOS|Cloud DNS|Zeek|Vectra Stream|SentinelOne,
 EventProduct,string,Mandatory,FileEvent,Enumerated,Sysmon for Linux|Sysmon|M365 Defender for Endpoint|Azure File Storage|SharePoint|OneDrive,
-EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki MX|Zeek|Firewall|ASA|Cynerio,
+EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki MX|Zeek|Firewall|ASA|Cynerio|SentinelOne,
 EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events,
 EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event,
 EventProduct,string,Mandatory,UserManagement,,,
@@ -668,7 +668,7 @@ EventVendor,string,Mandatory,Common,,,
 EventVendor,string,Mandatory,Dhcp,,,
 EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI|SentinelOne,
 EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft,
-EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio,
+EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne,
 EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft,
 EventVendor,string,Mandatory,UserManagement,,,
 EventVendor,string,Mandatory,WebSession,Enumerated,Microsoft|Squid|Zscaler|Vectra AI|Palo Alto|WatchGuard|Cisco|Forcepoint|Corelight|Dataminr,
diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml
index bf45062d7ae..1a71b12372a 100644
--- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml
@@ -44,6 +44,7 @@ Parsers:
 - _ASim_NetworkSession_CiscoMeraki
 - _ASim_NetworkSession_CiscoISE
 - _ASim_NetworkSession_BarracudaWAF
+ - _ASim_NetworkSession_SentinelOne
 ParserParams:
 - Name: pack
@@ -77,6 +78,7 @@ ParserQuery: |
 , ASimNetworkSessionMicrosoftSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))
 , ASimNetworkSessionForcePointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionForcePointFirewall' in (DisabledParsers) ))
 , ASimNetworkSessionNative (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNative' in (DisabledParsers) ))
+ , ASimNetworkSessionSentinelOne (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne' in (DisabledParsers) ))
 , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))
 , ASimNetworkSessionCiscoISE (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoISE' in (DisabledParsers) ))
 , ASimNetworkSessionBarracudaWAF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaWAF' in (DisabledParsers) ))
diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml
new file mode 100644
index 00000000000..c9f29c5e133
--- /dev/null
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionSentinelOne.yaml
@@ -0,0 +1,153 @@
+Parser:
+ Title: Network Session ASIM filtering parser for SentinelOne
+ Version: '0.1.0'
+ LastUpdated: Sep 18 2023
+Product:
+ Name: SentinelOne
+Normalization:
+ Schema: NetworkSession
+ Version: '0.2.6'
+References:
+- Title: ASIM Network Session Schema
+ Link: https://aka.ms/ASimNetworkSessionDoc
+- Title: ASIM
+ Link: https:/aka.ms/AboutASIM
+- Title: SentinelOne Documentation
+- Link: https://.sentinelone.net/api-doc/overview
+Description: |
+ This ASIM parser supports normalizing SentinelOne logs to the ASIM Network Session normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+ParserName: ASimNetworkSessionSentinelOne
+EquivalentBuiltInParser: _ASim_NetworkSession_SentinelOne
+ParserParams:
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let NetworkDirectionLookup = datatable (
+ alertInfo_netEventDirection_s: string,
+ NetworkDirection: string
+ )[
+ "OUTGOING", "Outbound",
+ "INCOMING", "Inbound",
+ ];
+ let DeviceTypeLookup = datatable (
+ agentDetectionInfo_machineType_s: string,
+ SrcDeviceType: string
+ )
+ [
+ "desktop", "Computer",
+ "server", "Computer",
+ "laptop", "Computer",
+ "kubernetes node", "Other",
+ "unknown", "Other"
+ ];
+ let ThreatConfidenceLookup_undefined = datatable(
+ alertInfo_analystVerdict_s: string,
+ ThreatConfidence_undefined: int
+ )
+ [
+ "FALSE_POSITIVE", 5,
+ "Undefined", 15,
+ "SUSPICIOUS", 25,
+ "TRUE_POSITIVE", 33
+ ];
+ let ThreatConfidenceLookup_suspicious = datatable(
+ alertInfo_analystVerdict_s: string,
+ ThreatConfidence_suspicious: int
+ )
+ [
+ "FALSE_POSITIVE", 40,
+ "Undefined", 50,
+ "SUSPICIOUS", 60,
+ "TRUE_POSITIVE", 67
+ ];
+ let ThreatConfidenceLookup_malicious = datatable(
+ alertInfo_analystVerdict_s: string,
+ ThreatConfidence_malicious: int
+ )
+ [
+ "FALSE_POSITIVE", 75,
+ "Undefined", 80,
+ "SUSPICIOUS", 90,
+ "TRUE_POSITIVE", 100
+ ];
+ let parser = (disabled: bool=false) {
+ let alldata = SentinelOne_CL
+ | where not(disabled)
+ and event_name_s == "Alerts."
+ and alertInfo_eventType_s == "TCPV4"
+ | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s
+ | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s;
+ let undefineddata = alldata
+ | where ruleInfo_treatAsThreat_s == "UNDEFINED"
+ | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;
+ let suspiciousdata = alldata
+ | where ruleInfo_treatAsThreat_s == "Suspicious"
+ | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;
+ let maliciousdata = alldata
+ | where ruleInfo_treatAsThreat_s == "Malicious"
+ | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;
+ union undefineddata, suspiciousdata, maliciousdata
+ | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')
+ | extend
+ DstPortNumber = toint(alertInfo_dstPort_s),
+ SrcPortNumber = toint(alertInfo_srcPort_s),
+ ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)
+ | project-rename
+ EventStartTime = sourceProcessInfo_pidStarttime_t,
+ DstIpAddr = alertInfo_dstIp_s,
+ EventUid = _ItemId,
+ SrcIpAddr = alertInfo_srcIp_s,
+ DvcId = agentDetectionInfo_uuid_g,
+ DvcOs = agentDetectionInfo_osName_s,
+ DvcOsVersion = agentDetectionInfo_osRevision_s,
+ EventOriginalSeverity = ruleInfo_severity_s,
+ EventOriginalUid = alertInfo_dvEventId_s,
+ SrcProcessName = sourceProcessInfo_name_s,
+ SrcProcessId = sourceProcessInfo_pid_s,
+ SrcUsername = sourceProcessInfo_user_s,
+ ThreatOriginalConfidence = ruleInfo_treatAsThreat_s
+ | extend
+ EventEndTime = EventStartTime,
+ Dst = DstIpAddr,
+ DvcIpAddr = SrcIpAddr,
+ Src = SrcIpAddr,
+ SrcHostname = DvcHostname,
+ SrcDvcId = DvcId,
+ IpAddr = SrcIpAddr,
+ EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity),
+ SrcDvcIdType = iff(isnotempty(DvcId), "Other", ""),
+ DvcIdType = iff(isnotempty(DvcId), "Other", ""),
+ SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),
+ SrcUserType = _ASIM_GetUserType(SrcUsername, "")
+ | extend
+ Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr),
+ Hostname = SrcHostname
+ | extend
+ EventCount = int(1),
+ EventProduct = "SentinelOne",
+ EventResult = "Success",
+ DvcAction = "Allow",
+ EventSchema = "NetworkSession",
+ EventSchemaVersion = "0.2.6",
+ EventResultDetails = "NA",
+ EventType = "EndpointNetworkSession",
+ EventVendor = "SentinelOne",
+ NetworkProtocol = "TCP",
+ NetworkProtocolVersion = "IPv4"
+ | project-away
+ *_d,
+ *_s,
+ *_g,
+ *_t,
+ *_b,
+ _ResourceId,
+ TenantId,
+ RawData,
+ Computer,
+ MG,
+ ManagementGroupName,
+ SourceSystem,
+ ThreatConfidence_*
+ };
+ parser(disabled = disabled)
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml b/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml
index 53a2b63de9d..bdcdbd846bc 100644
--- a/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml
@@ -42,6 +42,7 @@ Parsers:
 - _Im_NetworkSession_CiscoMeraki
 - _Im_NetworkSession_CiscoISE
 - _Im_NetworkSession_BarracudaWAF
+ - _Im_NetworkSession_SentinelOne
 ParserParams:
 - Name: starttime
 Type: datetime
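Review bot: The final `extend` maps the endpoint onto the source side unconditionally — `DvcIpAddr = SrcIpAddr`, `SrcHostname = DvcHostname`, `SrcDvcId = DvcId`, `IpAddr = SrcIpAddr` — even though the parser itself derives NetworkDirection from `alertInfo_netEventDirection_s` and maps "INCOMING" to "Inbound"; if, as the field names suggest, srcIp is the remote peer on an inbound session, those rows end up with the agent's hostname and id attached to a remote address and a remote IP in DvcIpAddr. Assuming that reading is confirmed against the SentinelOne data, DvcIpAddr should become `iff(NetworkDirection == "Inbound", DstIpAddr, SrcIpAddr)` and the host-side fields (hostname, device id, SrcProcess*, SrcUsername) should move to the Dst* side for inbound rows. The three `where ruleInfo_treatAsThreat_s == ...` branches joined by `union` silently drop every alert whose value is not exactly "UNDEFINED", "Suspicious" or "Malicious" (the comparison is case-sensitive), so a new or differently-cased value makes alerts vanish from the normalized view; a single lookup keyed on both columns, or a case-insensitive match with a null ThreatConfidence fallback, would keep them. The metadata also needs a pass before merge: the title calls this non-filtering parser a "filtering parser", `https:/aka.ms/AboutASIM` is missing a slash, `https://.sentinelone.net/api-doc/overview` has a stray leading dot, and `- Link:` starts a new list item instead of belonging to the "SentinelOne Documentation" entry.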
@@ -109,6 +110,7 @@ ParserQuery: |
 , vimNetworkSessionCiscoASA (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoASA' in (DisabledParsers) ))
 , vimNetworkSessionForcePointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionForcePointFirewall' in (DisabledParsers) ))
 , vimNetworkSessionNative (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionNative' in (DisabledParsers) ))
+ , vimNetworkSessionSentinelOne (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSentinelOne' in (DisabledParsers) ))
 , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))
 , vimNetworkSessionCiscoISE (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoISE' in (DisabledParsers) ))
 , vimNetworkSessionBarracudaWAF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaWAF' in (DisabledParsers) ))
diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml
new file mode 100644
index 00000000000..7a6594d524c
--- /dev/null
+++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionSentinelOne.yaml
@@ -0,0 +1,228 @@
+Parser:
+ Title: Network Session ASIM filtering parser for SentinelOne
+ Version: '0.1.0'
+ LastUpdated: Sep 18 2023
+Product:
+ Name: SentinelOne
+Normalization:
+ Schema: NetworkSession
+ Version: '0.2.6'
+References:
+- Title: ASIM Network Session Schema
+ Link: https://aka.ms/ASimNetworkSessionDoc
+- Title: ASIM
+ Link: https:/aka.ms/AboutASIM
+- Title: SentinelOne Documentation
+- Link: https://.sentinelone.net/api-doc/overview
+Description: |
+ This ASIM parser supports normalizing SentinelOne logs to the ASIM Network Session normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+ParserName: vimNetworkSessionSentinelOne
+EquivalentBuiltInParser: _Im_NetworkSession_SentinelOne
+ParserParams:
+ - Name: starttime
+ Type: datetime
+ Default: datetime(null)
+ - Name: endtime
+ Type: datetime
+ Default: datetime(null)
+ - Name: srcipaddr_has_any_prefix
+ Type: dynamic
+ Default: dynamic([])
+ - Name: dstipaddr_has_any_prefix
+ Type: dynamic
+ Default: dynamic([])
+ - Name: ipaddr_has_any_prefix
+ Type: dynamic
+ Default: dynamic([])
+ - Name: dstportnumber
+ Type: int
+ Default: int(null)
+ - Name: dvcaction
+ Type: dynamic
+ Default: dynamic([])
+ - Name: hostname_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: eventresult
+ Type: string
+ Default: '*'
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let NetworkDirectionLookup = datatable (
+ alertInfo_netEventDirection_s: string,
+ NetworkDirection: string
+ )[
+ "OUTGOING", "Outbound",
+ "INCOMING", "Inbound",
+ ];
+ let DeviceTypeLookup = datatable (
+ agentDetectionInfo_machineType_s: string,
+ SrcDeviceType: string
+ )
+ [
+ "desktop", "Computer",
+ "server", "Computer",
+ "laptop", "Computer",
+ "kubernetes node", "Other",
+ "unknown", "Other"
+ ];
+ let ThreatConfidenceLookup_undefined = datatable(
+ alertInfo_analystVerdict_s: string,
+ ThreatConfidence_undefined: int
+ )
+ [
+ "FALSE_POSITIVE", 5,
+ "Undefined", 15,
+ "SUSPICIOUS", 25,
+ "TRUE_POSITIVE", 33
+ ];
+ let ThreatConfidenceLookup_suspicious = datatable(
+ alertInfo_analystVerdict_s: string,
+ ThreatConfidence_suspicious: int
+ )
+ [
+ "FALSE_POSITIVE", 40,
+ "Undefined", 50,
+ "SUSPICIOUS", 60,
+ "TRUE_POSITIVE", 67
+ ];
+ let ThreatConfidenceLookup_malicious = datatable(
+ alertInfo_analystVerdict_s: string,
+ ThreatConfidence_malicious: int
+ )
+ [
+ "FALSE_POSITIVE", 75,
+ "Undefined", 80,
+ "SUSPICIOUS", 90,
+ "TRUE_POSITIVE", 100
+ ];
+ let parser=(
+ disabled: bool=false,
+ starttime: datetime=datetime(null),
+ endtime: datetime=datetime(null),
+ eventresult: string='*',
+ srcipaddr_has_any_prefix: dynamic=dynamic([]),
+ dstipaddr_has_any_prefix: dynamic=dynamic([]),
+ ipaddr_has_any_prefix: dynamic=dynamic([]),
+ hostname_has_any: dynamic=dynamic([]),
+ dstportnumber: int=int(null),
+ dvcaction: dynamic=dynamic([])
+ ) {
+ let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);
+ let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
+ let alldata = SentinelOne_CL
+ | where not(disabled)
+ and (isnull(starttime) or TimeGenerated >= starttime)
+ and (isnull(endtime) or TimeGenerated <= endtime)
+ and event_name_s == "Alerts."
+ and alertInfo_eventType_s == "TCPV4"
+ and (eventresult == "*" or eventresult == "Success")
+ and (isnull(dstportnumber) or toint(alertInfo_dstPort_s) == dstportnumber)
+ and (array_length(hostname_has_any) == 0 or agentDetectionInfo_name_s has_any (hostname_has_any))
+ and (array_length(dvcaction) == 0 or dvcaction has_any ("Allow"))
+ | extend
+ temp_SrcMatch = has_any_ipv4_prefix(alertInfo_srcIp_s, src_or_any),
+ temp_DstMatch = has_any_ipv4_prefix(alertInfo_dstIp_s, dst_or_any)
+ | extend
+ ASimMatchingIpAddr=case(
+ array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,
+ "-",
+ temp_SrcMatch and temp_DstMatch,
+ "Both",
+ temp_SrcMatch,
+ "SrcIpAddr",
+ temp_DstMatch,
+ "DstIpAddr",
+ "No match"
+ ),
+ ASimMatchingHostname = "SrcHostname"
+ | where ASimMatchingIpAddr != "No match";
+ let undefineddata = alldata
+ | where ruleInfo_treatAsThreat_s == "UNDEFINED"
+ | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;
+ let suspiciousdata = alldata
+ | where ruleInfo_treatAsThreat_s == "Suspicious"
+ | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;
+ let maliciousdata = alldata
+ | where ruleInfo_treatAsThreat_s == "Malicious"
+ | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;
+ union undefineddata, suspiciousdata, maliciousdata
+ | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s
+ | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s
+ | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')
+ | extend
+ DstPortNumber = toint(alertInfo_dstPort_s),
+ SrcPortNumber = toint(alertInfo_srcPort_s),
+ ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)
+ | project-rename
+ EventStartTime = sourceProcessInfo_pidStarttime_t,
+ DstIpAddr = alertInfo_dstIp_s,
+ EventUid = _ItemId,
+ SrcIpAddr = alertInfo_srcIp_s,
+ DvcId = agentDetectionInfo_uuid_g,
+ DvcOs = agentDetectionInfo_osName_s,
+ DvcOsVersion = agentDetectionInfo_osRevision_s,
+ EventOriginalSeverity = ruleInfo_severity_s,
+ EventOriginalUid = alertInfo_dvEventId_s,
+ SrcProcessName = sourceProcessInfo_name_s,
+ SrcProcessId = sourceProcessInfo_pid_s,
+ SrcUsername = sourceProcessInfo_user_s,
+ ThreatOriginalConfidence = ruleInfo_treatAsThreat_s
+ | extend
+ EventEndTime = EventStartTime,
+ Dst = DstIpAddr,
+ DvcIpAddr = SrcIpAddr,
+ Src = SrcIpAddr,
+ SrcHostname = DvcHostname,
+ SrcDvcId = DvcId,
+ IpAddr = SrcIpAddr,
+ EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity),
+ SrcDvcIdType = iff(isnotempty(DvcId), "Other", ""),
+ DvcIdType = iff(isnotempty(DvcId), "Other", ""),
+ SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),
+ SrcUserType = _ASIM_GetUserType(SrcUsername, "")
+ | extend
+ Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr),
+ Hostname = SrcHostname
+ | extend
+ EventCount = int(1),
+ EventProduct = "SentinelOne",
+ EventResult = "Success",
+ DvcAction = "Allow",
+ EventSchema = "NetworkSession",
+ EventSchemaVersion = "0.2.6",
+ EventResultDetails = "NA",
+ EventType = "EndpointNetworkSession",
+ EventVendor = "SentinelOne",
+ NetworkProtocol = "TCP",
+ NetworkProtocolVersion = "IPv4"
+ | project-away
+ *_d,
+ *_s,
+ *_g,
+ *_t,
+ *_b,
+ _ResourceId,
+ temp*,
+ TenantId,
+ RawData,
+ Computer,
+ MG,
+ ManagementGroupName,
+ SourceSystem,
+ ThreatConfidence_*
+ };
+ parser(
+ disabled=disabled,
+ starttime=starttime,
+ endtime=endtime,
+ eventresult=eventresult,
+ srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,
+ dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,
+ ipaddr_has_any_prefix=ipaddr_has_any_prefix,
+ hostname_has_any=hostname_has_any,
+ dstportnumber=dstportnumber,
+ dvcaction=dvcaction
+ )
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv
new file mode 100644
index 00000000000..5a9ed0ce555
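Review bot: `ASimMatchingHostname = "SrcHostname"` is assigned unconditionally, while the `ASimMatchingIpAddr` case expression directly above it returns "-" when no prefix filter was passed; the hostname marker should follow the same convention, `ASimMatchingHostname = iff(array_length(hostname_has_any) == 0, "-", "SrcHostname")`, otherwise callers cannot tell a hostname match from "no filter applied". The starttime/endtime window is applied to `TimeGenerated`, but the emitted `EventStartTime` (and `EventEndTime`, which copies it) is `sourceProcessInfo_pidStarttime_t` — the start time of the originating process, which can be hours or days before the connection — so time-boxed hunts over this parser will show sessions at the wrong time; the sample data header added in this commit also carries `alertInfo_createdAt_t` and `alertInfo_reportedAt_t`, and if one of those marks when the connection was observed it is the better EventStartTime, with the process start kept as a separate field. The timestamp point applies equally to ASimNetworkSessionSentinelOne, which shares this query body apart from the filter parameters.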
--- /dev/null +++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_DataTest.csv @@ -0,0 +1,8 @@ +Result +"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)" +"(2) Info: Empty value in 10986 records (96.52%) in optional field [SrcUserType] (Schema:NetworkSession)" +"(2) Info: Empty value in 10986 records (96.52%) in optional field [SrcUsername] (Schema:NetworkSession)" +"(2) Info: Empty value in 1718 records (15.09%) in optional field [DvcFQDN] (Schema:NetworkSession)" +"(2) Info: Empty value in 1718 records (15.09%) in recommended field [DvcDomain] (Schema:NetworkSession)" +"(2) Info: Empty value in 2 records (0.02%) in optional field [SrcProcessName] (Schema:NetworkSession)" diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv new file mode 100644 index 00000000000..50af1297f20 --- /dev/null +++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_ASimNetworkSession_SchemaTest.csv 
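Review bot: The two "(0) Error" lines recorded here for `EventProduct` and `EventVendor` are exactly the enumeration failures this commit removes by adding SentinelOne to ASimTester.csv, so the expected-output file was captured before that change and now documents a failing baseline; re-run the ASim tester after the ASimTester.csv update and commit the regenerated file (the vim DataTest file added below has the same two stale lines). The Info lines showing SrcUsername and SrcUserType empty in 96.52% of records deserve a one-line caveat in the parser Description, since analysts will otherwise expect user attribution on these endpoint sessions.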
@@ -0,0 +1,107 @@ +Result +"(1) Warning: Missing recommended field [ASimMatchingHostname]" +"(1) Warning: Missing recommended field [ASimMatchingIpAddr]" +"(1) Warning: Missing recommended field [DstDomain]" +"(1) Warning: Missing recommended field [DstHostname]" +"(1) Warning: Missing recommended field [SrcDomain]" +"(2) Info: Missing optional alias [Duration] aliasing non-existent column [NetworkDuration]" +"(2) Info: Missing optional alias [InnerVlanId] aliasing non-existent column [SrcVlanId]" +"(2) Info: Missing optional alias [OuterVlanId] aliasing non-existent column [DstVlanId]" +"(2) Info: Missing optional alias [SessionId] aliasing non-existent column [NetworkSessionId]" +"(2) Info: Missing optional alias [User] aliasing non-existent column [DstUsername]" +"(2) Info: Missing optional field [AdditionalFields]" +"(2) Info: Missing optional field [DstAppId]" +"(2) Info: Missing optional field [DstAppName]" +"(2) Info: Missing optional field [DstAppType]" +"(2) Info: Missing optional field [DstBytes]" +"(2) Info: Missing optional field [DstDescription]" +"(2) Info: Missing optional field [DstDeviceType]" +"(2) Info: Missing optional field [DstDvcId]" +"(2) Info: Missing optional field [DstFQDN]" +"(2) Info: Missing optional field [DstGeoCity]" +"(2) Info: Missing optional field [DstGeoCountry]" +"(2) Info: Missing optional field [DstGeoLatitude]" +"(2) Info: Missing optional field [DstGeoLongitude]" +"(2) Info: Missing optional field [DstGeoRegion]" +"(2) Info: Missing optional field [DstInterfaceGuid]" +"(2) Info: Missing optional field [DstInterfaceName]" +"(2) Info: Missing optional field [DstMacAddr]" +"(2) Info: Missing optional field [DstNatIpAddr]" +"(2) Info: Missing optional field [DstNatPortNumber]" +"(2) Info: Missing optional field [DstOriginalUserType]" +"(2) Info: Missing optional field [DstPackets]" +"(2) Info: Missing optional field [DstProcessGuid]" +"(2) Info: Missing optional field [DstProcessId]" +"(2) Info: Missing optional field 
[DstProcessName]" +"(2) Info: Missing optional field [DstScopeId]" +"(2) Info: Missing optional field [DstUserId]" +"(2) Info: Missing optional field [DstUserType]" +"(2) Info: Missing optional field [DstUsername]" +"(2) Info: Missing optional field [DstVlanId]" +"(2) Info: Missing optional field [DstZone]" +"(2) Info: Missing optional field [DvcDescription]" +"(2) Info: Missing optional field [DvcInboundInterface]" +"(2) Info: Missing optional field [DvcInterface]" +"(2) Info: Missing optional field [DvcMacAddr]" +"(2) Info: Missing optional field [DvcOriginalAction]" +"(2) Info: Missing optional field [DvcOutboundInterface]" +"(2) Info: Missing optional field [DvcScopeId]" +"(2) Info: Missing optional field [DvcScope]" +"(2) Info: Missing optional field [DvcZone]" +"(2) Info: Missing optional field [EventMessage]" +"(2) Info: Missing optional field [EventOriginalResultDetails]" +"(2) Info: Missing optional field [EventOriginalSubType]" +"(2) Info: Missing optional field [EventOriginalType]" +"(2) Info: Missing optional field [EventOwner]" +"(2) Info: Missing optional field [EventProductVersion]" +"(2) Info: Missing optional field [EventReportUrl]" +"(2) Info: Missing optional field [EventSubType]" +"(2) Info: Missing optional field [NetworkApplicationProtocol]" +"(2) Info: Missing optional field [NetworkBytes]" +"(2) Info: Missing optional field [NetworkConnectionHistory]" +"(2) Info: Missing optional field [NetworkDuration]" +"(2) Info: Missing optional field [NetworkIcmpCode]" +"(2) Info: Missing optional field [NetworkIcmpType]" +"(2) Info: Missing optional field [NetworkPackets]" +"(2) Info: Missing optional field [NetworkRuleName]" +"(2) Info: Missing optional field [NetworkRuleNumber]" +"(2) Info: Missing optional field [NetworkSessionId]" +"(2) Info: Missing optional field [Rule]" +"(2) Info: Missing optional field [SrcAppId]" +"(2) Info: Missing optional field [SrcAppName]" +"(2) Info: Missing optional field [SrcAppType]" +"(2) Info: Missing optional 
field [SrcBytes]" +"(2) Info: Missing optional field [SrcDescription]" +"(2) Info: Missing optional field [SrcFQDN]" +"(2) Info: Missing optional field [SrcGeoCity]" +"(2) Info: Missing optional field [SrcGeoCountry]" +"(2) Info: Missing optional field [SrcGeoLatitude]" +"(2) Info: Missing optional field [SrcGeoLongitude]" +"(2) Info: Missing optional field [SrcGeoRegion]" +"(2) Info: Missing optional field [SrcInterfaceGuid]" +"(2) Info: Missing optional field [SrcInterfaceName]" +"(2) Info: Missing optional field [SrcMacAddr]" +"(2) Info: Missing optional field [SrcNatIpAddr]" +"(2) Info: Missing optional field [SrcNatPortNumber]" +"(2) Info: Missing optional field [SrcOriginalUserType]" +"(2) Info: Missing optional field [SrcPackets]" +"(2) Info: Missing optional field [SrcProcessGuid]" +"(2) Info: Missing optional field [SrcScopeId]" +"(2) Info: Missing optional field [SrcUserId]" +"(2) Info: Missing optional field [SrcVlanId]" +"(2) Info: Missing optional field [SrcZone]" +"(2) Info: Missing optional field [TcpFlagsAck]" +"(2) Info: Missing optional field [TcpFlagsFin]" +"(2) Info: Missing optional field [TcpFlagsPsh]" +"(2) Info: Missing optional field [TcpFlagsRst]" +"(2) Info: Missing optional field [TcpFlagsSyn]" +"(2) Info: Missing optional field [TcpFlagsUrg]" +"(2) Info: Missing optional field [ThreatCategory]" +"(2) Info: Missing optional field [ThreatFirstReportedTime]" +"(2) Info: Missing optional field [ThreatId]" +"(2) Info: Missing optional field [ThreatIpAddr]" +"(2) Info: Missing optional field [ThreatIsActive]" +"(2) Info: Missing optional field [ThreatLastReportedTime]" +"(2) Info: Missing optional field [ThreatName]" +"(2) Info: Missing optional field [ThreatOriginalRiskLevel]" +"(2) Info: Missing optional field [ThreatRiskLevel]" 
diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv new file mode 100644 index 00000000000..5a9ed0ce555 --- /dev/null +++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_DataTest.csv @@ -0,0 +1,8 @@ +Result +"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 11382 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:NetworkSession)" +"(2) Info: Empty value in 10986 records (96.52%) in optional field [SrcUserType] (Schema:NetworkSession)" +"(2) Info: Empty value in 10986 records (96.52%) in optional field [SrcUsername] (Schema:NetworkSession)" +"(2) Info: Empty value in 1718 records (15.09%) in optional field [DvcFQDN] (Schema:NetworkSession)" +"(2) Info: Empty value in 1718 records (15.09%) in recommended field [DvcDomain] (Schema:NetworkSession)" +"(2) Info: Empty value in 2 records (0.02%) in optional field [SrcProcessName] (Schema:NetworkSession)" diff --git a/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv new file mode 100644 index 00000000000..77b1fa0c1f6 --- /dev/null +++ b/Parsers/ASimNetworkSession/Tests/SentinelOne_vimNetworkSession_SchemaTest.csv 
@@ -0,0 +1,105 @@ +Result +"(1) Warning: Missing recommended field [DstDomain]" +"(1) Warning: Missing recommended field [DstHostname]" +"(1) Warning: Missing recommended field [SrcDomain]" +"(2) Info: Missing optional alias [Duration] aliasing non-existent column [NetworkDuration]" +"(2) Info: Missing optional alias [InnerVlanId] aliasing non-existent column [SrcVlanId]" +"(2) Info: Missing optional alias [OuterVlanId] aliasing non-existent column [DstVlanId]" +"(2) Info: Missing optional alias [SessionId] aliasing non-existent column [NetworkSessionId]" +"(2) Info: Missing optional alias [User] aliasing non-existent column [DstUsername]" +"(2) Info: Missing optional field [AdditionalFields]" +"(2) Info: Missing optional field [DstAppId]" +"(2) Info: Missing optional field [DstAppName]" +"(2) Info: Missing optional field [DstAppType]" +"(2) Info: Missing optional field [DstBytes]" +"(2) Info: Missing optional field [DstDescription]" +"(2) Info: Missing optional field [DstDeviceType]" +"(2) Info: Missing optional field [DstDvcId]" +"(2) Info: Missing optional field [DstFQDN]" +"(2) Info: Missing optional field [DstGeoCity]" +"(2) Info: Missing optional field [DstGeoCountry]" +"(2) Info: Missing optional field [DstGeoLatitude]" +"(2) Info: Missing optional field [DstGeoLongitude]" +"(2) Info: Missing optional field [DstGeoRegion]" +"(2) Info: Missing optional field [DstInterfaceGuid]" +"(2) Info: Missing optional field [DstInterfaceName]" +"(2) Info: Missing optional field [DstMacAddr]" +"(2) Info: Missing optional field [DstNatIpAddr]" +"(2) Info: Missing optional field [DstNatPortNumber]" +"(2) Info: Missing optional field [DstOriginalUserType]" +"(2) Info: Missing optional field [DstPackets]" +"(2) Info: Missing optional field [DstProcessGuid]" +"(2) Info: Missing optional field [DstProcessId]" +"(2) Info: Missing optional field [DstProcessName]" +"(2) Info: Missing optional field [DstScopeId]" +"(2) Info: Missing optional field [DstUserId]" +"(2) Info: Missing 
optional field [DstUserType]" +"(2) Info: Missing optional field [DstUsername]" +"(2) Info: Missing optional field [DstVlanId]" +"(2) Info: Missing optional field [DstZone]" +"(2) Info: Missing optional field [DvcDescription]" +"(2) Info: Missing optional field [DvcInboundInterface]" +"(2) Info: Missing optional field [DvcInterface]" +"(2) Info: Missing optional field [DvcMacAddr]" +"(2) Info: Missing optional field [DvcOriginalAction]" +"(2) Info: Missing optional field [DvcOutboundInterface]" +"(2) Info: Missing optional field [DvcScopeId]" +"(2) Info: Missing optional field [DvcScope]" +"(2) Info: Missing optional field [DvcZone]" +"(2) Info: Missing optional field [EventMessage]" +"(2) Info: Missing optional field [EventOriginalResultDetails]" +"(2) Info: Missing optional field [EventOriginalSubType]" +"(2) Info: Missing optional field [EventOriginalType]" +"(2) Info: Missing optional field [EventOwner]" +"(2) Info: Missing optional field [EventProductVersion]" +"(2) Info: Missing optional field [EventReportUrl]" +"(2) Info: Missing optional field [EventSubType]" +"(2) Info: Missing optional field [NetworkApplicationProtocol]" +"(2) Info: Missing optional field [NetworkBytes]" +"(2) Info: Missing optional field [NetworkConnectionHistory]" +"(2) Info: Missing optional field [NetworkDuration]" +"(2) Info: Missing optional field [NetworkIcmpCode]" +"(2) Info: Missing optional field [NetworkIcmpType]" +"(2) Info: Missing optional field [NetworkPackets]" +"(2) Info: Missing optional field [NetworkRuleName]" +"(2) Info: Missing optional field [NetworkRuleNumber]" +"(2) Info: Missing optional field [NetworkSessionId]" +"(2) Info: Missing optional field [Rule]" +"(2) Info: Missing optional field [SrcAppId]" +"(2) Info: Missing optional field [SrcAppName]" +"(2) Info: Missing optional field [SrcAppType]" +"(2) Info: Missing optional field [SrcBytes]" +"(2) Info: Missing optional field [SrcDescription]" +"(2) Info: Missing optional field [SrcFQDN]" +"(2) Info: Missing 
optional field [SrcGeoCity]" +"(2) Info: Missing optional field [SrcGeoCountry]" +"(2) Info: Missing optional field [SrcGeoLatitude]" +"(2) Info: Missing optional field [SrcGeoLongitude]" +"(2) Info: Missing optional field [SrcGeoRegion]" +"(2) Info: Missing optional field [SrcInterfaceGuid]" +"(2) Info: Missing optional field [SrcInterfaceName]" +"(2) Info: Missing optional field [SrcMacAddr]" +"(2) Info: Missing optional field [SrcNatIpAddr]" +"(2) Info: Missing optional field [SrcNatPortNumber]" +"(2) Info: Missing optional field [SrcOriginalUserType]" +"(2) Info: Missing optional field [SrcPackets]" +"(2) Info: Missing optional field [SrcProcessGuid]" +"(2) Info: Missing optional field [SrcScopeId]" +"(2) Info: Missing optional field [SrcUserId]" +"(2) Info: Missing optional field [SrcVlanId]" +"(2) Info: Missing optional field [SrcZone]" +"(2) Info: Missing optional field [TcpFlagsAck]" +"(2) Info: Missing optional field [TcpFlagsFin]" +"(2) Info: Missing optional field [TcpFlagsPsh]" +"(2) Info: Missing optional field [TcpFlagsRst]" +"(2) Info: Missing optional field [TcpFlagsSyn]" +"(2) Info: Missing optional field [TcpFlagsUrg]" +"(2) Info: Missing optional field [ThreatCategory]" +"(2) Info: Missing optional field [ThreatFirstReportedTime]" +"(2) Info: Missing optional field [ThreatId]" +"(2) Info: Missing optional field [ThreatIpAddr]" +"(2) Info: Missing optional field [ThreatIsActive]" +"(2) Info: Missing optional field [ThreatLastReportedTime]" +"(2) Info: Missing optional field [ThreatName]" +"(2) Info: Missing optional field [ThreatOriginalRiskLevel]" +"(2) Info: Missing optional field [ThreatRiskLevel]" diff --git a/Sample Data/ASIM/SentinelOne_ASimNetworkSession_IngestedLogs.csv b/Sample Data/ASIM/SentinelOne_ASimNetworkSession_IngestedLogs.csv new file mode 100644 index 00000000000..b78c519ba01 --- /dev/null +++ b/Sample Data/ASIM/SentinelOne_ASimNetworkSession_IngestedLogs.csv 
@@ -0,0 +1,21 @@ +TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,alertInfo_indicatorDescription_s,alertInfo_indicatorName_s,targetProcessInfo_tgtFileOldPath_s,alertInfo_indicatorCategory_s,alertInfo_registryOldValue_g,alertInfo_dstIp_s,alertInfo_dstPort_s,alertInfo_netEventDirection_s,alertInfo_srcIp_s,alertInfo_srcPort_s,containerInfo_id_s,targetProcessInfo_tgtFileId_g,alertInfo_registryOldValue_s,alertInfo_registryOldValueType_s,alertInfo_dnsRequest_s,alertInfo_dnsResponse_s,alertInfo_registryKeyPath_s,alertInfo_registryPath_s,alertInfo_registryValue_g,ruleInfo_description_s,alertInfo_registryValue_s,alertInfo_loginAccountDomain_s,alertInfo_loginAccountSid_s,alertInfo_loginIsAdministratorEquivalent_s,alertInfo_loginIsSuccessful_s,alertInfo_loginType_s,alertInfo_loginsUserName_s,alertInfo_srcMachineIp_s,targetProcessInfo_tgtProcCmdLine_s,targetProcessInfo_tgtProcImagePath_s,targetProcessInfo_tgtProcName_s,targetProcessInfo_tgtProcPid_s,targetProcessInfo_tgtProcSignedStatus_s,targetProcessInfo_tgtProcStorylineId_s,targetProcessInfo_tgtProcUid_s,sourceParentProcessInfo_storyline_g,sourceParentProcessInfo_uniqueId_g,sourceProcessInfo_storyline_g,sourceProcessInfo_uniqueId_g,targetProcessInfo_tgtProcStorylineId_g,targetProcessInfo_tgtProcUid_g,agentDetectionInfo_machineType_s,agentDetectionInfo_name_s,agentDetectionInfo_osFamily_s,agentDetectionInfo_osName_s,agentDetectionInfo_osRevision_s,agentDetectionInfo_uuid_g,agentDetectionInfo_version_s,agentRealtimeInfo_id_s,agentRealtimeInfo_infected_b,agentRealtimeInfo_isActive_b,agentRealtimeInfo_isDecommissioned_b,agentRealtimeInfo_machineType_s,agentRealtimeInfo_name_s,agentRealtimeInfo_os_s,agentRealtimeInfo_uuid_g,alertInfo_alertId_s,alertInfo_analystVerdict_s,alertInfo_createdAt_t [UTC],alertInfo_dvEventId_s,alertInfo_eventType_s,alertInfo_hitType_s,alertInfo_incidentStatus_s,alertInfo_isEdr_b,alertInfo_reportedAt_t [UTC],alertInfo_source_s,alertInfo_updatedAt_t 
[UTC],ruleInfo_id_s,ruleInfo_name_s,ruleInfo_queryLang_s,ruleInfo_queryType_s,ruleInfo_s1ql_s,ruleInfo_scopeLevel_s,ruleInfo_severity_s,ruleInfo_treatAsThreat_s,sourceParentProcessInfo_commandline_s,sourceParentProcessInfo_fileHashMd5_g,sourceParentProcessInfo_fileHashSha1_s,sourceParentProcessInfo_fileHashSha256_s,sourceParentProcessInfo_filePath_s,sourceParentProcessInfo_fileSignerIdentity_s,sourceParentProcessInfo_integrityLevel_s,sourceParentProcessInfo_name_s,sourceParentProcessInfo_pid_s,sourceParentProcessInfo_pidStarttime_t [UTC],sourceParentProcessInfo_storyline_s,sourceParentProcessInfo_subsystem_s,sourceParentProcessInfo_uniqueId_s,sourceParentProcessInfo_user_s,sourceProcessInfo_commandline_s,sourceProcessInfo_fileHashMd5_g,sourceProcessInfo_fileHashSha1_s,sourceProcessInfo_fileHashSha256_s,sourceProcessInfo_filePath_s,sourceProcessInfo_fileSignerIdentity_s,sourceProcessInfo_integrityLevel_s,sourceProcessInfo_name_s,sourceProcessInfo_pid_s,sourceProcessInfo_pidStarttime_t [UTC],sourceProcessInfo_storyline_s,sourceProcessInfo_subsystem_s,sourceProcessInfo_uniqueId_s,sourceProcessInfo_user_s,targetProcessInfo_tgtFileCreatedAt_t [UTC],targetProcessInfo_tgtFileHashSha1_s,targetProcessInfo_tgtFileHashSha256_s,targetProcessInfo_tgtFileId_s,targetProcessInfo_tgtFileIsSigned_s,targetProcessInfo_tgtFileModifiedAt_t [UTC],targetProcessInfo_tgtFilePath_s,targetProcessInfo_tgtProcIntegrityLevel_s,targetProcessInfo_tgtProcessStartTime_t 
[UTC],agentUpdatedVersion_s,agentId_s,hash_s,osFamily_s,threatId_s,creator_s,creatorId_s,inherits_b,isDefault_b,name_s,registrationToken_s,totalAgents_d,type_s,agentDetectionInfo_accountId_s,agentDetectionInfo_accountName_s,agentDetectionInfo_agentDetectionState_s,agentDetectionInfo_agentDomain_s,agentDetectionInfo_agentIpV4_s,agentDetectionInfo_agentIpV6_s,agentDetectionInfo_agentLastLoggedInUserName_s,agentDetectionInfo_agentMitigationMode_s,agentDetectionInfo_agentOsName_s,agentDetectionInfo_agentOsRevision_s,agentDetectionInfo_agentRegisteredAt_t [UTC],agentDetectionInfo_agentUuid_g,agentDetectionInfo_agentVersion_s,agentDetectionInfo_externalIp_s,agentDetectionInfo_groupId_s,agentDetectionInfo_groupName_s,agentDetectionInfo_siteId_s,agentDetectionInfo_siteName_s,agentRealtimeInfo_accountId_s,agentRealtimeInfo_accountName_s,agentRealtimeInfo_activeThreats_d,agentRealtimeInfo_agentComputerName_s,agentRealtimeInfo_agentDomain_s,agentRealtimeInfo_agentId_s,agentRealtimeInfo_agentInfected_b,agentRealtimeInfo_agentIsActive_b,agentRealtimeInfo_agentIsDecommissioned_b,agentRealtimeInfo_agentMachineType_s,agentRealtimeInfo_agentMitigationMode_s,agentRealtimeInfo_agentNetworkStatus_s,agentRealtimeInfo_agentOsName_s,agentRealtimeInfo_agentOsRevision_s,agentRealtimeInfo_agentOsType_s,agentRealtimeInfo_agentUuid_g,agentRealtimeInfo_agentVersion_s,agentRealtimeInfo_groupId_s,agentRealtimeInfo_groupName_s,agentRealtimeInfo_networkInterfaces_s,agentRealtimeInfo_operationalState_s,agentRealtimeInfo_rebootRequired_b,agentRealtimeInfo_scanFinishedAt_t [UTC],agentRealtimeInfo_scanStartedAt_t 
[UTC],agentRealtimeInfo_scanStatus_s,agentRealtimeInfo_siteId_s,agentRealtimeInfo_siteName_s,agentRealtimeInfo_userActionsNeeded_s,indicators_s,mitigationStatus_s,threatInfo_analystVerdict_s,threatInfo_analystVerdictDescription_s,threatInfo_automaticallyResolved_b,threatInfo_certificateId_s,threatInfo_classification_s,threatInfo_classificationSource_s,threatInfo_cloudFilesHashVerdict_s,threatInfo_collectionId_s,threatInfo_confidenceLevel_s,threatInfo_createdAt_t [UTC],threatInfo_detectionEngines_s,threatInfo_detectionType_s,threatInfo_engines_s,threatInfo_externalTicketExists_b,threatInfo_failedActions_b,threatInfo_fileExtension_s,threatInfo_fileExtensionType_s,threatInfo_filePath_s,threatInfo_fileSize_d,threatInfo_fileVerificationType_s,threatInfo_identifiedAt_t [UTC],threatInfo_incidentStatus_s,threatInfo_incidentStatusDescription_s,threatInfo_initiatedBy_s,threatInfo_initiatedByDescription_s,threatInfo_isFileless_b,threatInfo_isValidCertificate_b,threatInfo_mitigatedPreemptively_b,threatInfo_mitigationStatus_s,threatInfo_mitigationStatusDescription_s,threatInfo_originatorProcess_s,threatInfo_pendingActions_b,threatInfo_processUser_s,threatInfo_publisherName_s,threatInfo_reachedEventsLimit_b,threatInfo_rebootRequired_b,threatInfo_sha1_s,threatInfo_storyline_s,threatInfo_threatId_s,threatInfo_threatName_s,threatInfo_updatedAt_t [UTC],whiteningOptions_s,threatInfo_maliciousProcessArguments_s,threatInfo_fileExtension_g,threatInfo_threatName_g,threatInfo_storyline_g,accountId_s,accountName_s,activityType_d,activityUuid_g,createdAt_t [UTC],id_s,primaryDescription_s,secondaryDescription_s,siteId_s,siteName_s,updatedAt_t 
[UTC],userId_s,event_name_s,DataFields_s,description_s,comments_s,activeDirectory_computerMemberOf_s,activeDirectory_lastUserMemberOf_s,activeThreats_d,agentVersion_s,allowRemoteShell_b,appsVulnerabilityStatus_s,computerName_s,consoleMigrationStatus_s,coreCount_d,cpuCount_d,cpuId_s,detectionState_s,domain_s,encryptedApplications_b,externalId_s,externalIp_s,firewallEnabled_b,firstFullModeTime_t [UTC],fullDiskScanLastUpdatedAt_t [UTC],groupId_s,groupIp_s,groupName_s,inRemoteShellSession_b,infected_b,installerType_s,isActive_b,isDecommissioned_b,isPendingUninstall_b,isUninstalled_b,isUpToDate_b,lastActiveDate_t [UTC],lastIpToMgmt_s,lastLoggedInUserName_s,licenseKey_s,locationEnabled_b,locationType_s,locations_s,machineType_s,mitigationMode_s,mitigationModeSuspicious_s,modelName_s,networkInterfaces_s,networkQuarantineEnabled_b,networkStatus_s,operationalState_s,osArch_s,osName_s,osRevision_s,osStartTime_t [UTC],osType_s,rangerStatus_s,rangerVersion_s,registeredAt_t [UTC],remoteProfilingState_s,scanFinishedAt_t [UTC],scanStartedAt_t [UTC],scanStatus_s,serialNumber_s,showAlertIcon_b,tags_sentinelone_s,threatRebootRequired_b,totalMemory_d,userActionsNeeded_s,uuid_g,osUsername_s,scanAbortedAt_t [UTC],activeDirectory_computerDistinguishedName_s,activeDirectory_lastUserDistinguishedName_s,Type,_ResourceId +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 5:10:03 AM",,,,,,,,1.1.1.1,21,OUTGOING,2.2.2.1,11,,,,,,,,,,,,,,,,,,,,,,,,,,747ffc62-5417-49b6-b4ea-5109c4ec9e4f,747ffc61-1824-0304-10ba-8cc565a15646,7487986b-0982-122d-e993-6113156f70ed,7488937b-7a34-81e9-e4c7-434a2e49cf39,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1736709934432915550,Undefined,"7/25/2023, 4:52:24 AM",01H65P81VTDWS403SH4ZN0JS9T_0,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 4:52:37 AM",STAR,"7/25/2023, 4:52:37 
AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED, /usr/lib/systemd/systemd --switched-root --system --deserialize 22,,d00e622d514a3351de5cede74496dd50c65fbabb,,/usr/lib/systemd/systemd,,unknown,systemd,1,"7/24/2023, 4:49:44 AM",,unknown,,, /usr/local/demisto/d1_Test2/d1,,27141d28091ab8527a01da1f02a2e8cf5a2bc95a,,/usr/local/demisto/d1_Test2/d1,,unknown,d1,1279,"7/24/2023, 4:50:27 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.2,22,OUTGOING,2.2.2.2,12,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738442842154293,Undefined,"7/25/2023, 5:49:10 AM",01H65SG50RP78BRBAJ4ZGDQGGF_10,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:16 AM",STAR,"7/25/2023, 5:49:16 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\System32\svchost.exe -k netprofm -p -s 
netprofm,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,2084,"7/17/2023, 10:22:47 AM",D83C0EF580778F51,sys_win32,D73C0EF580778F51,NT AUTHORITY\NETWORK SERVICE,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.3,23,OUTGOING,2.2.2.3,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738444335326608,Undefined,"7/25/2023, 5:49:14 AM",01H65SGAGCE4JDGCGC1GCKNT9S_22,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:16 AM",STAR,"7/25/2023, 5:49:16 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\System32\svchost.exe -k utcsvc -p,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,4604,"7/17/2023, 10:22:49 AM",553D0EF580778F51,sys_win32,543D0EF580778F51,NT 
AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.4,23,OUTGOING,2.2.2.4,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738445736224238,Undefined,"7/25/2023, 5:49:09 AM",01H65SG2PQ023350V5K0TTCRKP_16,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:16 AM",STAR,"7/25/2023, 5:49:16 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,sihost.exe,e5a23407-157b-23f3-c244-1d412163e4ee,e8d9750e757e5b580c56521a81ed0cc41d327d82,51eb6455bdca85d3102a00b1ce89969016efc3ed8b08b24a2aa10e03ba1e2b13,C:\Windows\System32\sihost.exe,MICROSOFT WINDOWS,medium,sihost.exe,3160,"7/21/2023, 4:49:44 AM",9C8612F580778F51,sys_win32,9B8612F580778F51,CLO007\Crest,"""C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca",0d7ce0d4-741a-a223-0f5a-618a796f4739,f456a426618804abec06fd5883219c4c6eace180,8b5b969143e22d8f27d919948e30aff8594c15c3c69b42bbafa23551e1dc0c68,C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe,MICROSOFT WINDOWS,low,SearchHost.exe,1160,"7/21/2023, 4:49:46 AM",CD8712F580778F51,sys_win32,CC8712F580778F51,CLO007\Crest,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 
AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.5,23,OUTGOING,2.2.2.5,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738460617615382,Undefined,"7/25/2023, 5:49:14 AM",01H65SGAGCE4JDGCGC1GCKNT9S_32,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:18 AM",STAR,"7/25/2023, 5:49:18 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\system32\svchost.exe -k NetworkService -p,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,1576,"7/17/2023, 10:22:47 AM",B83C0EF580778F51,sys_win32,B73C0EF580778F51,NT AUTHORITY\NETWORK SERVICE,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 
6:00:06 AM",,,,,,,,1.1.1.6,23,OUTGOING,2.2.2.6,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738491395419873,Undefined,"7/25/2023, 5:49:11 AM",01H65SG9CAMBQHFPH0TJD6EYXN_425,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:22 AM",STAR,"7/25/2023, 5:49:22 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,"""C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.82\msedgewebview2.exe"" --embedded-browser-webview=1 --webview-exe-name=msteams.exe --webview-exe-version=23119.303.2080.2726 --user-data-dir=""C:\Users\Crest\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView"" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --edge-webview-custom-scheme --disable-features=MojoIpcz,msWebOOUI --edge-webview-is-background --enable-features=msSingleSignOnOSForPrimaryAccountIsShared,msEdgeFluentOverlayScrollbar,msWebView2CodeCache,msWebView2EnableDraggableRegions --mojo-named-platform-channel-pipe=9452.304.14872043078598792820 /pfhostedapp:e7e952ed836442a682dca713cb7c4d91d21a087a",0f259745-8e7a-c81b-049d-45ef5b291246,bbd88a2a41c94d4140ccaef71bfb771e0ccc5c32,0ce0ef234aba4bf60f1c48a058ce764d52e91078e95312de4db4b0911f4cc7d4,C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.82\msedgewebview2.exe,MICROSOFT CORPORATION,medium,msedgewebview2.exe,7280,"7/25/2023, 5:36:56 AM",C9B312F580778F51,sys_win32,CFB512F580778F51,CLO007\Crest,"""C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.82\msedgewebview2.exe"" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs 
--user-data-dir=""C:\Users\Crest\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView"" --webview-exe-name=msteams.exe --webview-exe-version=23119.303.2080.2726 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --edge-webview-custom-scheme --mojo-platform-channel-handle=2072 --field-trial-handle=1892,i,4999416576109179693,17961817705433260896,262144 --enable-features=msEdgeFluentOverlayScrollbar,msSingleSignOnOSForPrimaryAccountIsShared,msWebView2CodeCache,msWebView2EnableDraggableRegions --disable-features=MojoIpcz,msWebOOUI /prefetch:3 /pfhostedapp:e7e952ed836442a682dca713cb7c4d91d21a087a",0f259745-8e7a-c81b-049d-45ef5b291246,bbd88a2a41c94d4140ccaef71bfb771e0ccc5c32,0ce0ef234aba4bf60f1c48a058ce764d52e91078e95312de4db4b0911f4cc7d4,C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.82\msedgewebview2.exe,MICROSOFT CORPORATION,medium,msedgewebview2.exe,4144,"7/25/2023, 5:36:56 AM",C9B312F580778F51,sys_win32,EAB512F580778F51,CLO007\Crest,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.7,23,OUTGOING,2.2.2.7,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738492846649072,Undefined,"7/25/2023, 5:49:10 AM",01H65SG50RP78BRBAJ4ZGDQGGF_8,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:22 AM",STAR,"7/25/2023, 5:49:22 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP 
Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\system32\svchost.exe -k NetworkService -p,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,2692,"7/17/2023, 10:22:48 AM",FC3C0EF580778F51,sys_win32,FB3C0EF580778F51,NT AUTHORITY\NETWORK SERVICE,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.8,23,OUTGOING,2.2.2.8,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738499473649861,Undefined,"7/25/2023, 5:49:14 AM",01H65SGAGCE4JDGCGC1GCKNT9S_3,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:23 AM",STAR,"7/25/2023, 5:49:23 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 
AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\System32\svchost.exe -k NetworkService -p,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,8620,"7/17/2023, 10:33:11 AM",4E4B0EF580778F51,sys_win32,4D4B0EF580778F51,NT AUTHORITY\NETWORK SERVICE,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.9,23,OUTGOING,2.2.2.9,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738500874547448,Undefined,"7/25/2023, 5:49:11 AM",01H65SG9CAMBQHFPH0TJD6EYXN_432,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:23 AM",STAR,"7/25/2023, 5:49:23 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,sihost.exe,e5a23407-157b-23f3-c244-1d412163e4ee,e8d9750e757e5b580c56521a81ed0cc41d327d82,51eb6455bdca85d3102a00b1ce89969016efc3ed8b08b24a2aa10e03ba1e2b13,C:\Windows\System32\sihost.exe,MICROSOFT WINDOWS,medium,sihost.exe,13788,"7/25/2023, 5:36:13 AM",B2B112F580778F51,sys_win32,B1B112F580778F51,CLO007\Crest,"""C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"" 
-ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca",4bd84472-eca2-b69a-0391-f61fa50d0f31,0ca4bcd60601ec0d8602d4f5994cb0393edb892b,c1fc7f6cb2228ee6386d91f27f1a61ae60a63deefb21d78bb810b7f027f1a489,C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe,MICROSOFT WINDOWS,low,StartMenuExperienceHost.exe,4524,"7/25/2023, 5:36:15 AM",B5B212F580778F51,sys_win32,B4B212F580778F51,CLO007\Crest,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.10,23,OUTGOING,2.2.2.10,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738502325776707,Undefined,"7/25/2023, 5:49:14 AM",01H65SGAGCE4JDGCGC1GCKNT9S_29,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:23 AM",STAR,"7/25/2023, 5:49:23 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT 
WINDOWS,system,svchost.exe,10972,"7/25/2023, 5:28:16 AM",09AB12F580778F51,sys_win32,08AB12F580778F51,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.11,23,OUTGOING,2.2.2.11,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738511318364930,Undefined,"7/25/2023, 5:49:11 AM",01H65SG9CAMBQHFPH0TJD6EYXN_434,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:24 AM",STAR,"7/25/2023, 5:49:24 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,1752,"7/17/2023, 10:22:47 AM",C43C0EF580778F51,sys_win32,C33C0EF580778F51,NT AUTHORITY\SYSTEM,"""C:\Windows\system32\wermgr.exe"" -upload",b2eb37f1-bd88-302c-2f15-0217722a8c9f,d8e0c1e1ad99a38f3a84414d5af7b761bf0eb924,a4c41c6c4e1d0fadc9bd3313a3d0e329517f400bd8908dd8c70ac69758e60875,C:\Windows\System32\wermgr.exe,MICROSOFT WINDOWS,system,wermgr.exe,5488,"7/25/2023, 5:37:03 AM",34B612F580778F51,sys_win32,33B612F580778F51,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 
AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:00:06 AM",,,,,,,,1.1.1.12,23,OUTGOING,2.2.2.12,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736738514782860324,Undefined,"7/25/2023, 5:49:14 AM",01H65SGAGCE4JDGCGC1GCKNT9S_9,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 5:49:24 AM",STAR,"7/25/2023, 5:49:24 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,11436,"7/25/2023, 5:34:08 AM",FEAE12F580778F51,sys_win32,FDAE12F580778F51,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 
6:40:04 AM",,,,,,,,1.1.1.13,23,OUTGOING,2.2.2.13,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736756505571408611,Undefined,"7/25/2023, 6:24:58 AM",01H65VHMRC71Y2GK2M458J2WMW_15,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 6:25:09 AM",STAR,"7/25/2023, 6:25:09 AM",1736743171400115521,CWL547,1,events,"EndpointName = ""CLO007""",account,Medium,UNDEFINED,C:\Windows\system32\services.exe,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,C:\Windows\System32\services.exe,MICROSOFT WINDOWS PUBLISHER,system,services.exe,8,"7/17/2023, 10:22:47 AM",433C0EF580778F51,sys_win32,423C0EF580778F51,NT AUTHORITY\SYSTEM,C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,2084,"7/17/2023, 10:22:47 AM",D83C0EF580778F51,sys_win32,D73C0EF580778F51,NT AUTHORITY\NETWORK SERVICE,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 6:40:04 AM",,,,,,,,1.1.1.14,23,OUTGOING,2.2.2.14,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736757508513437640,Undefined,"7/25/2023, 6:27:00 
AM",01H65VN9YVSBR9FGDK3RJX7NKK_10,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 6:27:09 AM",STAR,"7/25/2023, 6:27:09 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,C:\Windows\System32\svchost.exe,MICROSOFT WINDOWS,system,svchost.exe,1752,"7/17/2023, 10:22:47 AM",C43C0EF580778F51,sys_win32,C33C0EF580778F51,NT AUTHORITY\SYSTEM,taskhostw.exe,4887a65f-d4f6-598a-f498-6cbc1c0e5488,0882f3f9947405bb80c2e830adf69af85c9b51c7,82472a84bcbb4009add338200f8e853fe4c5eafe2e2c3a2d711b85bf29b72d54,C:\Windows\System32\taskhostw.exe,MICROSOFT WINDOWS,system,taskhostw.exe,8648,"7/25/2023, 6:26:34 AM",24DB12F580778F51,sys_win32,23DB12F580778F51,NT AUTHORITY\SYSTEM,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 10:30:03 AM",,,,,,,,1.1.1.15,23,OUTGOING,2.2.2.15,14,,,,,,,,,,,,,,,,,,,,,,,,,,75bf528b-1526-ba0d-f9b8-1974a96d2487,75cd7ac1-1fda-d623-2eeb-83dc0120218e,75bf528b-1526-ba0d-f9b8-1974a96d2487,75cd7ad0-4345-18d1-a5b9-d71c6f5dbfd4,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1736872444737646416,Undefined,"7/25/2023, 10:15:22 AM",01H668QFMWS1BRZA6EAHDVWFN0_55,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 10:15:30 AM",STAR,"7/25/2023, 10:15:30 AM",1733309646016098581,IP Connect & IP 
List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED," mount -t nfs -o vers=3,nolock 10.50.3.251: /root/nfsdir",,f6d5066df72ae947089cb3762679c54f61d7c97f,,/usr/bin/mount,,unknown,mount,32168,"7/25/2023, 10:15:07 AM",,unknown,,, /sbin/mount.nfs 10.50.3.251: /root/nfsdir,,2894ddd5adc4c4f89d6171feb966ee8db03e3d48,,/sbin/mount.nfs,,unknown,mount.nfs,32169,"7/25/2023, 10:15:07 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 10:30:03 AM",,,,,,,,1.1.1.16,23,OUTGOING,2.2.2.16,14,,,,,,,,,,,,,,,,,,,,,,,,,,75bf528b-1526-ba0d-f9b8-1974a96d2487,75c81424-5cc1-1e7f-759b-b468bd0aba1c,75bf528b-1526-ba0d-f9b8-1974a96d2487,75c81438-dfdb-a964-e1c3-995f5d9d27d1,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1736872477948148980,Undefined,"7/25/2023, 10:15:22 AM",01H668QFMWS1BRZA6EAHDVWFN0_7,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 10:15:34 AM",STAR,"7/25/2023, 10:15:34 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED," mount -t nfs -o vers=3,nolock 10.50.3.251:/ns2/bucket4/ /root/nfsdir",,f6d5066df72ae947089cb3762679c54f61d7c97f,,/usr/bin/mount,,unknown,mount,32151,"7/25/2023, 10:14:44 AM",,unknown,,, /sbin/mount.nfs 10.50.3.251:/ns2/bucket4/ /root/nfsdir,,2894ddd5adc4c4f89d6171feb966ee8db03e3d48,,/sbin/mount.nfs,,unknown,mount.nfs,32152,"7/25/2023, 10:14:44 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 
12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 10:30:03 AM",,,,,,,,1.1.1.17,23,OUTGOING,2.2.2.17,14,,,,,,,,,,,,,,,,,,,,,,,,,,75bf528b-1526-ba0d-f9b8-1974a96d2487,75cb6e81-9423-24c7-acca-7e20e111bbad,75bf528b-1526-ba0d-f9b8-1974a96d2487,75cb6e91-9565-7ee1-8767-b8a1f763de24,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1736872503055255672,Undefined,"7/25/2023, 10:15:22 AM",01H668QFMWS1BRZA6EAHDVWFN0_15,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 10:15:37 AM",STAR,"7/25/2023, 10:15:37 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED," mount -t nfs -o vers=3,nolock 10.50.3.251:/ns2/bucket4 /root/nfsdir",,f6d5066df72ae947089cb3762679c54f61d7c97f,,/usr/bin/mount,,unknown,mount,32157,"7/25/2023, 10:14:59 AM",,unknown,,, /sbin/mount.nfs 10.50.3.251:/ns2/bucket4 /root/nfsdir,,2894ddd5adc4c4f89d6171feb966ee8db03e3d48,,/sbin/mount.nfs,,unknown,mount.nfs,32158,"7/25/2023, 10:14:59 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 10:30:03 
AM",,,,,,,,1.1.1.18,23,OUTGOING,2.2.2.18,14,,,,,,,,,,,,,,,,,,,,,,,,,,75bf528b-1526-ba0d-f9b8-1974a96d2487,75cc5c9d-5f8f-28b3-b1fa-4ffaff168531,75bf528b-1526-ba0d-f9b8-1974a96d2487,75cc5cb4-12a0-4cb0-cb0c-5678f97e3718,,,server,cent7,linux,Linux,CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64,6a01777a-1992-45e9-ae8c-5dcfd4475f87,23.1.2.9,1713059693172741297,FALSE,TRUE,FALSE,server,cent7,linux,6a01777a-1992-45e9-ae8c-5dcfd4475f87,1736872508449131071,Undefined,"7/25/2023, 10:15:22 AM",01H668QFMWS1BRZA6EAHDVWFN0_51,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 10:15:38 AM",STAR,"7/25/2023, 10:15:38 AM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED," mount -t nfs -o vers=3,nolock 10.50.3.251:/ns2/ /root/nfsdir",,f6d5066df72ae947089cb3762679c54f61d7c97f,,/usr/bin/mount,,unknown,mount,32166,"7/25/2023, 10:15:03 AM",,unknown,,, /sbin/mount.nfs 10.50.3.251:/ns2/ /root/nfsdir,,2894ddd5adc4c4f89d6171feb966ee8db03e3d48,,/sbin/mount.nfs,,unknown,mount.nfs,32167,"7/25/2023, 10:15:03 AM",,unknown,,,"1/1/1970, 12:00:00 AM",,,,unsigned,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 2:00:04 PM",,,,,,,,1.1.1.19,23,OUTGOING,2.2.2.19,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736978424395258117,Undefined,"7/25/2023, 1:45:59 PM",01H66MS4AHVPK6ZSZA1W047SMR_278,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 1:46:04 PM",STAR,"7/25/2023, 1:46:04 PM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP 
Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Windows\Explorer.EXE,357b678c-68d3-d5ee-86e1-b706fbfd994b,a4e4e2bc502e4ab249b219da357d1aad163ab175,8375581b32e510a1ddf90b1ff8ffb8a756d71e1d5572b1c7c027e9b7393ccd3b,C:\Windows\explorer.exe,MICROSOFT WINDOWS,medium,explorer.exe,14472,"7/25/2023, 5:42:20 AM",FEBB12F580778F51,sys_win32,FDBB12F580778F51,CLO007\Crest,C:\Windows\System32\smartscreen.exe -Embedding,8b71524d-b619-2b9a-1967-1156e27b1826,4549fabd13aaf136087a4501682eb2559eaafdbb,83c9bd1ff0dd424a841cd1b22993e09e16d1339501070613236b0d1f8bff92bc,C:\Windows\System32\smartscreen.exe,MICROSOFT WINDOWS,medium,smartscreen.exe,14528,"7/25/2023, 1:45:28 PM",E0E912F580778F51,sys_win32,DFE912F580778F51,CLO007\Crest,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 2:00:04 PM",,,,,,,,1.1.1.20,23,OUTGOING,2.2.2.20,14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,laptop,CLO007,windows,Windows 11 Pro,22621,f25c1ccd-5039-4dcf-812e-79a2aede6358,23.1.2.400,1730979466865875730,FALSE,TRUE,FALSE,laptop,CLO007,windows,f25c1ccd-5039-4dcf-812e-79a2aede6358,1736978447346490503,Undefined,"7/25/2023, 1:45:59 PM",01H66MS4AHVPK6ZSZA1W047SMR_22,TCPV4,Events,Unresolved,TRUE,"7/25/2023, 1:46:07 PM",STAR,"7/25/2023, 1:46:07 PM",1733309646016098581,IP Connect & IP List,1,events,"EventType = ""IP Connect"" OR EventType = ""IP Listen""",account,Low,UNDEFINED,C:\Users\Crest\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 
/SetPerProcessSystemDPIForceOffKey /EnableNucleusAutoStartFix,8d5ca829-19d6-6439-685d-dd97dca650c6,81c0122bc0adc75ce71912504b8d72825aecad35,7dfe00a315c1e6956eb32c9d12fc809998590d15de1820b34b6d9ca7aa109b88,C:\Users\Crest\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe,MICROSOFT CORPORATION,medium,OneDriveSetup.exe,5412,"7/25/2023, 5:46:58 AM",70BC12F580778F51,sys_win32,19BF12F580778F51,CLO007\Crest, /updateInstalled /background,174826c7-8c0a-a36d-a145-7e711e4c9e80,56ee9857c7a0643d6f6d5e56c3f4689bb1499829,159e208d7211b71b5dad89771bf1fc047de839bcb8e68475f248a051d2ebaa02,C:\Users\Crest\AppData\Local\Microsoft\OneDrive\OneDrive.exe,MICROSOFT CORPORATION,medium,OneDrive.exe,2204,"7/25/2023, 5:47:11 AM",70BC12F580778F51,sys_win32,42CD12F580778F51,CLO007\Crest,"1/1/1970, 12:00:00 AM",,,,signed,"1/1/1970, 12:00:00 AM",,unknown,"1/1/1970, 12:00:00 AM",,,,,,,,,,,,,,1712500237934148927,,,,,,,,,,,,,,,,1712500242422055104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Alerts.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, \ No newline at end of file diff --git a/Sample Data/ASIM/SentinelOne_ASimNetworkSession_RawLogs.json b/Sample Data/ASIM/SentinelOne_ASimNetworkSession_RawLogs.json new file mode 100644 index 00000000000..7155625710d --- /dev/null +++ b/Sample Data/ASIM/SentinelOne_ASimNetworkSession_RawLogs.json 
@@ -0,0 +1,6042 @@ +[ + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 5:10:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "0f81ec00-9e52-48e6-b899-eb3bbeede741", + "alertInfo_dstIp": "1.1.1.1", + "alertInfo_dstPort": 21, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.1", + "alertInfo_srcPort": 11, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "73ffd9f9-7430-51bf-89fd-275f31272868", + "targetProcessInfo_tgtProcUid": "73ffdf8e-0a44-5079-fd74-243fc15cbe7e", + "sourceParentProcessInfo_storyline": "73ffdf8e-0a44-5079-fd74-243fc15cbe7c", + "sourceParentProcessInfo_uniqueId": "73ffdf8e-0a44-5079-fd74-243fc15cbe7d", + "sourceProcessInfo_storyline": "73ffdf8e-0a33-5079-fd74-243fc15cbe7c", + "sourceProcessInfo_uniqueId": "73ffdf8e-0a22-5079-fd74-243fc15cbe7c", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": 
"Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1736709934432915500, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 4:52:24 AM", + "alertInfo_dvEventId": "01H65P81VTDWS403SH4ZN0JS9T_0", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 4:52:37 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 4:52:37 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/lib/systemd/systemd --switched-root --system --deserialize 22", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "d00e622d514a3351de5cede74496dd50c65fbabb", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/lib/systemd/systemd", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "systemd", + "sourceParentProcessInfo_pid": 1, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/24/2023, 
4:49:44 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/local/demisto/d1_Test2/d1", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "27141d28091ab8527a01da1f02a2e8cf5a2bc95a", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/local/demisto/d1_Test2/d1", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "d1", + "sourceProcessInfo_pid": 1279, + "sourceProcessInfo_pidStarttime [UTC]": "7/24/2023, 4:50:27 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + 
"agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + 
"threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": 
"", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "AC644457DCBAD901", + "alertInfo_dstIp": "1.1.1.2", + "alertInfo_dstPort": 22, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.2", + "alertInfo_srcPort": 12, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "FB4511F580778F51", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + 
"alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "433C0EF580778F52", + "targetProcessInfo_tgtProcUid": "433C0EF580778F53", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "D83C0EF580778F51", + "sourceProcessInfo_uniqueId": "D73C0EF580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738442842154200, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:10 AM", + "alertInfo_dvEventId": "01H65SG50RP78BRBAJ4ZGDQGGF_10", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:16 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:16 AM", + "ruleInfo_id": 1733309646016098600, + 
"ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\System32\\svchost.exe -k netprofm -p -s netprofm", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 2084, + "sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\NETWORK SERVICE", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + 
"targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + 
"agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + 
"threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": 
"", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.3", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.3", + "alertInfo_srcPort": 13, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "73ffdfe3-1bbd-6667-6750-684c8ca1c402", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "78d7744d-2837-40d2-aff4-bede5877836e", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "553D0EF580778F51", + "sourceProcessInfo_uniqueId": "543D0EF580778F51", + 
"agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738444335326700, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:14 AM", + "alertInfo_dvEventId": "01H65SGAGCE4JDGCGC1GCKNT9S_22", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:16 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:16 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": 
"MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\System32\\svchost.exe -k utcsvc -p", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 4604, + "sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:49 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": 
"", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + 
"threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + 
"detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.4", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": 
"2.2.2.4", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "svchost.exe,FrameServer", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "9C8612F580778F51", + "sourceParentProcessInfo_uniqueId": "9B8612F580778F51", + "sourceProcessInfo_storyline": "CD8712F580778F51", + "sourceProcessInfo_uniqueId": "CC8712F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738445736224300, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:09 AM", + "alertInfo_dvEventId": 
"01H65SG2PQ023350V5K0TTCRKP_16", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:16 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:16 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "sihost.exe", + "sourceParentProcessInfo_fileHashMd5": "e5a23407-157b-23f3-c244-1d412163e4ee", + "sourceParentProcessInfo_fileHashSha1": "e8d9750e757e5b580c56521a81ed0cc41d327d82", + "sourceParentProcessInfo_fileHashSha256": "51eb6455bdca85d3102a00b1ce89969016efc3ed8b08b24a2aa10e03ba1e2b13", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\sihost.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceParentProcessInfo_integrityLevel": "medium", + "sourceParentProcessInfo_name": "sihost.exe", + "sourceParentProcessInfo_pid": 3160, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/21/2023, 4:49:44 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "CLO007\\Crest", + "sourceProcessInfo_commandline": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\SearchHost.exe\" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca", + "sourceProcessInfo_fileHashMd5": "0d7ce0d4-741a-a223-0f5a-618a796f4739", + "sourceProcessInfo_fileHashSha1": "f456a426618804abec06fd5883219c4c6eace180", + "sourceProcessInfo_fileHashSha256": "8b5b969143e22d8f27d919948e30aff8594c15c3c69b42bbafa23551e1dc0c68", + "sourceProcessInfo_filePath": 
"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\SearchHost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "low", + "sourceProcessInfo_name": "SearchHost.exe", + "sourceProcessInfo_pid": 1160, + "sourceProcessInfo_pidStarttime [UTC]": "7/21/2023, 4:49:46 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "CLO007\\Crest", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + 
"agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + 
"threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": 
"", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.5", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.5", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + 
"targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "B83C0EF580778F51", + "sourceProcessInfo_uniqueId": "B73C0EF580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738460617615400, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:14 AM", + "alertInfo_dvEventId": "01H65SGAGCE4JDGCGC1GCKNT9S_32", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:18 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:18 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": 
"C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\system32\\svchost.exe -k NetworkService -p", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 1576, + "sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\NETWORK SERVICE", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + 
"targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", 
+ "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + 
"secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": 
"1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.6", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.6", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "C9B312F580778F51", + "sourceParentProcessInfo_uniqueId": "CFB512F580778F51", + "sourceProcessInfo_storyline": "C9B312F580778F51", + "sourceProcessInfo_uniqueId": "EAB512F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + 
"agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738491395420000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:11 AM", + "alertInfo_dvEventId": "01H65SG9CAMBQHFPH0TJD6EYXN_425", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:22 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:22 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\114.0.1823.82\\msedgewebview2.exe\" --embedded-browser-webview=1 --webview-exe-name=msteams.exe --webview-exe-version=23119.303.2080.2726 --user-data-dir=\"C:\\Users\\Crest\\AppData\\Local\\Packages\\MicrosoftTeams_8wekyb3d8bbwe\\LocalCache\\Microsoft\\MSTeams\\EBWebView\" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --edge-webview-custom-scheme --disable-features=MojoIpcz,msWebOOUI --edge-webview-is-background --enable-features=msSingleSignOnOSForPrimaryAccountIsShared,msEdgeFluentOverlayScrollbar,msWebView2CodeCache,msWebView2EnableDraggableRegions --mojo-named-platform-channel-pipe=9452.304.14872043078598792820 /pfhostedapp:e7e952ed836442a682dca713cb7c4d91d21a087a", + "sourceParentProcessInfo_fileHashMd5": 
"0f259745-8e7a-c81b-049d-45ef5b291246", + "sourceParentProcessInfo_fileHashSha1": "bbd88a2a41c94d4140ccaef71bfb771e0ccc5c32", + "sourceParentProcessInfo_fileHashSha256": "0ce0ef234aba4bf60f1c48a058ce764d52e91078e95312de4db4b0911f4cc7d4", + "sourceParentProcessInfo_filePath": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\114.0.1823.82\\msedgewebview2.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT CORPORATION", + "sourceParentProcessInfo_integrityLevel": "medium", + "sourceParentProcessInfo_name": "msedgewebview2.exe", + "sourceParentProcessInfo_pid": 7280, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:36:56 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "CLO007\\Crest", + "sourceProcessInfo_commandline": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\114.0.1823.82\\msedgewebview2.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir=\"C:\\Users\\Crest\\AppData\\Local\\Packages\\MicrosoftTeams_8wekyb3d8bbwe\\LocalCache\\Microsoft\\MSTeams\\EBWebView\" --webview-exe-name=msteams.exe --webview-exe-version=23119.303.2080.2726 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --edge-webview-custom-scheme --mojo-platform-channel-handle=2072 --field-trial-handle=1892,i,4999416576109179693,17961817705433260896,262144 --enable-features=msEdgeFluentOverlayScrollbar,msSingleSignOnOSForPrimaryAccountIsShared,msWebView2CodeCache,msWebView2EnableDraggableRegions --disable-features=MojoIpcz,msWebOOUI /prefetch:3 /pfhostedapp:e7e952ed836442a682dca713cb7c4d91d21a087a", + "sourceProcessInfo_fileHashMd5": "0f259745-8e7a-c81b-049d-45ef5b291246", + "sourceProcessInfo_fileHashSha1": "bbd88a2a41c94d4140ccaef71bfb771e0ccc5c32", + "sourceProcessInfo_fileHashSha256": "0ce0ef234aba4bf60f1c48a058ce764d52e91078e95312de4db4b0911f4cc7d4", + "sourceProcessInfo_filePath": 
"C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\114.0.1823.82\\msedgewebview2.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT CORPORATION", + "sourceProcessInfo_integrityLevel": "medium", + "sourceProcessInfo_name": "msedgewebview2.exe", + "sourceProcessInfo_pid": 4144, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:36:56 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "CLO007\\Crest", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": 
"", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": 
"", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + 
"mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.7", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.7", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": 
"", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "FC3C0EF580778F51", + "sourceProcessInfo_uniqueId": "FB3C0EF580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738492846649000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:10 AM", + "alertInfo_dvEventId": "01H65SG50RP78BRBAJ4ZGDQGGF_8", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:22 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:22 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": 
"C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\system32\\svchost.exe -k NetworkService -p", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 2692, + "sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:48 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\NETWORK SERVICE", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + 
"targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", 
+ "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + 
"secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": 
"1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.8", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.8", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "4E4B0EF580778F51", + "sourceProcessInfo_uniqueId": "4D4B0EF580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + 
"agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736738499473650000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:14 AM", + "alertInfo_dvEventId": "01H65SGAGCE4JDGCGC1GCKNT9S_3", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:23 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:23 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": 
"C:\\Windows\\System32\\svchost.exe -k NetworkService -p", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 8620, + "sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:33:11 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\NETWORK SERVICE", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + 
"agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + 
"threatInfo_fileExtension": "",
+ "threatInfo_fileExtensionType": "",
+ "threatInfo_filePath": "",
+ "threatInfo_fileSize": "",
+ "threatInfo_fileVerificationType": "",
+ "threatInfo_identifiedAt [UTC]": "",
+ "threatInfo_incidentStatus": "",
+ "threatInfo_incidentStatusDescription": "",
+ "threatInfo_initiatedBy": "",
+ "threatInfo_initiatedByDescription": "",
+ "threatInfo_isFileless": "",
+ "threatInfo_isValidCertificate": "",
+ "threatInfo_mitigatedPreemptively": "",
+ "threatInfo_mitigationStatus": "",
+ "threatInfo_mitigationStatusDescription": "",
+ "threatInfo_originatorProcess": "",
+ "threatInfo_pendingActions": "",
+ "threatInfo_processUser": "",
+ "threatInfo_publisherName": "",
+ "threatInfo_reachedEventsLimit": "",
+ "threatInfo_rebootRequired": "",
+ "threatInfo_sha1": "",
+ "threatInfo_storyline": "",
+ "threatInfo_threatId": "",
+ "threatInfo_threatName": "",
+ "threatInfo_updatedAt [UTC]": "",
+ "whiteningOptions": "",
+ "threatInfo_maliciousProcessArguments": "",
+ "accountId": "",
+ "accountName": "",
+ "activityType": "",
+ "activityUuid": "",
+ "createdAt [UTC]": "",
+ "id": "",
+ "primaryDescription": "",
+ "secondaryDescription": "",
+ "siteId": "",
+ "siteName": "",
+ "updatedAt [UTC]": "",
+ "userId": "",
+ "event_name": "Alerts.",
+ "DataFields": "",
+ "description": "",
+ "comments": "",
+ "activeDirectory_computerMemberOf": "",
+ "activeDirectory_lastUserMemberOf": "",
+ "activeThreats": "",
+ "agentVersion": "",
+ "allowRemoteShell": "",
+ "appsVulnerabilityStatus": "",
+ "computerName": "",
+ "consoleMigrationStatus": "",
+ "coreCount": "",
+ "cpuCount": "",
+ "cpuId": "",
+ "detectionState": "",
+ "domain": "",
+ "encryptedApplications": "",
+ "externalId": "",
+ "externalIp": "",
+ "firewallEnabled": "",
+ "firstFullModeTime [UTC]": "",
+ "fullDiskScanLastUpdatedAt [UTC]": "",
+ "groupId": "",
+ "groupIp": "",
+ "groupName": "",
+ "inRemoteShellSession": "",
+ "infected": "",
+ "installerType": "",
+ "isActive": "",
+ "isDecommissioned": "",
+ "isPendingUninstall": "",
+ "isUninstalled": "",
+ "isUpToDate": "",
+ "lastActiveDate [UTC]": "",
+ "lastIpToMgmt": "",
+ "lastLoggedInUserName": "",
+ "licenseKey": "",
+ "locationEnabled": "",
+ "locationType": "",
+ "locations": "",
+ "machineType": "",
+ "mitigationMode": "",
+ "mitigationModeSuspicious": "",
+ "modelName": "",
+ "networkInterfaces": "",
+ "networkQuarantineEnabled": "",
+ "networkStatus": "",
+ "operationalState": "",
+ "osArch": "",
+ "osName": "",
+ "osRevision": "",
+ "osStartTime [UTC]": "",
+ "osType": "",
+ "rangerStatus": "",
+ "rangerVersion": "",
+ "registeredAt [UTC]": "",
+ "remoteProfilingState": "",
+ "scanFinishedAt [UTC]": "",
+ "scanStartedAt [UTC]": "",
+ "scanStatus": "",
+ "serialNumber": "",
+ "showAlertIcon": "",
+ "tags_sentinelone": "",
+ "threatRebootRequired": "",
+ "totalMemory": "",
+ "userActionsNeeded": "",
+ "uuid": "",
+ "osUsername": "",
+ "scanAbortedAt [UTC]": "",
+ "activeDirectory_computerDistinguishedName": "",
+ "activeDirectory_lastUserDistinguishedName": "",
+ "Type": "SentinelOne_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM",
+ "Computer": "",
+ "RawData": "",
+ "alertInfo_indicatorDescription": "",
+ "alertInfo_indicatorName": "",
+ "targetProcessInfo_tgtFileOldPath": "",
+ "alertInfo_indicatorCategory": "",
+ "alertInfo_registryOldValue": "",
+ "alertInfo_dstIp": "1.1.1.9",
+ "alertInfo_dstPort": 23,
+ "alertInfo_netEventDirection": "OUTGOING",
+ "alertInfo_srcIp": "2.2.2.9",
+ "alertInfo_srcPort": 14,
+ "containerInfo_id": "",
+ "targetProcessInfo_tgtFileId": "",
+ "alertInfo_registryOldValueType": "",
+ "alertInfo_dnsRequest": "",
+ "alertInfo_dnsResponse": "",
+ "alertInfo_registryKeyPath": "",
+ "alertInfo_registryPath": "",
+ "alertInfo_registryValue": "",
+ "ruleInfo_description": "",
+ "alertInfo_loginAccountDomain": "",
+ "alertInfo_loginAccountSid": "",
+ "alertInfo_loginIsAdministratorEquivalent": "",
+ "alertInfo_loginIsSuccessful": "",
+ "alertInfo_loginType": "",
+ "alertInfo_loginsUserName": "",
+ "alertInfo_srcMachineIp": "",
+ "targetProcessInfo_tgtProcCmdLine": "",
+ "targetProcessInfo_tgtProcImagePath": "",
+ "targetProcessInfo_tgtProcName": "",
+ "targetProcessInfo_tgtProcPid": "",
+ "targetProcessInfo_tgtProcSignedStatus": "",
+ "targetProcessInfo_tgtProcStorylineId": "",
+ "targetProcessInfo_tgtProcUid": "",
+ "sourceParentProcessInfo_storyline": "B2B112F580778F51",
+ "sourceParentProcessInfo_uniqueId": "B1B112F580778F51",
+ "sourceProcessInfo_storyline": "B5B212F580778F51",
+ "sourceProcessInfo_uniqueId": "B4B212F580778F51",
+ "agentDetectionInfo_machineType": "laptop",
+ "agentDetectionInfo_name": "CLO007",
+ "agentDetectionInfo_osFamily": "windows",
+ "agentDetectionInfo_osName": "Windows 11 Pro",
+ "agentDetectionInfo_osRevision": 22621,
+ "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358",
+ "agentDetectionInfo_version": "23.1.2.400",
+ "agentRealtimeInfo_id": 1730979466865875700,
+ "agentRealtimeInfo_infected": "FALSE",
+ "agentRealtimeInfo_isActive": "TRUE",
+ "agentRealtimeInfo_isDecommissioned": "FALSE",
+ "agentRealtimeInfo_machineType": "laptop",
+ "agentRealtimeInfo_name": "CLO007",
+ "agentRealtimeInfo_os": "windows",
+ "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358",
+ "alertInfo_alertId": 1736738500874547500,
+ "alertInfo_analystVerdict": "Undefined",
+ "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:11 AM",
+ "alertInfo_dvEventId": "01H65SG9CAMBQHFPH0TJD6EYXN_432",
+ "alertInfo_eventType": "TCPV4",
+ "alertInfo_hitType": "Events",
+ "alertInfo_incidentStatus": "Unresolved",
+ "alertInfo_isEdr": "TRUE",
+ "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:23 AM",
+ "alertInfo_source": "STAR",
+ "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:23 AM",
+ "ruleInfo_id": 1733309646016098600,
+ "ruleInfo_name": "IP Connect & IP List",
+ "ruleInfo_queryLang": 1,
+ "ruleInfo_queryType": "events",
+ "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen",
+ "ruleInfo_scopeLevel": "account",
+ "ruleInfo_severity": "Low",
+ "ruleInfo_treatAsThreat": "UNDEFINED",
+ "sourceParentProcessInfo_commandline": "sihost.exe",
+ "sourceParentProcessInfo_fileHashMd5": "e5a23407-157b-23f3-c244-1d412163e4ee",
+ "sourceParentProcessInfo_fileHashSha1": "e8d9750e757e5b580c56521a81ed0cc41d327d82",
+ "sourceParentProcessInfo_fileHashSha256": "51eb6455bdca85d3102a00b1ce89969016efc3ed8b08b24a2aa10e03ba1e2b13",
+ "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\sihost.exe",
+ "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS",
+ "sourceParentProcessInfo_integrityLevel": "medium",
+ "sourceParentProcessInfo_name": "sihost.exe",
+ "sourceParentProcessInfo_pid": 13788,
+ "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:36:13 AM",
+ "sourceParentProcessInfo_subsystem": "sys_win32",
+ "sourceParentProcessInfo_user": "CLO007\\Crest",
+ "sourceProcessInfo_commandline": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost.exe\" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca",
+ "sourceProcessInfo_fileHashMd5": "4bd84472-eca2-b69a-0391-f61fa50d0f31",
+ "sourceProcessInfo_fileHashSha1": "0ca4bcd60601ec0d8602d4f5994cb0393edb892b",
+ "sourceProcessInfo_fileHashSha256": "c1fc7f6cb2228ee6386d91f27f1a61ae60a63deefb21d78bb810b7f027f1a489",
+ "sourceProcessInfo_filePath": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost.exe",
+ "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS",
+ "sourceProcessInfo_integrityLevel": "low",
+ "sourceProcessInfo_name": "StartMenuExperienceHost.exe",
+ "sourceProcessInfo_pid": 4524,
+ "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:36:15 AM",
+ "sourceProcessInfo_subsystem": "sys_win32",
+ "sourceProcessInfo_user": "CLO007\\Crest",
+ "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFileHashSha1": "",
+ "targetProcessInfo_tgtFileHashSha256": "",
+ "targetProcessInfo_tgtFileIsSigned": "signed",
+ "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFilePath": "",
+ "targetProcessInfo_tgtProcIntegrityLevel": "unknown",
+ "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM",
+ "agentUpdatedVersion": "",
+ "agentId": "",
+ "hash": "",
+ "osFamily": "",
+ "threatId": "",
+ "creator": "",
+ "creatorId": "",
+ "inherits": "",
+ "isDefault": "",
+ "name": "",
+ "registrationToken": "",
+ "totalAgents": "",
+ "type": "",
+ "agentDetectionInfo_accountId": 1712500237934148900,
+ "agentDetectionInfo_accountName": "",
+ "agentDetectionInfo_agentDetectionState": "",
+ "agentDetectionInfo_agentDomain": "",
+ "agentDetectionInfo_agentIpV4": "",
+ "agentDetectionInfo_agentIpV6": "",
+ "agentDetectionInfo_agentLastLoggedInUserName": "",
+ "agentDetectionInfo_agentMitigationMode": "",
+ "agentDetectionInfo_agentOsName": "",
+ "agentDetectionInfo_agentOsRevision": "",
+ "agentDetectionInfo_agentRegisteredAt [UTC]": "",
+ "agentDetectionInfo_agentUuid": "",
+ "agentDetectionInfo_agentVersion": "",
+ "agentDetectionInfo_externalIp": "",
+ "agentDetectionInfo_groupId": "",
+ "agentDetectionInfo_groupName": "",
+ "agentDetectionInfo_siteId": 1712500242422055200,
+ "agentDetectionInfo_siteName": "",
+ "agentRealtimeInfo_accountId": "",
+ "agentRealtimeInfo_accountName": "",
+ "agentRealtimeInfo_activeThreats": "",
+ "agentRealtimeInfo_agentComputerName": "",
+ "agentRealtimeInfo_agentDomain": "",
+ "agentRealtimeInfo_agentId": "",
+ "agentRealtimeInfo_agentInfected": "",
+ "agentRealtimeInfo_agentIsActive": "",
+ "agentRealtimeInfo_agentIsDecommissioned": "",
+ "agentRealtimeInfo_agentMachineType": "",
+ "agentRealtimeInfo_agentMitigationMode": "",
+ "agentRealtimeInfo_agentNetworkStatus": "",
+ "agentRealtimeInfo_agentOsName": "",
+ "agentRealtimeInfo_agentOsRevision": "",
+ "agentRealtimeInfo_agentOsType": "",
+ "agentRealtimeInfo_agentUuid": "",
+ "agentRealtimeInfo_agentVersion": "",
+ "agentRealtimeInfo_groupId": "",
+ "agentRealtimeInfo_groupName": "",
+ "agentRealtimeInfo_networkInterfaces": "",
+ "agentRealtimeInfo_operationalState": "",
+ "agentRealtimeInfo_rebootRequired": "",
+ "agentRealtimeInfo_scanFinishedAt [UTC]": "",
+ "agentRealtimeInfo_scanStartedAt [UTC]": "",
+ "agentRealtimeInfo_scanStatus": "",
+ "agentRealtimeInfo_siteId": "",
+ "agentRealtimeInfo_siteName": "",
+ "agentRealtimeInfo_userActionsNeeded": "",
+ "indicators": "",
+ "mitigationStatus": "",
+ "threatInfo_analystVerdict": "",
+ "threatInfo_analystVerdictDescription": "",
+ "threatInfo_automaticallyResolved": "",
+ "threatInfo_certificateId": "",
+ "threatInfo_classification": "",
+ "threatInfo_classificationSource": "",
+ "threatInfo_cloudFilesHashVerdict": "",
+ "threatInfo_collectionId": "",
+ "threatInfo_confidenceLevel": "",
+ "threatInfo_createdAt [UTC]": "",
+ "threatInfo_detectionEngines": "",
+ "threatInfo_detectionType": "",
+ "threatInfo_engines": "",
+ "threatInfo_externalTicketExists": "",
+ "threatInfo_failedActions": "",
+ "threatInfo_fileExtension": "",
+ "threatInfo_fileExtensionType": "",
+ "threatInfo_filePath": "",
+ "threatInfo_fileSize": "",
+ "threatInfo_fileVerificationType": "",
+ "threatInfo_identifiedAt [UTC]": "",
+ "threatInfo_incidentStatus": "",
+ "threatInfo_incidentStatusDescription": "",
+ "threatInfo_initiatedBy": "",
+ "threatInfo_initiatedByDescription": "",
+ "threatInfo_isFileless": "",
+ "threatInfo_isValidCertificate": "",
+ "threatInfo_mitigatedPreemptively": "",
+ "threatInfo_mitigationStatus": "",
+ "threatInfo_mitigationStatusDescription": "",
+ "threatInfo_originatorProcess": "",
+ "threatInfo_pendingActions": "",
+ "threatInfo_processUser": "",
+ "threatInfo_publisherName": "",
+ "threatInfo_reachedEventsLimit": "",
+ "threatInfo_rebootRequired": "",
+ "threatInfo_sha1": "",
+ "threatInfo_storyline": "",
+ "threatInfo_threatId": "",
+ "threatInfo_threatName": "",
+ "threatInfo_updatedAt [UTC]": "",
+ "whiteningOptions": "",
+ "threatInfo_maliciousProcessArguments": "",
+ "accountId": "",
+ "accountName": "",
+ "activityType": "",
+ "activityUuid": "",
+ "createdAt [UTC]": "",
+ "id": "",
+ "primaryDescription": "",
+ "secondaryDescription": "",
+ "siteId": "",
+ "siteName": "",
+ "updatedAt [UTC]": "",
+ "userId": "",
+ "event_name": "Alerts.",
+ "DataFields": "",
+ "description": "",
+ "comments": "",
+ "activeDirectory_computerMemberOf": "",
+ "activeDirectory_lastUserMemberOf": "",
+ "activeThreats": "",
+ "agentVersion": "",
+ "allowRemoteShell": "",
+ "appsVulnerabilityStatus": "",
+ "computerName": "",
+ "consoleMigrationStatus": "",
+ "coreCount": "",
+ "cpuCount": "",
+ "cpuId": "",
+ "detectionState": "",
+ "domain": "",
+ "encryptedApplications": "",
+ "externalId": "",
+ "externalIp": "",
+ "firewallEnabled": "",
+ "firstFullModeTime [UTC]": "",
+ "fullDiskScanLastUpdatedAt [UTC]": "",
+ "groupId": "",
+ "groupIp": "",
+ "groupName": "",
+ "inRemoteShellSession": "",
+ "infected": "",
+ "installerType": "",
+ "isActive": "",
+ "isDecommissioned": "",
+ "isPendingUninstall": "",
+ "isUninstalled": "",
+ "isUpToDate": "",
+ "lastActiveDate [UTC]": "",
+ "lastIpToMgmt": "",
+ "lastLoggedInUserName": "",
+ "licenseKey": "",
+ "locationEnabled": "",
+ "locationType": "",
+ "locations": "",
+ "machineType": "",
+ "mitigationMode": "",
+ "mitigationModeSuspicious": "",
+ "modelName": "",
+ "networkInterfaces": "",
+ "networkQuarantineEnabled": "",
+ "networkStatus": "",
+ "operationalState": "",
+ "osArch": "",
+ "osName": "",
+ "osRevision": "",
+ "osStartTime [UTC]": "",
+ "osType": "",
+ "rangerStatus": "",
+ "rangerVersion": "",
+ "registeredAt [UTC]": "",
+ "remoteProfilingState": "",
+ "scanFinishedAt [UTC]": "",
+ "scanStartedAt [UTC]": "",
+ "scanStatus": "",
+ "serialNumber": "",
+ "showAlertIcon": "",
+ "tags_sentinelone": "",
+ "threatRebootRequired": "",
+ "totalMemory": "",
+ "userActionsNeeded": "",
+ "uuid": "",
+ "osUsername": "",
+ "scanAbortedAt [UTC]": "",
+ "activeDirectory_computerDistinguishedName": "",
+ "activeDirectory_lastUserDistinguishedName": "",
+ "Type": "SentinelOne_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM",
+ "Computer": "",
+ "RawData": "",
+ "alertInfo_indicatorDescription": "",
+ "alertInfo_indicatorName": "",
+ "targetProcessInfo_tgtFileOldPath": "",
+ "alertInfo_indicatorCategory": "",
+ "alertInfo_registryOldValue": "",
+ "alertInfo_dstIp": "1.1.1.10",
+ "alertInfo_dstPort": 23,
+ "alertInfo_netEventDirection": "OUTGOING",
+ "alertInfo_srcIp": "2.2.2.10",
+ "alertInfo_srcPort": 14,
+ "containerInfo_id": "",
+ "targetProcessInfo_tgtFileId": "",
+ "alertInfo_registryOldValueType": "",
+ "alertInfo_dnsRequest": "",
+ "alertInfo_dnsResponse": "",
+ "alertInfo_registryKeyPath": "",
+ "alertInfo_registryPath": "",
+ "alertInfo_registryValue": "",
+ "ruleInfo_description": "",
+ "alertInfo_loginAccountDomain": "",
+ "alertInfo_loginAccountSid": "",
+ "alertInfo_loginIsAdministratorEquivalent": "",
+ "alertInfo_loginIsSuccessful": "",
+ "alertInfo_loginType": "",
+ "alertInfo_loginsUserName": "",
+ "alertInfo_srcMachineIp": "",
+ "targetProcessInfo_tgtProcCmdLine": "",
+ "targetProcessInfo_tgtProcImagePath": "",
+ "targetProcessInfo_tgtProcName": "",
+ "targetProcessInfo_tgtProcPid": "",
+ "targetProcessInfo_tgtProcSignedStatus": "",
+ "targetProcessInfo_tgtProcStorylineId": "",
+ "targetProcessInfo_tgtProcUid": "",
+ "sourceParentProcessInfo_storyline": "433C0EF580778F51",
+ "sourceParentProcessInfo_uniqueId": "423C0EF580778F51",
+ "sourceProcessInfo_storyline": "09AB12F580778F51",
+ "sourceProcessInfo_uniqueId": "08AB12F580778F51",
+ "agentDetectionInfo_machineType": "laptop",
+ "agentDetectionInfo_name": "CLO007",
+ "agentDetectionInfo_osFamily": "windows",
+ "agentDetectionInfo_osName": "Windows 11 Pro",
+ "agentDetectionInfo_osRevision": 22621,
+ "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358",
+ "agentDetectionInfo_version": "23.1.2.400",
+ "agentRealtimeInfo_id": 1730979466865875700,
+ "agentRealtimeInfo_infected": "FALSE",
+ "agentRealtimeInfo_isActive": "TRUE",
+ "agentRealtimeInfo_isDecommissioned": "FALSE",
+ "agentRealtimeInfo_machineType": "laptop",
+ "agentRealtimeInfo_name": "CLO007",
+ "agentRealtimeInfo_os": "windows",
+ "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358",
+ "alertInfo_alertId": 1736738502325776600,
+ "alertInfo_analystVerdict": "Undefined",
+ "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:14 AM",
+ "alertInfo_dvEventId": "01H65SGAGCE4JDGCGC1GCKNT9S_29",
+ "alertInfo_eventType": "TCPV4",
+ "alertInfo_hitType": "Events",
+ "alertInfo_incidentStatus": "Unresolved",
+ "alertInfo_isEdr": "TRUE",
+ "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:23 AM",
+ "alertInfo_source": "STAR",
+ "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:23 AM",
+ "ruleInfo_id": 1733309646016098600,
+ "ruleInfo_name": "IP Connect & IP List",
+ "ruleInfo_queryLang": 1,
+ "ruleInfo_queryType": "events",
+ "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen",
+ "ruleInfo_scopeLevel": "account",
+ "ruleInfo_severity": "Low",
+ "ruleInfo_treatAsThreat": "UNDEFINED",
+ "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe",
+ "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f",
+ "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42",
+ "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb",
+ "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe",
+ "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER",
+ "sourceParentProcessInfo_integrityLevel": "system",
+ "sourceParentProcessInfo_name": "services.exe",
+ "sourceParentProcessInfo_pid": 8,
+ "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM",
+ "sourceParentProcessInfo_subsystem": "sys_win32",
+ "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM",
+ "sourceProcessInfo_commandline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s BITS",
+ "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536",
+ "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81",
+ "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b",
+ "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe",
+ "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS",
+ "sourceProcessInfo_integrityLevel": "system",
+ "sourceProcessInfo_name": "svchost.exe",
+ "sourceProcessInfo_pid": 10972,
+ "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:28:16 AM",
+ "sourceProcessInfo_subsystem": "sys_win32",
+ "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM",
+ "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFileHashSha1": "",
+ "targetProcessInfo_tgtFileHashSha256": "",
+ "targetProcessInfo_tgtFileIsSigned": "signed",
+ "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFilePath": "",
+ "targetProcessInfo_tgtProcIntegrityLevel": "unknown",
+ "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM",
+ "agentUpdatedVersion": "",
+ "agentId": "",
+ "hash": "",
+ "osFamily": "",
+ "threatId": "",
+ "creator": "",
+ "creatorId": "",
+ "inherits": "",
+ "isDefault": "",
+ "name": "",
+ "registrationToken": "",
+ "totalAgents": "",
+ "type": "",
+ "agentDetectionInfo_accountId": 1712500237934148900,
+ "agentDetectionInfo_accountName": "",
+ "agentDetectionInfo_agentDetectionState": "",
+ "agentDetectionInfo_agentDomain": "",
+ "agentDetectionInfo_agentIpV4": "",
+ "agentDetectionInfo_agentIpV6": "",
+ "agentDetectionInfo_agentLastLoggedInUserName": "",
+ "agentDetectionInfo_agentMitigationMode": "",
+ "agentDetectionInfo_agentOsName": "",
+ "agentDetectionInfo_agentOsRevision": "",
+ "agentDetectionInfo_agentRegisteredAt [UTC]": "",
+ "agentDetectionInfo_agentUuid": "",
+ "agentDetectionInfo_agentVersion": "",
+ "agentDetectionInfo_externalIp": "",
+ "agentDetectionInfo_groupId": "",
+ "agentDetectionInfo_groupName": "",
+ "agentDetectionInfo_siteId": 1712500242422055200,
+ "agentDetectionInfo_siteName": "",
+ "agentRealtimeInfo_accountId": "",
+ "agentRealtimeInfo_accountName": "",
+ "agentRealtimeInfo_activeThreats": "",
+ "agentRealtimeInfo_agentComputerName": "",
+ "agentRealtimeInfo_agentDomain": "",
+ "agentRealtimeInfo_agentId": "",
+ "agentRealtimeInfo_agentInfected": "",
+ "agentRealtimeInfo_agentIsActive": "",
+ "agentRealtimeInfo_agentIsDecommissioned": "",
+ "agentRealtimeInfo_agentMachineType": "",
+ "agentRealtimeInfo_agentMitigationMode": "",
+ "agentRealtimeInfo_agentNetworkStatus": "",
+ "agentRealtimeInfo_agentOsName": "",
+ "agentRealtimeInfo_agentOsRevision": "",
+ "agentRealtimeInfo_agentOsType": "",
+ "agentRealtimeInfo_agentUuid": "",
+ "agentRealtimeInfo_agentVersion": "",
+ "agentRealtimeInfo_groupId": "",
+ "agentRealtimeInfo_groupName": "",
+ "agentRealtimeInfo_networkInterfaces": "",
+ "agentRealtimeInfo_operationalState": "",
+ "agentRealtimeInfo_rebootRequired": "",
+ "agentRealtimeInfo_scanFinishedAt [UTC]": "",
+ "agentRealtimeInfo_scanStartedAt [UTC]": "",
+ "agentRealtimeInfo_scanStatus": "",
+ "agentRealtimeInfo_siteId": "",
+ "agentRealtimeInfo_siteName": "",
+ "agentRealtimeInfo_userActionsNeeded": "",
+ "indicators": "",
+ "mitigationStatus": "",
+ "threatInfo_analystVerdict": "",
+ "threatInfo_analystVerdictDescription": "",
+ "threatInfo_automaticallyResolved": "",
+ "threatInfo_certificateId": "",
+ "threatInfo_classification": "",
+ "threatInfo_classificationSource": "",
+ "threatInfo_cloudFilesHashVerdict": "",
+ "threatInfo_collectionId": "",
+ "threatInfo_confidenceLevel": "",
+ "threatInfo_createdAt [UTC]": "",
+ "threatInfo_detectionEngines": "",
+ "threatInfo_detectionType": "",
+ "threatInfo_engines": "",
+ "threatInfo_externalTicketExists": "",
+ "threatInfo_failedActions": "",
+ "threatInfo_fileExtension": "",
+ "threatInfo_fileExtensionType": "",
+ "threatInfo_filePath": "",
+ "threatInfo_fileSize": "",
+ "threatInfo_fileVerificationType": "",
+ "threatInfo_identifiedAt [UTC]": "",
+ "threatInfo_incidentStatus": "",
+ "threatInfo_incidentStatusDescription": "",
+ "threatInfo_initiatedBy": "",
+ "threatInfo_initiatedByDescription": "",
+ "threatInfo_isFileless": "",
+ "threatInfo_isValidCertificate": "",
+ "threatInfo_mitigatedPreemptively": "",
+ "threatInfo_mitigationStatus": "",
+ "threatInfo_mitigationStatusDescription": "",
+ "threatInfo_originatorProcess": "",
+ "threatInfo_pendingActions": "",
+ "threatInfo_processUser": "",
+ "threatInfo_publisherName": "",
+ "threatInfo_reachedEventsLimit": "",
+ "threatInfo_rebootRequired": "",
+ "threatInfo_sha1": "",
+ "threatInfo_storyline": "",
+ "threatInfo_threatId": "",
+ "threatInfo_threatName": "",
+ "threatInfo_updatedAt [UTC]": "",
+ "whiteningOptions": "",
+ "threatInfo_maliciousProcessArguments": "",
+ "accountId": "",
+ "accountName": "",
+ "activityType": "",
+ "activityUuid": "",
+ "createdAt [UTC]": "",
+ "id": "",
+ "primaryDescription": "",
+ "secondaryDescription": "",
+ "siteId": "",
+ "siteName": "",
+ "updatedAt [UTC]": "",
+ "userId": "",
+ "event_name": "Alerts.",
+ "DataFields": "",
+ "description": "",
+ "comments": "",
+ "activeDirectory_computerMemberOf": "",
+ "activeDirectory_lastUserMemberOf": "",
+ "activeThreats": "",
+ "agentVersion": "",
+ "allowRemoteShell": "",
+ "appsVulnerabilityStatus": "",
+ "computerName": "",
+ "consoleMigrationStatus": "",
+ "coreCount": "",
+ "cpuCount": "",
+ "cpuId": "",
+ "detectionState": "",
+ "domain": "",
+ "encryptedApplications": "",
+ "externalId": "",
+ "externalIp": "",
+ "firewallEnabled": "",
+ "firstFullModeTime [UTC]": "",
+ "fullDiskScanLastUpdatedAt [UTC]": "",
+ "groupId": "",
+ "groupIp": "",
+ "groupName": "",
+ "inRemoteShellSession": "",
+ "infected": "",
+ "installerType": "",
+ "isActive": "",
+ "isDecommissioned": "",
+ "isPendingUninstall": "",
+ "isUninstalled": "",
+ "isUpToDate": "",
+ "lastActiveDate [UTC]": "",
+ "lastIpToMgmt": "",
+ "lastLoggedInUserName": "",
+ "licenseKey": "",
+ "locationEnabled": "",
+ "locationType": "",
+ "locations": "",
+ "machineType": "",
+ "mitigationMode": "",
+ "mitigationModeSuspicious": "",
+ "modelName": "",
+ "networkInterfaces": "",
+ "networkQuarantineEnabled": "",
+ "networkStatus": "",
+ "operationalState": "",
+ "osArch": "",
+ "osName": "",
+ "osRevision": "",
+ "osStartTime [UTC]": "",
+ "osType": "",
+ "rangerStatus": "",
+ "rangerVersion": "",
+ "registeredAt [UTC]": "",
+ "remoteProfilingState": "",
+ "scanFinishedAt [UTC]": "",
+ "scanStartedAt [UTC]": "",
+ "scanStatus": "",
+ "serialNumber": "",
+ "showAlertIcon": "",
+ "tags_sentinelone": "",
+ "threatRebootRequired": "",
+ "totalMemory": "",
+ "userActionsNeeded": "",
+ "uuid": "",
+ "osUsername": "",
+ "scanAbortedAt [UTC]": "",
+ "activeDirectory_computerDistinguishedName": "",
+ "activeDirectory_lastUserDistinguishedName": "",
+ "Type": "SentinelOne_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM",
+ "Computer": "",
+ "RawData": "",
+ "alertInfo_indicatorDescription": "",
+ "alertInfo_indicatorName": "",
+ "targetProcessInfo_tgtFileOldPath": "",
+ "alertInfo_indicatorCategory": "",
+ "alertInfo_registryOldValue": "",
+ "alertInfo_dstIp": "1.1.1.11",
+ "alertInfo_dstPort": 23,
+ "alertInfo_netEventDirection": "OUTGOING",
+ "alertInfo_srcIp": "2.2.2.11",
+ "alertInfo_srcPort": 14,
+ "containerInfo_id": "",
+ "targetProcessInfo_tgtFileId": "",
+ "alertInfo_registryOldValueType": "",
+ "alertInfo_dnsRequest": "",
+ "alertInfo_dnsResponse": "",
+ "alertInfo_registryKeyPath": "",
+ "alertInfo_registryPath": "",
+ "alertInfo_registryValue": "",
+ "ruleInfo_description": "",
+ "alertInfo_loginAccountDomain": "",
+ "alertInfo_loginAccountSid": "",
+ "alertInfo_loginIsAdministratorEquivalent": "",
+ "alertInfo_loginIsSuccessful": "",
+ "alertInfo_loginType": "",
+ "alertInfo_loginsUserName": "",
+ "alertInfo_srcMachineIp": "",
+ "targetProcessInfo_tgtProcCmdLine": "",
+ "targetProcessInfo_tgtProcImagePath": "",
+ "targetProcessInfo_tgtProcName": "",
+ "targetProcessInfo_tgtProcPid": "",
+ "targetProcessInfo_tgtProcSignedStatus": "",
+ "targetProcessInfo_tgtProcStorylineId": "",
+ "targetProcessInfo_tgtProcUid": "",
+ "sourceParentProcessInfo_storyline": "C43C0EF580778F51",
+ "sourceParentProcessInfo_uniqueId": "C33C0EF580778F51",
+ "sourceProcessInfo_storyline": "34B612F580778F51",
+ "sourceProcessInfo_uniqueId": "33B612F580778F51",
+ "agentDetectionInfo_machineType": "laptop",
+ "agentDetectionInfo_name": "CLO007",
+ "agentDetectionInfo_osFamily": "windows",
+ "agentDetectionInfo_osName": "Windows 11 Pro",
+ "agentDetectionInfo_osRevision": 22621,
+ "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358",
+ "agentDetectionInfo_version": "23.1.2.400",
+ "agentRealtimeInfo_id": 1730979466865875700,
+ "agentRealtimeInfo_infected": "FALSE",
+ "agentRealtimeInfo_isActive": "TRUE",
+ "agentRealtimeInfo_isDecommissioned": "FALSE",
+ "agentRealtimeInfo_machineType": "laptop",
+ "agentRealtimeInfo_name": "CLO007",
+ "agentRealtimeInfo_os": "windows",
+ "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358",
+ "alertInfo_alertId": 1736738511318365000,
+ "alertInfo_analystVerdict": "Undefined",
+ "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:11 AM",
+ "alertInfo_dvEventId": "01H65SG9CAMBQHFPH0TJD6EYXN_434",
+ "alertInfo_eventType": "TCPV4",
+ "alertInfo_hitType": "Events",
+ "alertInfo_incidentStatus": "Unresolved",
+ "alertInfo_isEdr": "TRUE",
+ "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:24 AM",
+ "alertInfo_source": "STAR",
+ "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:24 AM",
+ "ruleInfo_id": 1733309646016098600,
+ "ruleInfo_name": "IP Connect & IP List",
+ "ruleInfo_queryLang": 1,
+ "ruleInfo_queryType": "events",
+ "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen",
+ "ruleInfo_scopeLevel": "account",
+ "ruleInfo_severity": "Low",
+ "ruleInfo_treatAsThreat": "UNDEFINED",
+ "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule",
+ "sourceParentProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536",
+ "sourceParentProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81",
+ "sourceParentProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b",
+ "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe",
+ "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS",
+ "sourceParentProcessInfo_integrityLevel": "system",
+ "sourceParentProcessInfo_name": "svchost.exe",
+ "sourceParentProcessInfo_pid": 1752,
+ "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM",
+ "sourceParentProcessInfo_subsystem": "sys_win32",
+ "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM",
+ "sourceProcessInfo_commandline": "C:\\Windows\\system32\\wermgr.exe\" -upload",
+ "sourceProcessInfo_fileHashMd5": "b2eb37f1-bd88-302c-2f15-0217722a8c9f",
+ "sourceProcessInfo_fileHashSha1": "d8e0c1e1ad99a38f3a84414d5af7b761bf0eb924",
+ "sourceProcessInfo_fileHashSha256": "a4c41c6c4e1d0fadc9bd3313a3d0e329517f400bd8908dd8c70ac69758e60875",
+ "sourceProcessInfo_filePath": "C:\\Windows\\System32\\wermgr.exe",
+ "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS",
+ "sourceProcessInfo_integrityLevel": "system",
+ "sourceProcessInfo_name": "wermgr.exe",
+ "sourceProcessInfo_pid": 5488,
+ "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:37:03 AM",
+ "sourceProcessInfo_subsystem": "sys_win32",
+ "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM",
+ "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFileHashSha1": "",
+ "targetProcessInfo_tgtFileHashSha256": "",
+ "targetProcessInfo_tgtFileIsSigned": "signed",
+ "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFilePath": "",
+ "targetProcessInfo_tgtProcIntegrityLevel": "unknown",
+ "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM",
+ "agentUpdatedVersion": "",
+ "agentId": "",
+ "hash": "",
+ "osFamily": "",
+ "threatId": "",
+ "creator": "",
+ "creatorId": "",
+ "inherits": "",
+ "isDefault": "",
+ "name": "",
+ "registrationToken": "",
+ "totalAgents": "",
+ "type": "",
+ "agentDetectionInfo_accountId": 1712500237934148900,
+ "agentDetectionInfo_accountName": "",
+ "agentDetectionInfo_agentDetectionState": "",
+ "agentDetectionInfo_agentDomain": "",
+ "agentDetectionInfo_agentIpV4": "",
+ "agentDetectionInfo_agentIpV6": "",
+ "agentDetectionInfo_agentLastLoggedInUserName": "",
+ "agentDetectionInfo_agentMitigationMode": "",
+ "agentDetectionInfo_agentOsName": "",
+ "agentDetectionInfo_agentOsRevision": "",
+ "agentDetectionInfo_agentRegisteredAt [UTC]": "",
+ "agentDetectionInfo_agentUuid": "",
+ "agentDetectionInfo_agentVersion": "",
+ "agentDetectionInfo_externalIp": "",
+ "agentDetectionInfo_groupId": "",
+ "agentDetectionInfo_groupName": "",
+ "agentDetectionInfo_siteId": 1712500242422055200,
+ "agentDetectionInfo_siteName": "",
+ "agentRealtimeInfo_accountId": "",
+ "agentRealtimeInfo_accountName": "",
+ "agentRealtimeInfo_activeThreats": "",
+ "agentRealtimeInfo_agentComputerName": "",
+ "agentRealtimeInfo_agentDomain": "",
+ "agentRealtimeInfo_agentId": "",
+ "agentRealtimeInfo_agentInfected": "",
+ "agentRealtimeInfo_agentIsActive": "",
+ "agentRealtimeInfo_agentIsDecommissioned": "",
+ "agentRealtimeInfo_agentMachineType": "",
+ "agentRealtimeInfo_agentMitigationMode": "",
+ "agentRealtimeInfo_agentNetworkStatus": "",
+ "agentRealtimeInfo_agentOsName": "",
+ "agentRealtimeInfo_agentOsRevision": "",
+ "agentRealtimeInfo_agentOsType": "",
+ "agentRealtimeInfo_agentUuid": "",
+ "agentRealtimeInfo_agentVersion": "",
+ "agentRealtimeInfo_groupId": "",
+ "agentRealtimeInfo_groupName": "",
+ "agentRealtimeInfo_networkInterfaces": "",
+ "agentRealtimeInfo_operationalState": "",
+ "agentRealtimeInfo_rebootRequired": "",
+ "agentRealtimeInfo_scanFinishedAt [UTC]": "",
+ "agentRealtimeInfo_scanStartedAt [UTC]": "",
+ "agentRealtimeInfo_scanStatus": "",
+ "agentRealtimeInfo_siteId": "",
+ "agentRealtimeInfo_siteName": "",
+ "agentRealtimeInfo_userActionsNeeded": "",
+ "indicators": "",
+ "mitigationStatus": "",
+ "threatInfo_analystVerdict": "",
+ "threatInfo_analystVerdictDescription": "",
+ "threatInfo_automaticallyResolved": "",
+ "threatInfo_certificateId": "",
+ "threatInfo_classification": "",
+ "threatInfo_classificationSource": "",
+ "threatInfo_cloudFilesHashVerdict": "",
+ "threatInfo_collectionId": "",
+ "threatInfo_confidenceLevel": "",
+ "threatInfo_createdAt [UTC]": "",
+ "threatInfo_detectionEngines": "",
+ "threatInfo_detectionType": "",
+ "threatInfo_engines": "",
+ "threatInfo_externalTicketExists": "",
+ "threatInfo_failedActions": "",
+ "threatInfo_fileExtension": "",
+ "threatInfo_fileExtensionType": "",
+ "threatInfo_filePath": "",
+ "threatInfo_fileSize": "",
+ "threatInfo_fileVerificationType": "",
+ "threatInfo_identifiedAt [UTC]": "",
+ "threatInfo_incidentStatus": "",
+ "threatInfo_incidentStatusDescription": "",
+ "threatInfo_initiatedBy": "",
+ "threatInfo_initiatedByDescription": "",
+ "threatInfo_isFileless": "",
+ "threatInfo_isValidCertificate": "",
+ "threatInfo_mitigatedPreemptively": "",
+ "threatInfo_mitigationStatus": "",
+ "threatInfo_mitigationStatusDescription": "",
+ "threatInfo_originatorProcess": "",
+ "threatInfo_pendingActions": "",
+ "threatInfo_processUser": "",
+ "threatInfo_publisherName": "",
+ "threatInfo_reachedEventsLimit": "",
+ "threatInfo_rebootRequired": "",
+ "threatInfo_sha1": "",
+ "threatInfo_storyline": "",
+ "threatInfo_threatId": "",
+ "threatInfo_threatName": "",
+ "threatInfo_updatedAt [UTC]": "",
+ "whiteningOptions": "",
+ "threatInfo_maliciousProcessArguments": "",
+ "accountId": "",
+ "accountName": "",
+ "activityType": "",
+ "activityUuid": "",
+ "createdAt [UTC]": "",
+ "id": "",
+ "primaryDescription": "",
+ "secondaryDescription": "",
+ "siteId": "",
+ "siteName": "",
+ "updatedAt [UTC]": "",
+ "userId": "",
+ "event_name": "Alerts.",
+ "DataFields": "",
+ "description": "",
+ "comments": "",
+ "activeDirectory_computerMemberOf": "",
+ "activeDirectory_lastUserMemberOf": "",
+ "activeThreats": "",
+ "agentVersion": "",
+ "allowRemoteShell": "",
+ "appsVulnerabilityStatus": "",
+ "computerName": "",
+ "consoleMigrationStatus": "",
+ "coreCount": "",
+ "cpuCount": "",
+ "cpuId": "",
+ "detectionState": "",
+ "domain": "",
+ "encryptedApplications": "",
+ "externalId": "",
+ "externalIp": "",
+ "firewallEnabled": "",
+ "firstFullModeTime [UTC]": "",
+ "fullDiskScanLastUpdatedAt [UTC]": "",
+ "groupId": "",
+ "groupIp": "",
+ "groupName": "",
+ "inRemoteShellSession": "",
+ "infected": "",
+ "installerType": "",
+ "isActive": "",
+ "isDecommissioned": "",
+ "isPendingUninstall": "",
+ "isUninstalled": "",
+ "isUpToDate": "",
+ "lastActiveDate [UTC]": "",
+ "lastIpToMgmt": "",
+ "lastLoggedInUserName": "",
+ "licenseKey": "",
+ "locationEnabled": "",
+ "locationType": "",
+ "locations": "",
+ "machineType": "",
+ "mitigationMode": "",
+ "mitigationModeSuspicious": "",
+ "modelName": "",
+ "networkInterfaces": "",
+ "networkQuarantineEnabled": "",
+ "networkStatus": "",
+ "operationalState": "",
+ "osArch": "",
+ "osName": "",
+ "osRevision": "",
+ "osStartTime [UTC]": "",
+ "osType": "",
+ "rangerStatus": "",
+ "rangerVersion": "",
+ "registeredAt [UTC]": "",
+ "remoteProfilingState": "",
+ "scanFinishedAt [UTC]": "",
+ "scanStartedAt [UTC]": "",
+ "scanStatus": "",
+ "serialNumber": "",
+ "showAlertIcon": "",
+ "tags_sentinelone": "",
+ "threatRebootRequired": "",
+ "totalMemory": "",
+ "userActionsNeeded": "",
+ "uuid": "",
+ "osUsername": "",
+ "scanAbortedAt [UTC]": "",
+ "activeDirectory_computerDistinguishedName": "",
+ "activeDirectory_lastUserDistinguishedName": "",
+ "Type": "SentinelOne_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "7/25/2023, 6:00:06 AM",
+ "Computer": "",
+ "RawData": "",
+ "alertInfo_indicatorDescription": "",
+ "alertInfo_indicatorName": "",
+ "targetProcessInfo_tgtFileOldPath": "",
+ "alertInfo_indicatorCategory": "",
+ "alertInfo_registryOldValue": "",
+ "alertInfo_dstIp": "1.1.1.12",
+ "alertInfo_dstPort": 23,
+ "alertInfo_netEventDirection": "OUTGOING",
+ "alertInfo_srcIp": "2.2.2.12",
+ "alertInfo_srcPort": 14,
+ "containerInfo_id": "",
+ "targetProcessInfo_tgtFileId": "",
+ "alertInfo_registryOldValueType": "",
+ "alertInfo_dnsRequest": "",
+ "alertInfo_dnsResponse": "",
+ "alertInfo_registryKeyPath": "",
+ "alertInfo_registryPath": "",
+ "alertInfo_registryValue": "",
+ "ruleInfo_description": "",
+ "alertInfo_loginAccountDomain": "",
+ "alertInfo_loginAccountSid": "",
+ "alertInfo_loginIsAdministratorEquivalent": "",
+ "alertInfo_loginIsSuccessful": "",
+ "alertInfo_loginType": "",
+ "alertInfo_loginsUserName": "",
+ "alertInfo_srcMachineIp": "",
+ "targetProcessInfo_tgtProcCmdLine": "",
+ "targetProcessInfo_tgtProcImagePath": "",
+ "targetProcessInfo_tgtProcName": "",
+ "targetProcessInfo_tgtProcPid": "",
+ "targetProcessInfo_tgtProcSignedStatus": "",
+ "targetProcessInfo_tgtProcStorylineId": "",
+ "targetProcessInfo_tgtProcUid": "",
+ "sourceParentProcessInfo_storyline": "433C0EF580778F51",
+ "sourceParentProcessInfo_uniqueId": "423C0EF580778F51",
+ "sourceProcessInfo_storyline": "FEAE12F580778F51",
+ "sourceProcessInfo_uniqueId": "FDAE12F580778F51",
+ "agentDetectionInfo_machineType": "laptop",
+ "agentDetectionInfo_name": "CLO007",
+ "agentDetectionInfo_osFamily": "windows",
+ "agentDetectionInfo_osName": "Windows 11 Pro",
+ "agentDetectionInfo_osRevision": 22621,
+ "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358",
+ "agentDetectionInfo_version": "23.1.2.400",
+ "agentRealtimeInfo_id": 1730979466865875700,
+ "agentRealtimeInfo_infected": "FALSE",
+ "agentRealtimeInfo_isActive": "TRUE",
+ "agentRealtimeInfo_isDecommissioned": "FALSE",
+ "agentRealtimeInfo_machineType": "laptop",
+ "agentRealtimeInfo_name": "CLO007",
+ "agentRealtimeInfo_os": "windows",
+ "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358",
+ "alertInfo_alertId": 1736738514782860300,
+ "alertInfo_analystVerdict": "Undefined",
+ "alertInfo_createdAt [UTC]": "7/25/2023, 5:49:14 AM",
+ "alertInfo_dvEventId": "01H65SGAGCE4JDGCGC1GCKNT9S_9",
+ "alertInfo_eventType": "TCPV4",
+ "alertInfo_hitType": "Events",
+ "alertInfo_incidentStatus": "Unresolved",
+ "alertInfo_isEdr": "TRUE",
+ "alertInfo_reportedAt [UTC]": "7/25/2023, 5:49:24 AM",
+ "alertInfo_source": "STAR",
+ "alertInfo_updatedAt [UTC]": "7/25/2023, 5:49:24 AM",
+ "ruleInfo_id": 1733309646016098600,
+ "ruleInfo_name": "IP Connect & IP List",
+ "ruleInfo_queryLang": 1,
+ "ruleInfo_queryType": "events",
+ "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen",
+ "ruleInfo_scopeLevel": "account",
+ "ruleInfo_severity": "Low",
+ "ruleInfo_treatAsThreat": "UNDEFINED",
+ "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe",
+ "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f",
+ "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42",
+ "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb",
+ "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe",
+ "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER",
+ "sourceParentProcessInfo_integrityLevel": "system",
+ "sourceParentProcessInfo_name": "services.exe",
+ "sourceParentProcessInfo_pid": 8,
+ "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM",
+ "sourceParentProcessInfo_subsystem": "sys_win32",
+ "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM",
+ "sourceProcessInfo_commandline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wlidsvc",
+ "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536",
+ "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81",
+ "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b",
+ "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe",
+ "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS",
+ "sourceProcessInfo_integrityLevel": "system",
+ "sourceProcessInfo_name": "svchost.exe",
+ "sourceProcessInfo_pid": 11436,
+ "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:34:08 AM",
+ "sourceProcessInfo_subsystem": "sys_win32",
+ "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM",
+ "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFileHashSha1": "",
+ "targetProcessInfo_tgtFileHashSha256": "",
+ "targetProcessInfo_tgtFileIsSigned": "signed",
+ "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM",
+ "targetProcessInfo_tgtFilePath": "",
+ "targetProcessInfo_tgtProcIntegrityLevel": "unknown",
+ "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM",
+ "agentUpdatedVersion": "",
+ "agentId": "",
+ 
"hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + 
"agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": 
"", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated 
[UTC]": "7/25/2023, 6:40:04 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.13", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.13", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "D83C0EF580778F51", + "sourceProcessInfo_uniqueId": "D73C0EF580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + 
"agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736756505571408600, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 6:24:58 AM", + "alertInfo_dvEventId": "01H65VHMRC71Y2GK2M458J2WMW_15", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 6:25:09 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 6:25:09 AM", + "ruleInfo_id": 1736743171400115500, + "ruleInfo_name": "CWL547", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EndpointName = \"CLO007", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Medium", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\System32\\svchost.exe -k netprofm -p -s netprofm", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + 
"sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 2084, + "sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\NETWORK SERVICE", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", 
+ "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + 
"threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": 
"", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:40:04 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.14", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.14", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + 
"alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "C43C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "C33C0EF580778F51", + "sourceProcessInfo_storyline": "24DB12F580778F51", + "sourceProcessInfo_uniqueId": "23DB12F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736757508513437700, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 6:27:00 AM", + "alertInfo_dvEventId": "01H65VN9YVSBR9FGDK3RJX7NKK_10", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 6:27:09 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 6:27:09 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = 
\"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "sourceParentProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceParentProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceParentProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "svchost.exe", + "sourceParentProcessInfo_pid": 1752, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "taskhostw.exe", + "sourceProcessInfo_fileHashMd5": "4887a65f-d4f6-598a-f498-6cbc1c0e5488", + "sourceProcessInfo_fileHashSha1": "0882f3f9947405bb80c2e830adf69af85c9b51c7", + "sourceProcessInfo_fileHashSha256": "82472a84bcbb4009add338200f8e853fe4c5eafe2e2c3a2d711b85bf29b72d54", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\taskhostw.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "taskhostw.exe", + "sourceProcessInfo_pid": 8648, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 6:26:34 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + 
"targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + 
"agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + 
"accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + 
"activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 10:30:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.15", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.15", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": 
"6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1736872444737646300, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 10:15:22 AM", + "alertInfo_dvEventId": "01H668QFMWS1BRZA6EAHDVWFN0_55", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 10:15:30 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 10:15:30 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "mount -t nfs -o vers=3,nolock 10.50.3.251: /root/nfsdir", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "f6d5066df72ae947089cb3762679c54f61d7c97f", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/bin/mount", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "mount", + "sourceParentProcessInfo_pid": 32168, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:15:07 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/sbin/mount.nfs 
10.50.3.251: /root/nfsdir", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "2894ddd5adc4c4f89d6171feb966ee8db03e3d48", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/sbin/mount.nfs", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "mount.nfs", + "sourceProcessInfo_pid": 32169, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:15:07 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + 
"agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + 
"threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + 
"locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 10:30:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.16", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.16", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + 
"alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1736872477948149000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 10:15:22 AM", + "alertInfo_dvEventId": "01H668QFMWS1BRZA6EAHDVWFN0_7", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 10:15:34 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 10:15:34 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + 
"ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "mount -t nfs -o vers=3,nolock 10.50.3.251:/ns2/bucket4/ /root/nfsdir", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "f6d5066df72ae947089cb3762679c54f61d7c97f", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/bin/mount", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "mount", + "sourceParentProcessInfo_pid": 32151, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:14:44 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/sbin/mount.nfs 10.50.3.251:/ns2/bucket4/ /root/nfsdir", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "2894ddd5adc4c4f89d6171feb966ee8db03e3d48", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/sbin/mount.nfs", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "mount.nfs", + "sourceProcessInfo_pid": 32152, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:14:44 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + 
"registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + 
"indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + 
"activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 10:30:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + 
"alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.17", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.17", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + 
"agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1736872503055255600, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 10:15:22 AM", + "alertInfo_dvEventId": "01H668QFMWS1BRZA6EAHDVWFN0_15", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 10:15:37 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 10:15:37 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "mount -t nfs -o vers=3,nolock 10.50.3.251:/ns2/bucket4 /root/nfsdir", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "f6d5066df72ae947089cb3762679c54f61d7c97f", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/bin/mount", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "mount", + "sourceParentProcessInfo_pid": 32157, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:14:59 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/sbin/mount.nfs 10.50.3.251:/ns2/bucket4 /root/nfsdir", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "2894ddd5adc4c4f89d6171feb966ee8db03e3d48", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/sbin/mount.nfs", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + 
"sourceProcessInfo_name": "mount.nfs", + "sourceProcessInfo_pid": 32158, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:14:59 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + 
"agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + 
"threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + 
"osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 10:30:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.18", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.18", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", 
+ "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1736872508449131000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 10:15:22 AM", + "alertInfo_dvEventId": "01H668QFMWS1BRZA6EAHDVWFN0_51", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 10:15:38 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 10:15:38 AM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "mount -t nfs -o vers=3,nolock 10.50.3.251:/ns2/ /root/nfsdir", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "f6d5066df72ae947089cb3762679c54f61d7c97f", + "sourceParentProcessInfo_fileHashSha256": "", + 
"sourceParentProcessInfo_filePath": "/usr/bin/mount", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "mount", + "sourceParentProcessInfo_pid": 32166, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:15:03 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/sbin/mount.nfs 10.50.3.251:/ns2/ /root/nfsdir", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "2894ddd5adc4c4f89d6171feb966ee8db03e3d48", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/sbin/mount.nfs", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "mount.nfs", + "sourceProcessInfo_pid": 32167, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 10:15:03 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + 
"agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + 
"threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": 
"", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 2:00:04 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.19", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.19", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + 
"targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "FEBB12F580778F51", + "sourceParentProcessInfo_uniqueId": "FDBB12F580778F51", + "sourceProcessInfo_storyline": "E0E912F580778F51", + "sourceProcessInfo_uniqueId": "DFE912F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736978424395258000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 1:45:59 PM", + "alertInfo_dvEventId": "01H66MS4AHVPK6ZSZA1W047SMR_278", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": 
"Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 1:46:04 PM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 1:46:04 PM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\Explorer.EXE", + "sourceParentProcessInfo_fileHashMd5": "357b678c-68d3-d5ee-86e1-b706fbfd994b", + "sourceParentProcessInfo_fileHashSha1": "a4e4e2bc502e4ab249b219da357d1aad163ab175", + "sourceParentProcessInfo_fileHashSha256": "8375581b32e510a1ddf90b1ff8ffb8a756d71e1d5572b1c7c027e9b7393ccd3b", + "sourceParentProcessInfo_filePath": "C:\\Windows\\explorer.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceParentProcessInfo_integrityLevel": "medium", + "sourceParentProcessInfo_name": "explorer.exe", + "sourceParentProcessInfo_pid": 14472, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:42:20 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "CLO007\\Crest", + "sourceProcessInfo_commandline": "C:\\Windows\\System32\\smartscreen.exe -Embedding", + "sourceProcessInfo_fileHashMd5": "8b71524d-b619-2b9a-1967-1156e27b1826", + "sourceProcessInfo_fileHashSha1": "4549fabd13aaf136087a4501682eb2559eaafdbb", + "sourceProcessInfo_fileHashSha256": "83c9bd1ff0dd424a841cd1b22993e09e16d1339501070613236b0d1f8bff92bc", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\smartscreen.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "medium", + "sourceProcessInfo_name": "smartscreen.exe", + "sourceProcessInfo_pid": 14528, + 
"sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 1:45:28 PM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "CLO007\\Crest", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + 
"agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + 
"threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + 
"registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 2:00:04 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "1.1.1.20", + "alertInfo_dstPort": 23, + "alertInfo_netEventDirection": "OUTGOING", + "alertInfo_srcIp": "2.2.2.20", + "alertInfo_srcPort": 14, + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "70BC12F580778F51", + 
"sourceParentProcessInfo_uniqueId": "19BF12F580778F51", + "sourceProcessInfo_storyline": "70BC12F580778F51", + "sourceProcessInfo_uniqueId": "42CD12F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": "FALSE", + "agentRealtimeInfo_isActive": "TRUE", + "agentRealtimeInfo_isDecommissioned": "FALSE", + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1736978447346490600, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 1:45:59 PM", + "alertInfo_dvEventId": "01H66MS4AHVPK6ZSZA1W047SMR_22", + "alertInfo_eventType": "TCPV4", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": "TRUE", + "alertInfo_reportedAt [UTC]": "7/25/2023, 1:46:07 PM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 1:46:07 PM", + "ruleInfo_id": 1733309646016098600, + "ruleInfo_name": "IP Connect & IP List", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"IP Connect\" OR EventType = \"IP Listen", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Users\\Crest\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 
/SetPerProcessSystemDPIForceOffKey /EnableNucleusAutoStartFix", + "sourceParentProcessInfo_fileHashMd5": "8d5ca829-19d6-6439-685d-dd97dca650c6", + "sourceParentProcessInfo_fileHashSha1": "81c0122bc0adc75ce71912504b8d72825aecad35", + "sourceParentProcessInfo_fileHashSha256": "7dfe00a315c1e6956eb32c9d12fc809998590d15de1820b34b6d9ca7aa109b88", + "sourceParentProcessInfo_filePath": "C:\\Users\\Crest\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT CORPORATION", + "sourceParentProcessInfo_integrityLevel": "medium", + "sourceParentProcessInfo_name": "OneDriveSetup.exe", + "sourceParentProcessInfo_pid": 5412, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:46:58 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "CLO007\\Crest", + "sourceProcessInfo_commandline": "/updateInstalled /background", + "sourceProcessInfo_fileHashMd5": "174826c7-8c0a-a36d-a145-7e711e4c9e80", + "sourceProcessInfo_fileHashSha1": "56ee9857c7a0643d6f6d5e56c3f4689bb1499829", + "sourceProcessInfo_fileHashSha256": "159e208d7211b71b5dad89771bf1fc047de839bcb8e68475f248a051d2ebaa02", + "sourceProcessInfo_filePath": "C:\\Users\\Crest\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT CORPORATION", + "sourceProcessInfo_integrityLevel": "medium", + "sourceProcessInfo_name": "OneDrive.exe", + "sourceProcessInfo_pid": 2204, + "sourceProcessInfo_pidStarttime [UTC]": "7/25/2023, 5:47:11 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "CLO007\\Crest", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00 AM", + "targetProcessInfo_tgtFilePath": "", + 
"targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + 
"agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedEventsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + 
"activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": 
"SentinelOne_CL", + "_ResourceId": "" + } + ] \ No newline at end of file