From 7d2e52a4911389ab56879e3208ad5eee8e8f88ca Mon Sep 17 00:00:00 2001 From: Jayesh Prajapati Date: Sun, 30 Jul 2023 13:02:11 +0530 Subject: [PATCH] ASIM User Management schema parser with its sample and test data for SentinelOne. --- .../CustomTables/SentinelOne_CL.json | 896 ++++++++++++++++++ .../ASimUserManagementSentinelOne.yaml | 134 +++ ...tinelOne_ASimUserManagement_SchemaTest.csv | 41 + ...nelOne_ASimUserManagement_IngestedLogs.csv | 23 + Sample Data/ASIM/SentinelOne_CL_Schema.csv | 313 ++++++ 5 files changed, 1407 insertions(+) create mode 100644 Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml create mode 100644 Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_SchemaTest.csv create mode 100644 Sample Data/ASIM/SentinelOne_ASimUserManagement_IngestedLogs.csv create mode 100644 Sample Data/ASIM/SentinelOne_CL_Schema.csv diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json index c88a505bedd..a240d92d89b 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json 
@@ -388,6 +388,902 @@ { "Name": "_ResourceId", "Type": "string" + }, + { + "Name": "alertInfo_indicatorDescription_s", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorName_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileOldPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorCategory_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValue_g", + "Type": "string" + }, + { + "Name": "alertInfo_dstIp_s", + "Type": "string" + }, + { + "Name": "alertInfo_dstPort_s", + "Type": "string" + }, + { + "Name": "alertInfo_netEventDirection_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcIp_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcPort_s", + "Type": "string" + }, + { + "Name": "containerInfo_id_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileId_g", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValue_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValueType_s", + "Type": "string" + }, + { + "Name": "alertInfo_dnsRequest_s", + "Type": "string" + }, + { + "Name": "alertInfo_dnsResponse_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryKeyPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryValue_g", + "Type": "string" + }, + { + "Name": "ruleInfo_description_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryValue_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginAccountDomain_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginAccountSid_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginIsAdministratorEquivalent_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginIsSuccessful_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginType_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginsUserName_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcMachineIp_s", + "Type": "string" + }, + { + "Name": 
"targetProcessInfo_tgtProcCmdLine_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcImagePath_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcName_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcPid_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcSignedStatus_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcStorylineId_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcUid_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_storyline_g", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_uniqueId_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_storyline_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_uniqueId_g", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcStorylineId_g", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcUid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_machineType_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_name_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osFamily_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osRevision_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_uuid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_version_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_id_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_infected_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_isActive_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_isDecommissioned_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_machineType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_name_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_os_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_uuid_g", + "Type": "string" + }, 
+ { + "Name": "alertInfo_alertId_s", + "Type": "string" + }, + { + "Name": "alertInfo_analystVerdict_s", + "Type": "string" + }, + { + "Name": "alertInfo_createdAt_t", + "Type": "datetime" + }, + { + "Name": "alertInfo_dvEventId_s", + "Type": "string" + }, + { + "Name": "alertInfo_eventType_s", + "Type": "string" + }, + { + "Name": "alertInfo_hitType_s", + "Type": "string" + }, + { + "Name": "alertInfo_incidentStatus_s", + "Type": "string" + }, + { + "Name": "alertInfo_isEdr_b", + "Type": "bool" + }, + { + "Name": "alertInfo_reportedAt_t", + "Type": "datetime" + }, + { + "Name": "alertInfo_source_s", + "Type": "string" + }, + { + "Name": "alertInfo_updatedAt_t", + "Type": "datetime" + }, + { + "Name": "ruleInfo_id_s", + "Type": "string" + }, + { + "Name": "ruleInfo_name_s", + "Type": "string" + }, + { + "Name": "ruleInfo_queryLang_s", + "Type": "string" + }, + { + "Name": "ruleInfo_queryType_s", + "Type": "string" + }, + { + "Name": "ruleInfo_s1ql_s", + "Type": "string" + }, + { + "Name": "ruleInfo_scopeLevel_s", + "Type": "string" + }, + { + "Name": "ruleInfo_severity_s", + "Type": "string" + }, + { + "Name": "ruleInfo_treatAsThreat_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_commandline_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashMd5_g", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashSha1_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashSha256_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_filePath_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileSignerIdentity_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_integrityLevel_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_name_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_pid_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_pidStarttime_t", + "Type": "datetime" + }, + { + "Name": 
"sourceParentProcessInfo_storyline_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_subsystem_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_uniqueId_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_user_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_commandline_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashMd5_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashSha1_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashSha256_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_filePath_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileSignerIdentity_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_integrityLevel_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_name_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_pid_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_pidStarttime_t", + "Type": "datetime" + }, + { + "Name": "sourceProcessInfo_storyline_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_subsystem_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_uniqueId_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_user_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileCreatedAt_t", + "Type": "datetime" + }, + { + "Name": "targetProcessInfo_tgtFileHashSha1_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileHashSha256_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileId_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileIsSigned_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileModifiedAt_t", + "Type": "datetime" + }, + { + "Name": "targetProcessInfo_tgtFilePath_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcIntegrityLevel_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcessStartTime_t", + "Type": "datetime" + }, 
+ { + "Name": "agentUpdatedVersion_s", + "Type": "string" + }, + { + "Name": "agentId_s", + "Type": "string" + }, + { + "Name": "hash_s", + "Type": "string" + }, + { + "Name": "osFamily_s", + "Type": "string" + }, + { + "Name": "threatId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_accountId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_accountName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentDetectionState_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentDomain_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentIpV4_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentIpV6_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentLastLoggedInUserName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentMitigationMode_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentOsName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentOsRevision_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentRegisteredAt_t", + "Type": "datetime" + }, + { + "Name": "agentDetectionInfo_agentUuid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentVersion_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_externalIp_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_groupId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_groupName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_siteId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_siteName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_accountId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_accountName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_activeThreats_d", + "Type": "real" + }, + { + "Name": "agentRealtimeInfo_agentComputerName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentDomain_s", + "Type": "string" + }, + { + 
"Name": "agentRealtimeInfo_agentId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentInfected_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentIsActive_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentIsDecommissioned_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentMachineType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentMitigationMode_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentNetworkStatus_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsRevision_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentUuid_g", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentVersion_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_groupId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_groupName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_networkInterfaces_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_operationalState_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_rebootRequired_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_scanFinishedAt_t", + "Type": "datetime" + }, + { + "Name": "agentRealtimeInfo_scanStartedAt_t", + "Type": "datetime" + }, + { + "Name": "agentRealtimeInfo_scanStatus_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_siteId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_siteName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_userActionsNeeded_s", + "Type": "string" + }, + { + "Name": "indicators_s", + "Type": "string" + }, + { + "Name": "mitigationStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_analystVerdict_s", + "Type": "string" + }, + { + "Name": "threatInfo_analystVerdictDescription_s", + "Type": "string" + }, + { + "Name": 
"threatInfo_automaticallyResolved_b", + "Type": "bool" + }, + { + "Name": "threatInfo_certificateId_s", + "Type": "string" + }, + { + "Name": "threatInfo_classification_s", + "Type": "string" + }, + { + "Name": "threatInfo_classificationSource_s", + "Type": "string" + }, + { + "Name": "threatInfo_cloudFilesHashVerdict_s", + "Type": "string" + }, + { + "Name": "threatInfo_collectionId_s", + "Type": "string" + }, + { + "Name": "threatInfo_confidenceLevel_s", + "Type": "string" + }, + { + "Name": "threatInfo_createdAt_t", + "Type": "datetime" + }, + { + "Name": "threatInfo_detectionEngines_s", + "Type": "string" + }, + { + "Name": "threatInfo_detectionType_s", + "Type": "string" + }, + { + "Name": "threatInfo_engines_s", + "Type": "string" + }, + { + "Name": "threatInfo_externalTicketExists_b", + "Type": "bool" + }, + { + "Name": "threatInfo_failedActions_b", + "Type": "bool" + }, + { + "Name": "threatInfo_fileExtension_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileExtensionType_s", + "Type": "string" + }, + { + "Name": "threatInfo_filePath_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileSize_d", + "Type": "real" + }, + { + "Name": "threatInfo_fileVerificationType_s", + "Type": "string" + }, + { + "Name": "threatInfo_identifiedAt_t", + "Type": "datetime" + }, + { + "Name": "threatInfo_incidentStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_incidentStatusDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_initiatedBy_s", + "Type": "string" + }, + { + "Name": "threatInfo_initiatedByDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_isFileless_b", + "Type": "bool" + }, + { + "Name": "threatInfo_isValidCertificate_b", + "Type": "bool" + }, + { + "Name": "threatInfo_mitigatedPreemptively_b", + "Type": "bool" + }, + { + "Name": "threatInfo_mitigationStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_mitigationStatusDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_originatorProcess_s", 
+ "Type": "string" + }, + { + "Name": "threatInfo_pendingActions_b", + "Type": "bool" + }, + { + "Name": "threatInfo_processUser_s", + "Type": "string" + }, + { + "Name": "threatInfo_publisherName_s", + "Type": "string" + }, + { + "Name": "threatInfo_reachedEventsLimit_b", + "Type": "bool" + }, + { + "Name": "threatInfo_rebootRequired_b", + "Type": "bool" + }, + { + "Name": "threatInfo_sha1_s", + "Type": "string" + }, + { + "Name": "threatInfo_storyline_s", + "Type": "string" + }, + { + "Name": "threatInfo_threatId_s", + "Type": "string" + }, + { + "Name": "threatInfo_threatName_s", + "Type": "string" + }, + { + "Name": "threatInfo_updatedAt_t", + "Type": "datetime" + }, + { + "Name": "whiteningOptions_s", + "Type": "string" + }, + { + "Name": "threatInfo_maliciousProcessArguments_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileExtension_g", + "Type": "string" + }, + { + "Name": "threatInfo_threatName_g", + "Type": "string" + }, + { + "Name": "threatInfo_storyline_g", + "Type": "string" + }, + { + "Name": "activityUuid_g", + "Type": "string" + }, + { + "Name": "secondaryDescription_s", + "Type": "string" + }, + { + "Name": "DataFields_s", + "Type": "string" + }, + { + "Name": "description_s", + "Type": "string" + }, + { + "Name": "comments_s", + "Type": "string" + }, + { + "Name": "detectionState_s", + "Type": "string" + }, + { + "Name": "firstFullModeTime_t", + "Type": "datetime" + }, + { + "Name": "fullDiskScanLastUpdatedAt_t", + "Type": "datetime" + }, + { + "Name": "serialNumber_s", + "Type": "string" + }, + { + "Name": "showAlertIcon_b", + "Type": "bool" + }, + { + "Name": "tags_sentinelone_s", + "Type": "string" + }, + { + "Name": "osUsername_s", + "Type": "string" + }, + { + "Name": "scanAbortedAt_t", + "Type": "datetime" } ] } \ No newline at end of file 
diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml
new file mode 100644
index 00000000000..7c73268d6d9
--- /dev/null
+++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml
@@ -0,0 +1,134 @@
+Parser:
+ Title: User Management ASIM parser for SentinelOne
+ Version: '0.1.1'
+ LastUpdated: Jul 25, 2023
+Product:
+ Name: SentinelOne
+Normalization:
+ Schema: UserManagement
+ Version: '0.1.1'
+References:
+- Title: ASIM UserManagement Schema
+ Link: https://aka.ms/ASimUserManagementDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+- Title: SentinelOne Documentation
+- Link: https://.sentinelone.net/api-doc/overview
+Description: |
+ This ASIM parser supports normalizing SentinelOne logs to the ASIM User Management normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+ParserName: ASimUserManagementSentinelOne
+EquivalentBuiltInParser: _Im_UserManagement_SentinelOne
+ParserParams:
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let EventTypeLookup = datatable (
+ activityType_d: real,
+ EventType: string,
+ EventOriginalType: string,
+ EventSubType: string
+ )[
+ 23, "UserCreated", "User Added", "",
+ 24, "UserModified", "User Modified", "MultipleProperties",
+ 25, "UserDeleted", "User Deleted", "",
+ 37, "UserModified", "User modified", "UserModified",
+ 102, "UserDeleted", "User Deleted", "",
+ 110, "UserModified", "Enable API Token Generation", "NewPermissions",
+ 111, "UserModified", "Disable API Token Generation", "PreviousPermissions",
+ 140, "UserCreated", "Service User creation", "",
+ 141, "UserModified", "Service User modification", "MultipleProperties",
+ 142, "UserDeleted", "Service User deletion", "",
+ 3522, "GroupCreated", "Ranger Deploy - Credential Group Created", "",
+ 3523, "GroupModified", "Ranger Deploy -Credential Group Edited", "MultipleProperties",
+ 3524, "GroupDeleted", "Ranger Deploy - Credential Group Deleted", "",
+ 3710, "PasswordReset", "User Reset Password with Forgot Password from the Login", "",
+ 3711, "PasswordChanged", "User Changed Their Password", "",
+ 3715, "PasswordReset", "User Reset Password by Admin Request", "",
+ 5006, "GroupDeleted", "Group Deleted", "",
+ 5008, "GroupCreated", "User created a Manual or Pinned Group", "",
+ 5011, "GroupModified", "Group Policy Reverted", "Newpolicy",
+ ];
+ let parser = (disabled: bool=false) {
+ SentinelOne_CL
+ | where event_name_s == "Activities."
+ and activityType_d in (23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011)
+ | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
+ | parse description_s with * "with id=" id: string "," restOfMessage
+ | lookup EventTypeLookup on activityType_d
+ | extend
+ ActorUsername = iff(activityType_d == 102, "SentinelOne", coalesce(byUser, username, email)),
+ GroupName = coalesce(group, groupName, name),
+ TargetUsername = iff(isnotempty(byUser), username, ""),
+ PreviousPropertyValue = coalesce(oldDescription, oldRole),
+ NewPropertyValue = coalesce(description, role)
+ | extend GroupName = iff(GroupName == "null", "", GroupName)
+ | project-rename
+ EventStartTime = createdAt_t,
+ DvcIpAddr = ipAddress,
+ EventUid = _ResourceId,
+ ActorUserId = id,
+ GroupId = groupId_s,
+ EventMessage = primaryDescription_s,
+ EventOriginalUid = activityUuid_g
+ | extend
+ EventCount = int(1),
+ EventResult = "Success",
+ EventSeverity = "Informational",
+ EventSchema = "UserManagement",
+ EventSchemaVersion = "0.1.1",
+ EventProduct = "SentinelOne",
+ EventVendor = "SentinelOne",
+ EventResultDetails = "Other"
+ | extend
+ Dvc = coalesce(DvcIpAddr, "SentinelOne"),
+ EventEndTime = EventStartTime,
+ User = ActorUsername,
+ UpdatedPropertyName = EventSubType,
+ ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
+ GroupIdType = iff(isnotempty(GroupId), "UID", ""),
+ GroupNameType = iff(isnotempty(GroupName), "Simple", ""),
+ TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
+ AdditionalFields = bag_pack(
+ "userScope", userScope,
+ "scopeLevelName", scopeLevelName,
+ "scopeName", scopeName,
+ "modifiedFields", modifiedFields,
+ "roleName", roleName,
+ "deactivationPeriodInDays", deactivationPeriodInDays,
+ "descriptionChanged", descriptionChanged,
+ "groupType", groupType
+ )
+ | project-away
+ *_b,
+ *_d,
+ *_g,
+ *_s,
+ *_t,
+ byUser,
+ username,
+ email,
+ group,
+ groupName,
+ name,
+ oldDescription,
+ oldRole,
+ description,
+ role,
+ userScope,
+ scopeLevelName,
+ scopeName,
+ roleName,
+ modifiedFields,
+ deactivationPeriodInDays,
+ descriptionChanged,
+ groupType,
+ restOfMessage,
+ TenantId,
+ RawData,
+ Computer,
+ MG,
+ ManagementGroupName,
+ SourceSystem
+ };
+ parser(disabled=disabled)
\ No newline at end of file
diff --git a/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_SchemaTest.csv b/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_SchemaTest.csv
new file mode 100644
index 00000000000..1289c201795
--- /dev/null
+++ b/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_SchemaTest.csv
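Review bot: `DvcIpAddr = ipAddress` in the project-rename puts the address the actor connected from into the reporting-device field, and `Dvc = coalesce(DvcIpAddr, "SentinelOne")` then makes the Dvc identity change with every administrator; the sample rows' secondaryDescription ("IP address: 1.1.1.1") suggests ipAddress is the origin of the activity, which ASIM carries in the Src fields, so `SrcIpAddr = ipAddress` in the rename and a constant `Dvc = "SentinelOne"` would keep device and source separable in hunting queries. DataFields_s is a JSON object in the sample data but is read with parse-kv, and the `GroupName == "null"` extend indicates JSON nulls arrive as the literal string "null"; that workaround covers GroupName only, while PreviousPropertyValue, NewPropertyValue and the AdditionalFields bag would presumably keep the literal, and values such as description that contain commas, colons or escaped quotes would split incorrectly. Parsing the field once with parse_json and projecting the keys with tostring (nulls become empty strings) removes the literal-"null" handling and the delimiter sensitivity; the added DataFields column would need to join the project-away list. In References, `- Link: https://.sentinelone.net/api-doc/overview` starts a new list item instead of belonging to the "SentinelOne Documentation" entry, and its host has an empty first label; it should read `  Link: https://<CONSOLE-HOST-PLACEHOLDER>.sentinelone.net/api-doc/overview` indented under that title, with the real documentation host filled in.
```kusto
| extend DataFields = parse_json(DataFields_s)
| extend
    byUser = tostring(DataFields.byUser),
    username = tostring(DataFields.username),
    email = tostring(DataFields.email),
    ipAddress = tostring(DataFields.ipAddress),
    group = tostring(DataFields.group),
    groupName = tostring(DataFields.groupName),
    name = tostring(DataFields.name),
    oldDescription = tostring(DataFields.oldDescription),
    oldRole = tostring(DataFields.oldRole),
    description = tostring(DataFields.description),
    role = tostring(DataFields.role),
    userScope = tostring(DataFields.userScope),
    scopeLevelName = tostring(DataFields.scopeLevelName),
    scopeName = tostring(DataFields.scopeName),
    roleName = tostring(DataFields.roleName),
    modifiedFields = tostring(DataFields.modifiedFields),
    deactivationPeriodInDays = tostring(DataFields.deactivationPeriodInDays),
    descriptionChanged = tostring(DataFields.descriptionChanged),
    groupType = tostring(DataFields.groupType)
// … unchanged: parse description_s, lookup EventTypeLookup, ActorUsername/GroupName/Target extends (the "null" extend is no longer needed) …
| project-rename
    EventStartTime = createdAt_t,
    SrcIpAddr = ipAddress,
// … unchanged: remaining renames and constant-field extends …
| extend
    Dvc = "SentinelOne",
// … unchanged: rest of the extend, project-away plus DataFields …
```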
@@ -0,0 +1,41 @@
+Result
+"(2) Info: extra unnormalized column [ActorUserId]"
+"(2) Info: extra unnormalized column [ActorUsernameType]"
+"(2) Info: extra unnormalized column [ActorUsername]"
+"(2) Info: extra unnormalized column [AdditionalFields]"
+"(2) Info: extra unnormalized column [DvcHostname]"
+"(2) Info: extra unnormalized column [DvcIpAddr]"
+"(2) Info: extra unnormalized column [DvcOriginalAction]"
+"(2) Info: extra unnormalized column [DvcOs]"
+"(2) Info: extra unnormalized column [Dvc]"
+"(2) Info: extra unnormalized column [EventCount]"
+"(2) Info: extra unnormalized column [EventEndTime]"
+"(2) Info: extra unnormalized column [EventMessage]"
+"(2) Info: extra unnormalized column [EventOriginalType]"
+"(2) Info: extra unnormalized column [EventOriginalUid]"
+"(2) Info: extra unnormalized column [EventProductVersion]"
+"(2) Info: extra unnormalized column [EventProduct]"
+"(2) Info: extra unnormalized column [EventResultDetails]"
+"(2) Info: extra unnormalized column [EventResult]"
+"(2) Info: extra unnormalized column [EventSchemaVersion]"
+"(2) Info: extra unnormalized column [EventSchema]"
+"(2) Info: extra unnormalized column [EventSeverity]"
+"(2) Info: extra unnormalized column [EventStartTime]"
+"(2) Info: extra unnormalized column [EventSubType]"
+"(2) Info: extra unnormalized column [EventType]"
+"(2) Info: extra unnormalized column [EventUid]"
+"(2) Info: extra unnormalized column [EventVendor]"
+"(2) Info: extra unnormalized column [GroupIdType]"
+"(2) Info: extra unnormalized column [GroupId]"
+"(2) Info: extra unnormalized column [GroupNameType]"
+"(2) Info: extra unnormalized column [GroupName]"
+"(2) Info: extra unnormalized column [Hostname]"
+"(2) Info: extra unnormalized column [NewPropertyValue]"
+"(2) Info: extra unnormalized column [PreviousPropertyValue]"
+"(2) Info: extra unnormalized column [SrcDeviceType]"
+"(2) Info: extra unnormalized column [TargetUsernameType]"
+"(2) Info: extra unnormalized column [TargetUsername]"
+"(2) Info: extra unnormalized column [TimeGenerated]"
+"(2) Info: extra unnormalized column [Type]"
+"(2) Info: extra unnormalized column [UpdatedPropertyName]"
+"(2) Info: extra unnormalized column [User]"
diff --git a/Sample Data/ASIM/SentinelOne_ASimUserManagement_IngestedLogs.csv b/Sample Data/ASIM/SentinelOne_ASimUserManagement_IngestedLogs.csv
new file mode 100644
index 00000000000..550ec3a3d46
--- /dev/null
+++ b/Sample Data/ASIM/SentinelOne_ASimUserManagement_IngestedLogs.csv
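Review bot: The schema test result reports every column as an "extra unnormalized column", including mandatory ones such as EventType, EventStartTime and TimeGenerated, and it also lists columns this parser never emits (DvcHostname, DvcOriginalAction, DvcOs, EventProductVersion, Hostname, SrcDeviceType), so the file does not look like the tester's output for ASimUserManagementSentinelOne. It reads as if the tester ran without the UserManagement schema definition loaded, or the result was copied from another parser; regenerating it from this parser should leave only Info lines for fields genuinely outside the schema, with no mandatory field flagged. A related sample-data mismatch is visible in the IngestedLogs header, where `threatInfo_reachedarthentsLimit_b` does not match the `threatInfo_reachedEventsLimit_b` column added to SentinelOne_CL.json, which could shift columns when that CSV is ingested for testing.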
@@ -0,0 +1,23 @@ +TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,alertInfo_indicatorDescription_s,alertInfo_indicatorName_s,targetProcessInfo_tgtFileOldPath_s,alertInfo_indicatorCategory_s,alertInfo_registryOldValue_g,alertInfo_dstIp_s,alertInfo_dstPort_s,alertInfo_netEventDirection_s,alertInfo_srcIp_s,alertInfo_srcPort_s,containerInfo_id_s,targetProcessInfo_tgtFileId_g,alertInfo_registryOldValue_s,alertInfo_registryOldValueType_s,alertInfo_dnsRequest_s,alertInfo_dnsResponse_s,alertInfo_registryKeyPath_s,alertInfo_registryPath_s,alertInfo_registryValue_g,ruleInfo_description_s,alertInfo_registryValue_s,alertInfo_loginAccountDomain_s,alertInfo_loginAccountSid_s,alertInfo_loginIsAdministratorEquivalent_s,alertInfo_loginIsSuccessful_s,alertInfo_loginType_s,alertInfo_loginsUserName_s,alertInfo_srcMachineIp_s,targetProcessInfo_tgtProcCmdLine_s,targetProcessInfo_tgtProcImagePath_s,targetProcessInfo_tgtProcName_s,targetProcessInfo_tgtProcPid_s,targetProcessInfo_tgtProcSignedStatus_s,targetProcessInfo_tgtProcStorylineId_s,targetProcessInfo_tgtProcUid_s,sourceParentProcessInfo_storyline_g,sourceParentProcessInfo_uniqueId_g,sourceProcessInfo_storyline_g,sourceProcessInfo_uniqueId_g,targetProcessInfo_tgtProcStorylineId_g,targetProcessInfo_tgtProcUid_g,agentDetectionInfo_machineType_s,agentDetectionInfo_name_s,agentDetectionInfo_osFamily_s,agentDetectionInfo_osName_s,agentDetectionInfo_osRevision_s,agentDetectionInfo_uuid_g,agentDetectionInfo_version_s,agentRealtimeInfo_id_s,agentRealtimeInfo_infected_b,agentRealtimeInfo_isActive_b,agentRealtimeInfo_isDecommissioned_b,agentRealtimeInfo_machineType_s,agentRealtimeInfo_name_s,agentRealtimeInfo_os_s,agentRealtimeInfo_uuid_g,alertInfo_alertId_s,alertInfo_analystVerdict_s,alertInfo_createdAt_t [UTC],alertInfo_dvEventId_s,alertInfo_eventType_s,alertInfo_hitType_s,alertInfo_incidentStatus_s,alertInfo_isEdr_b,alertInfo_reportedAt_t [UTC],alertInfo_source_s,alertInfo_updatedAt_t 
[UTC],ruleInfo_id_s,ruleInfo_name_s,ruleInfo_queryLang_s,ruleInfo_queryType_s,ruleInfo_s1ql_s,ruleInfo_scopeLevel_s,ruleInfo_severity_s,ruleInfo_treatAsThreat_s,sourceParentProcessInfo_commandline_s,sourceParentProcessInfo_fileHashMd5_g,sourceParentProcessInfo_fileHashSha1_s,sourceParentProcessInfo_fileHashSha256_s,sourceParentProcessInfo_filePath_s,sourceParentProcessInfo_fileSignerIdentity_s,sourceParentProcessInfo_integrityLevel_s,sourceParentProcessInfo_name_s,sourceParentProcessInfo_pid_s,sourceParentProcessInfo_pidStarttime_t [UTC],sourceParentProcessInfo_storyline_s,sourceParentProcessInfo_subsystem_s,sourceParentProcessInfo_uniqueId_s,sourceParentProcessInfo_user_s,sourceProcessInfo_commandline_s,sourceProcessInfo_fileHashMd5_g,sourceProcessInfo_fileHashSha1_s,sourceProcessInfo_fileHashSha256_s,sourceProcessInfo_filePath_s,sourceProcessInfo_fileSignerIdentity_s,sourceProcessInfo_integrityLevel_s,sourceProcessInfo_name_s,sourceProcessInfo_pid_s,sourceProcessInfo_pidStarttime_t [UTC],sourceProcessInfo_storyline_s,sourceProcessInfo_subsystem_s,sourceProcessInfo_uniqueId_s,sourceProcessInfo_user_s,targetProcessInfo_tgtFileCreatedAt_t [UTC],targetProcessInfo_tgtFileHashSha1_s,targetProcessInfo_tgtFileHashSha256_s,targetProcessInfo_tgtFileId_s,targetProcessInfo_tgtFileIsSigned_s,targetProcessInfo_tgtFileModifiedAt_t [UTC],targetProcessInfo_tgtFilePath_s,targetProcessInfo_tgtProcIntegrityLevel_s,targetProcessInfo_tgtProcessStartTime_t 
[UTC],agentUpdatedVersion_s,agentId_s,hash_s,osFamily_s,threatId_s,creator_s,creatorId_s,inherits_b,isDefault_b,name_s,registrationToken_s,totalAgents_d,type_s,agentDetectionInfo_accountId_s,agentDetectionInfo_accountName_s,agentDetectionInfo_agentDetectionState_s,agentDetectionInfo_agentDomain_s,agentDetectionInfo_agentIpV4_s,agentDetectionInfo_agentIpV6_s,agentDetectionInfo_agentLastLoggedInUserName_s,agentDetectionInfo_agentMitigationMode_s,agentDetectionInfo_agentOsName_s,agentDetectionInfo_agentOsRevision_s,agentDetectionInfo_agentRegisteredAt_t [UTC],agentDetectionInfo_agentUuid_g,agentDetectionInfo_agentVersion_s,agentDetectionInfo_externalIp_s,agentDetectionInfo_groupId_s,agentDetectionInfo_groupName_s,agentDetectionInfo_siteId_s,agentDetectionInfo_siteName_s,agentRealtimeInfo_accountId_s,agentRealtimeInfo_accountName_s,agentRealtimeInfo_activeThreats_d,agentRealtimeInfo_agentComputerName_s,agentRealtimeInfo_agentDomain_s,agentRealtimeInfo_agentId_s,agentRealtimeInfo_agentInfected_b,agentRealtimeInfo_agentIsActive_b,agentRealtimeInfo_agentIsDecommissioned_b,agentRealtimeInfo_agentMachineType_s,agentRealtimeInfo_agentMitigationMode_s,agentRealtimeInfo_agentNetworkStatus_s,agentRealtimeInfo_agentOsName_s,agentRealtimeInfo_agentOsRevision_s,agentRealtimeInfo_agentOsType_s,agentRealtimeInfo_agentUuid_g,agentRealtimeInfo_agentVersion_s,agentRealtimeInfo_groupId_s,agentRealtimeInfo_groupName_s,agentRealtimeInfo_networkInterfaces_s,agentRealtimeInfo_operationalState_s,agentRealtimeInfo_rebootRequired_b,agentRealtimeInfo_scanFinishedAt_t [UTC],agentRealtimeInfo_scanStartedAt_t 
[UTC],agentRealtimeInfo_scanStatus_s,agentRealtimeInfo_siteId_s,agentRealtimeInfo_siteName_s,agentRealtimeInfo_userActionsNeeded_s,indicators_s,mitigationStatus_s,threatInfo_analystVerdict_s,threatInfo_analystVerdictDescription_s,threatInfo_automaticallyResolved_b,threatInfo_certificateId_s,threatInfo_classification_s,threatInfo_classificationSource_s,threatInfo_cloudFilesHashVerdict_s,threatInfo_collectionId_s,threatInfo_confidenceLevel_s,threatInfo_createdAt_t [UTC],threatInfo_detectionEngines_s,threatInfo_detectionType_s,threatInfo_engines_s,threatInfo_externalTicketExists_b,threatInfo_failedActions_b,threatInfo_fileExtension_s,threatInfo_fileExtensionType_s,threatInfo_filePath_s,threatInfo_fileSize_d,threatInfo_fileVerificationType_s,threatInfo_identifiedAt_t [UTC],threatInfo_incidentStatus_s,threatInfo_incidentStatusDescription_s,threatInfo_initiatedBy_s,threatInfo_initiatedByDescription_s,threatInfo_isFileless_b,threatInfo_isValidCertificate_b,threatInfo_mitigatedPreemptively_b,threatInfo_mitigationStatus_s,threatInfo_mitigationStatusDescription_s,threatInfo_originatorProcess_s,threatInfo_pendingActions_b,threatInfo_processUser_s,threatInfo_publisherName_s,threatInfo_reachedarthentsLimit_b,threatInfo_rebootRequired_b,threatInfo_sha1_s,threatInfo_storyline_s,threatInfo_threatId_s,threatInfo_threatName_s,threatInfo_updatedAt_t [UTC],whiteningOptions_s,threatInfo_maliciousProcessArguments_s,threatInfo_fileExtension_g,threatInfo_threatName_g,threatInfo_storyline_g,accountId_s,accountName_s,activityType_d,activityUuid_g,createdAt_t [UTC],id_s,primaryDescription_s,secondaryDescription_s,siteId_s,siteName_s,updatedAt_t 
[UTC],userId_s,event_name_s,DataFields_s,description_s,comments_s,activeDirectory_computerMemberOf_s,activeDirectory_lastUserMemberOf_s,activeThreats_d,agentVersion_s,allowRemoteShell_b,appsVulnerabilityStatus_s,computerName_s,consoleMigrationStatus_s,coreCount_d,cpuCount_d,cpuId_s,detectionState_s,domain_s,encryptedApplications_b,externalId_s,externalIp_s,firewallEnabled_b,firstFullModeTime_t [UTC],fullDiskScanLastUpdatedAt_t [UTC],groupId_s,groupIp_s,groupName_s,inRemoteShellSession_b,infected_b,installerType_s,isActive_b,isDecommissioned_b,isPendingUninstall_b,isUninstalled_b,isUpToDate_b,lastActiveDate_t [UTC],lastIpToMgmt_s,lastLoggedInUserName_s,licenseKey_s,locationEnabled_b,locationType_s,locations_s,machineType_s,mitigationMode_s,mitigationModeSuspicious_s,modelName_s,networkInterfaces_s,networkQuarantineEnabled_b,networkStatus_s,operationalState_s,osArch_s,osName_s,osRevision_s,osStartTime_t [UTC],osType_s,rangerStatus_s,rangerVersion_s,registeredAt_t [UTC],remoteProfilingState_s,scanFinishedAt_t [UTC],scanStartedAt_t [UTC],scanStatus_s,serialNumber_s,showAlertIcon_b,tags_sentinelone_s,threatRebootRequired_b,totalMemory_d,userActionsNeeded_s,uuid_g,osUsername_s,scanAbortedAt_t [UTC],activeDirectory_computerDistinguishedName_s,activeDirectory_lastUserDistinguishedName_s,Type,_ResourceId +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 12:40:04 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,23,fb366a5d-1950-4106-80a9-2715c63030d9,"7/19/2023, 12:25:04 PM",1732588999478741481,The management user Nick Man added user Darth as Viewer.,IP address: 1.1.1.1,,,"7/19/2023, 12:25:04 PM",1732588998690212150,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Account Crest Data Systems"", 
""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""role"": ""Viewer"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""Darth""}","",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 9:40:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,37,c8e96690-cfc1-4c30-96dc-74c59d18ed96,"7/25/2023, 9:25:03 AM",1736847049504106605,The management user Nick Man added user Dave to role Viewer in scope Crest Data Systems,IP address: 1.1.1.1,,,"7/25/2023, 9:25:03 AM",1716583470262263007,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""role"": ""Viewer"", ""roleName"": ""Viewer"", ""scopeLevel"": ""Account"", ""scopeLevelName"": ""Crest Data Systems"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""Dave""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 9:40:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,37,5d68c5d5-0693-4f28-ae15-5e1a0ea2bb04,"7/25/2023, 9:26:08 AM",1736847596114257723,The 
management user Nick Man added user Dave to role Admin in scope Crest Data Systems,IP address: 1.1.1.1,,,"7/25/2023, 9:26:08 AM",1716583470262263007,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""role"": ""Admin"", ""roleName"": ""Admin"", ""scopeLevel"": ""Account"", ""scopeLevelName"": ""Crest Data Systems"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""Dave""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/6/2023, 6:04:55 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,23,5298b51f-599a-4613-9118-87bbd70e6b61,"7/5/2023, 1:12:24 PM",1722465966578341798,The management user NisMan added user jack as Admin.,IP address: 1.1.1.2,1712500242422055104,Default site,"7/5/2023, 1:12:24 PM",1722465965663983441,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""NisMan"", ""fullScopeDetails"": ""Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site"", ""groupName"": null, ""ipAddress"": ""1.1.1.2"", ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Site"", ""scopeName"": ""Default site"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""userScope"": ""site"", ""username"": ""jack""}","",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 9:40:03 
AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,24,6d73dfa5-3947-43d2-b716-29e849dc3153,"7/25/2023, 9:25:03 AM",1736847049755764852,"The management user Nick Man updated the management user Dave. +Modified fields: User scope roles",IP address: 1.1.1.1,,,"7/25/2023, 9:25:03 AM",1716583470262263007,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""modifiedFields"": ""Modified fields: User scope roles"", ""realUser"": null, ""role"": ""Viewer"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""Dave""}",Nick Man,Modified fields: User scope roles,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/25/2023, 9:40:03 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,24,5c5e7e13-fd66-4b2d-a28a-1174af876f70,"7/25/2023, 9:26:08 AM",1736847596407859079,"The management user Nick Man updated the management user Dave. 
+Modified fields: User scope roles",IP address: 1.1.1.1,,,"7/25/2023, 9:26:08 AM",1716583470262263007,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""modifiedFields"": ""Modified fields: User scope roles"", ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""Dave""}",Nick Man,Modified fields: User scope roles,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 11:50:04 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,110,89b49441-4f83-4e54-91b0-29f02a4a996e,"7/20/2023, 11:39:00 AM",1733290588638022118,The management user Nick Man gave permission to the management user Nirvato generate API tokens.,IP address: 1.1.1.1,1712500242422055104,Default site,"7/20/2023, 11:39:00 AM",1722466127522197269,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Site"", ""scopeName"": ""Default site"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""userScope"": ""site"", ""username"": ""Nirva""}",Nirva,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/21/2023, 7:00:18 
AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,5006,37b6aca3-6759-4406-9990-9427ff5947ec,"7/21/2023, 6:46:32 AM",1733868167914689364,The management user Nick Man deleted the Manual Group: Test.,IP address: 1.1.1.1,1712500242422055104,Default site,"7/21/2023, 6:46:32 AM",1712986475444464777,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Group Test in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Test"", ""groupId"": 1721525955683466807, ""groupName"": ""Test"", ""groupType"": ""Manual"", ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""scopeLevel"": ""Group"", ""scopeName"": ""Test"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Nick Man""}",,,,,,,,,,,,,,,,,,,,,,1721525955683466807,,Test,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/6/2023, 12:50:14 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,25,9b9a0977-8483-4f2c-8bba-f85c50f01559,"6/27/2023, 10:24:22 AM",1716583181635393170,The management user NisMan deleted the user Dave.,IP address: 1.1.1.2,1712500242422055104,Default site,"6/27/2023, 10:24:22 AM",1716583004803512585,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""NisMan"", ""deactivationPeriodInDays"": ""90"", ""fullScopeDetails"": ""Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site"", ""groupName"": null, ""ipAddress"": ""1.1.1.2"", 
""realUser"": null, ""role"": ""Viewer"", ""scopeLevel"": ""Site"", ""scopeName"": ""Default site"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""userScope"": ""site"", ""username"": ""Dave""}",NisMan,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 12:50:03 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,140,2ad1ba17-d519-4866-b401-67da64e3317a,"7/19/2023, 12:38:17 PM",1732595655286628841,The management user Nick Man added a new Service User Darth with the description Darth to Crest Data Systems with role Admin.,IP address: 1.1.1.1,,,"7/19/2023, 12:38:17 PM",1732595654439379351,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""description"": ""Darth"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""roleName"": ""Admin"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""username"": ""Darth""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 12:50:03 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,140,3f33a1f3-9f08-490b-8f94-760a9135e13f,"7/19/2023, 12:39:28 PM",1732596251003720722,The management user Nick Man added a new Service User Darth with the description Darth to Default site with role C-Level.,IP 
address: 1.1.1.1,1712500242422055104,Default site,"7/19/2023, 12:39:28 PM",1732595654439379351,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""description"": ""Darth"", ""fullScopeDetails"": ""Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""roleName"": ""C-Level"", ""scopeLevel"": ""Site"", ""scopeName"": ""Default site"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Darth""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/6/2023, 12:50:14 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,5008,327cc7b4-f116-490d-9a0b-53d572cce162,"6/22/2023, 12:44:45 PM",1713029962565392283,The management user Nick Man created the new Manual Group: Crest Data Systems.,IP address: 1.1.1.1,1712500242422055104,Default site,"6/22/2023, 12:44:45 PM",1712986475444464777,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Group Crest Data Systems in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Crest Data Systems"", ""groupId"": ""1713029962380842894"", ""groupName"": ""Crest Data Systems"", ""groupType"": ""Manual"", ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""scopeLevel"": ""Group"", ""scopeName"": ""Crest Data Systems"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Nick Man""}",,,,,,,,,,,,,,,,,,,,,,1713029962380842894,,Crest Data Systems,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, 
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/6/2023, 12:50:14 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,5008,6a5ae272-d4df-4986-a8ec-b1c9c09ef60d,"7/4/2023, 6:04:46 AM",1721525955893182011,The management user Dave created the new Manual Group: Test.,IP address: 1.1.1.2,1712500242422055104,Default site,"7/4/2023, 6:04:46 AM",1716583470262263007,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Group Test in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Test"", ""groupId"": ""1721525955683466807"", ""groupName"": ""Test"", ""groupType"": ""Manual"", ""ipAddress"": ""1.1.1.2"", ""realUser"": null, ""scopeLevel"": ""Group"", ""scopeName"": ""Test"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Dave""}",,,,,,,,,,,,,,,,,,,,,,1721525955683466807,,Test,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 12:50:03 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,142,46b211c2-1223-4ff0-9cfc-a3fc7eed4b05,"7/19/2023, 12:39:28 PM",1732596250928223249,The management user Nick Man deleted the Service User Darth from scope Crest Data Systems.,IP address: 1.1.1.1,,,"7/19/2023, 12:39:28 PM",1732595654439379351,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""description"": ""Darth"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, 
""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""username"": ""Darth""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 10:20:04 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,5006,a180e2f3-fb7e-44fc-adfe-cbc5d250d9ed,"7/20/2023, 10:03:42 AM",1733242623065122727,The management user Nirvadeleted the Manual Group: Test Group Activity.,IP address: 1.1.1.2,1712500242422055104,Default site,"7/20/2023, 10:03:42 AM",1722466127522197269,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Group Test Group Activity in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Test Group Activity"", ""groupId"": 1733236199462385361, ""groupName"": ""Test Group Activity"", ""groupType"": ""Manual"", ""ipAddress"": ""1.1.1.2"", ""realUser"": null, ""scopeLevel"": ""Group"", ""scopeName"": ""Test Group Activity"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Nirva""}",,,,,,,,,,,,,,,,,,,,,,1733236199462385361,,Test Group Activity,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 12:50:03 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,25,eded5a54-86c8-4337-9dff-e3e13a9305f2,"7/19/2023, 12:37:15 PM",1732595136375643864,The management user Nick Man deleted the 
user Darth.,IP address: 1.1.1.1,,,"7/19/2023, 12:37:15 PM",1732588998690212150,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""deactivationPeriodInDays"": ""90"", ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""userScope"": ""account"", ""username"": ""Darth""}",Nick Man,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 12:50:03 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,141,df06ac01-c280-4a06-b3a3-0563c04b7e58,"7/19/2023, 12:38:55 PM",1732595970044029527,The management user Nick Man changed the role of the Service User Darth on scope Crest Data Systems. Previous role: Admin. 
New role: SOC.,IP address: 1.1.1.1,,,"7/19/2023, 12:38:55 PM",1732595654439379351,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""description"": ""Darth"", ""descriptionChanged"": false, ""fullScopeDetails"": ""Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""oldDescription"": ""N/A"", ""oldRole"": ""Admin"", ""realUser"": null, ""role"": ""SOC"", ""scopeLevel"": ""Account"", ""scopeName"": ""Crest Data Systems"", ""siteName"": null, ""sourceType"": ""UI"", ""username"": ""Darth""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/19/2023, 1:00:02 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,141,f4804b82-7729-499d-9157-f1ea3aa7e361,"7/19/2023, 12:41:17 PM",1732597165974508627,The management user Nick Man changed the role of the Service User Darth on scope Default site. Previous role: C-Level. 
New role: User Test.,IP address: 1.1.1.1,1712500242422055104,Default site,"7/19/2023, 12:41:17 PM",1732595654439379351,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""description"": ""Darth"", ""descriptionChanged"": false, ""fullScopeDetails"": ""Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""oldDescription"": ""N/A"", ""oldRole"": ""C-Level"", ""realUser"": null, ""role"": ""User Test"", ""scopeLevel"": ""Site"", ""scopeName"": ""Default site"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Darth""}",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 11:50:04 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,111,9cce98f3-b039-4ba0-a8f2-e0105b688546,"7/20/2023, 11:38:42 AM",1733290437886321178,The management user Nick Man blocked the management user Nirvafrom generating API tokens.,IP address: 1.1.1.1,1712500242422055104,Default site,"7/20/2023, 11:38:42 AM",1722466127522197269,Activities.,"{""accountName"": ""Crest Data Systems"", ""byUser"": ""Nick Man"", ""fullScopeDetails"": ""Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site"", ""groupName"": null, ""ipAddress"": ""1.1.1.1"", ""realUser"": null, ""role"": ""Admin"", ""scopeLevel"": ""Site"", ""scopeName"": ""Default site"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""userScope"": ""site"", ""username"": ""Nirva""}",Nirva,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, 
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/20/2023, 10:20:04 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1712500237934148927,Crest Data Systems,5011,1b86a2ea-9f84-4e5b-a918-a521b20d8f09,"7/20/2023, 10:07:15 AM",1733244408404449162,The management user Nirvareverted the policy of Group Test Pinned group to its Site policy.,IP address: 1.1.1.2,1712500242422055104,Default site,"7/20/2023, 10:07:14 AM",1722466127522197269,Activities.,"{""accountName"": ""Crest Data Systems"", ""fullScopeDetails"": ""Group Test Pinned group in Site Default site of Account Crest Data Systems"", ""fullScopeDetailsPath"": ""Global / Crest Data Systems / Default site / Test Pinned group"", ""groupId"": ""1733241822456258550"", ""groupName"": ""Test Pinned group"", ""groupType"": ""Pinned"", ""ipAddress"": ""1.1.1.2"", ""realUser"": null, ""scopeLevel"": ""Group"", ""scopeName"": ""Test Pinned group"", ""siteName"": ""Default site"", ""sourceType"": ""UI"", ""username"": ""Nirva""}",,,,,,,,,,,,,,,,,,,,,,1733241822456258550,,Test Pinned group,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SentinelOne_CL, \ No newline at end of file diff --git a/Sample Data/ASIM/SentinelOne_CL_Schema.csv b/Sample Data/ASIM/SentinelOne_CL_Schema.csv new file mode 100644 index 00000000000..7432410acb8 --- /dev/null +++ b/Sample Data/ASIM/SentinelOne_CL_Schema.csv 
@@ -0,0 +1,313 @@ +ColumnName,ColumnOrdinal,DataType,ColumnType +TenantId,0,"System.String",string +SourceSystem,1,"System.String",string +MG,2,"System.String",string +ManagementGroupName,3,"System.String",string +TimeGenerated,4,"System.DateTime",datetime +Computer,5,"System.String",string +RawData,6,"System.String",string +"alertInfo_indicatorDescription_s",7,"System.String",string +"alertInfo_indicatorName_s",8,"System.String",string +"targetProcessInfo_tgtFileOldPath_s",9,"System.String",string +"alertInfo_indicatorCategory_s",10,"System.String",string +"alertInfo_registryOldValue_g",11,"System.String",string +"alertInfo_dstIp_s",12,"System.String",string +"alertInfo_dstPort_s",13,"System.String",string +"alertInfo_netEventDirection_s",14,"System.String",string +"alertInfo_srcIp_s",15,"System.String",string +"alertInfo_srcPort_s",16,"System.String",string +"containerInfo_id_s",17,"System.String",string +"targetProcessInfo_tgtFileId_g",18,"System.String",string +"alertInfo_registryOldValue_s",19,"System.String",string +"alertInfo_registryOldValueType_s",20,"System.String",string +"alertInfo_dnsRequest_s",21,"System.String",string +"alertInfo_dnsResponse_s",22,"System.String",string +"alertInfo_registryKeyPath_s",23,"System.String",string +"alertInfo_registryPath_s",24,"System.String",string +"alertInfo_registryValue_g",25,"System.String",string +"ruleInfo_description_s",26,"System.String",string +"alertInfo_registryValue_s",27,"System.String",string +"alertInfo_loginAccountDomain_s",28,"System.String",string +"alertInfo_loginAccountSid_s",29,"System.String",string +"alertInfo_loginIsAdministratorEquivalent_s",30,"System.String",string +"alertInfo_loginIsSuccessful_s",31,"System.String",string +"alertInfo_loginType_s",32,"System.String",string +"alertInfo_loginsUserName_s",33,"System.String",string +"alertInfo_srcMachineIp_s",34,"System.String",string +"targetProcessInfo_tgtProcCmdLine_s",35,"System.String",string 
+"targetProcessInfo_tgtProcImagePath_s",36,"System.String",string +"targetProcessInfo_tgtProcName_s",37,"System.String",string +"targetProcessInfo_tgtProcPid_s",38,"System.String",string +"targetProcessInfo_tgtProcSignedStatus_s",39,"System.String",string +"targetProcessInfo_tgtProcStorylineId_s",40,"System.String",string +"targetProcessInfo_tgtProcUid_s",41,"System.String",string +"sourceParentProcessInfo_storyline_g",42,"System.String",string +"sourceParentProcessInfo_uniqueId_g",43,"System.String",string +"sourceProcessInfo_storyline_g",44,"System.String",string +"sourceProcessInfo_uniqueId_g",45,"System.String",string +"targetProcessInfo_tgtProcStorylineId_g",46,"System.String",string +"targetProcessInfo_tgtProcUid_g",47,"System.String",string +"agentDetectionInfo_machineType_s",48,"System.String",string +"agentDetectionInfo_name_s",49,"System.String",string +"agentDetectionInfo_osFamily_s",50,"System.String",string +"agentDetectionInfo_osName_s",51,"System.String",string +"agentDetectionInfo_osRevision_s",52,"System.String",string +"agentDetectionInfo_uuid_g",53,"System.String",string +"agentDetectionInfo_version_s",54,"System.String",string +"agentRealtimeInfo_id_s",55,"System.String",string +"agentRealtimeInfo_infected_b",56,"System.SByte",bool +"agentRealtimeInfo_isActive_b",57,"System.SByte",bool +"agentRealtimeInfo_isDecommissioned_b",58,"System.SByte",bool +"agentRealtimeInfo_machineType_s",59,"System.String",string +"agentRealtimeInfo_name_s",60,"System.String",string +"agentRealtimeInfo_os_s",61,"System.String",string +"agentRealtimeInfo_uuid_g",62,"System.String",string +"alertInfo_alertId_s",63,"System.String",string +"alertInfo_analystVerdict_s",64,"System.String",string +"alertInfo_createdAt_t",65,"System.DateTime",datetime +"alertInfo_dvEventId_s",66,"System.String",string +"alertInfo_eventType_s",67,"System.String",string +"alertInfo_hitType_s",68,"System.String",string +"alertInfo_incidentStatus_s",69,"System.String",string 
+"alertInfo_isEdr_b",70,"System.SByte",bool +"alertInfo_reportedAt_t",71,"System.DateTime",datetime +"alertInfo_source_s",72,"System.String",string +"alertInfo_updatedAt_t",73,"System.DateTime",datetime +"ruleInfo_id_s",74,"System.String",string +"ruleInfo_name_s",75,"System.String",string +"ruleInfo_queryLang_s",76,"System.String",string +"ruleInfo_queryType_s",77,"System.String",string +"ruleInfo_s1ql_s",78,"System.String",string +"ruleInfo_scopeLevel_s",79,"System.String",string +"ruleInfo_severity_s",80,"System.String",string +"ruleInfo_treatAsThreat_s",81,"System.String",string +"sourceParentProcessInfo_commandline_s",82,"System.String",string +"sourceParentProcessInfo_fileHashMd5_g",83,"System.String",string +"sourceParentProcessInfo_fileHashSha1_s",84,"System.String",string +"sourceParentProcessInfo_fileHashSha256_s",85,"System.String",string +"sourceParentProcessInfo_filePath_s",86,"System.String",string +"sourceParentProcessInfo_fileSignerIdentity_s",87,"System.String",string +"sourceParentProcessInfo_integrityLevel_s",88,"System.String",string +"sourceParentProcessInfo_name_s",89,"System.String",string +"sourceParentProcessInfo_pid_s",90,"System.String",string +"sourceParentProcessInfo_pidStarttime_t",91,"System.DateTime",datetime +"sourceParentProcessInfo_storyline_s",92,"System.String",string +"sourceParentProcessInfo_subsystem_s",93,"System.String",string +"sourceParentProcessInfo_uniqueId_s",94,"System.String",string +"sourceParentProcessInfo_user_s",95,"System.String",string +"sourceProcessInfo_commandline_s",96,"System.String",string +"sourceProcessInfo_fileHashMd5_g",97,"System.String",string +"sourceProcessInfo_fileHashSha1_s",98,"System.String",string +"sourceProcessInfo_fileHashSha256_s",99,"System.String",string +"sourceProcessInfo_filePath_s",100,"System.String",string +"sourceProcessInfo_fileSignerIdentity_s",101,"System.String",string +"sourceProcessInfo_integrityLevel_s",102,"System.String",string 
+"sourceProcessInfo_name_s",103,"System.String",string +"sourceProcessInfo_pid_s",104,"System.String",string +"sourceProcessInfo_pidStarttime_t",105,"System.DateTime",datetime +"sourceProcessInfo_storyline_s",106,"System.String",string +"sourceProcessInfo_subsystem_s",107,"System.String",string +"sourceProcessInfo_uniqueId_s",108,"System.String",string +"sourceProcessInfo_user_s",109,"System.String",string +"targetProcessInfo_tgtFileCreatedAt_t",110,"System.DateTime",datetime +"targetProcessInfo_tgtFileHashSha1_s",111,"System.String",string +"targetProcessInfo_tgtFileHashSha256_s",112,"System.String",string +"targetProcessInfo_tgtFileId_s",113,"System.String",string +"targetProcessInfo_tgtFileIsSigned_s",114,"System.String",string +"targetProcessInfo_tgtFileModifiedAt_t",115,"System.DateTime",datetime +"targetProcessInfo_tgtFilePath_s",116,"System.String",string +"targetProcessInfo_tgtProcIntegrityLevel_s",117,"System.String",string +"targetProcessInfo_tgtProcessStartTime_t",118,"System.DateTime",datetime +"agentUpdatedVersion_s",119,"System.String",string +"agentId_s",120,"System.String",string +"hash_s",121,"System.String",string +"osFamily_s",122,"System.String",string +"threatId_s",123,"System.String",string +"creator_s",124,"System.String",string +"creatorId_s",125,"System.String",string +"inherits_b",126,"System.SByte",bool +"isDefault_b",127,"System.SByte",bool +"name_s",128,"System.String",string +"registrationToken_s",129,"System.String",string +"totalAgents_d",130,"System.Double",real +"type_s",131,"System.String",string +"agentDetectionInfo_accountId_s",132,"System.String",string +"agentDetectionInfo_accountName_s",133,"System.String",string +"agentDetectionInfo_agentDetectionState_s",134,"System.String",string +"agentDetectionInfo_agentDomain_s",135,"System.String",string +"agentDetectionInfo_agentIpV4_s",136,"System.String",string +"agentDetectionInfo_agentIpV6_s",137,"System.String",string 
+"agentDetectionInfo_agentLastLoggedInUserName_s",138,"System.String",string +"agentDetectionInfo_agentMitigationMode_s",139,"System.String",string +"agentDetectionInfo_agentOsName_s",140,"System.String",string +"agentDetectionInfo_agentOsRevision_s",141,"System.String",string +"agentDetectionInfo_agentRegisteredAt_t",142,"System.DateTime",datetime +"agentDetectionInfo_agentUuid_g",143,"System.String",string +"agentDetectionInfo_agentVersion_s",144,"System.String",string +"agentDetectionInfo_externalIp_s",145,"System.String",string +"agentDetectionInfo_groupId_s",146,"System.String",string +"agentDetectionInfo_groupName_s",147,"System.String",string +"agentDetectionInfo_siteId_s",148,"System.String",string +"agentDetectionInfo_siteName_s",149,"System.String",string +"agentRealtimeInfo_accountId_s",150,"System.String",string +"agentRealtimeInfo_accountName_s",151,"System.String",string +"agentRealtimeInfo_activeThreats_d",152,"System.Double",real +"agentRealtimeInfo_agentComputerName_s",153,"System.String",string +"agentRealtimeInfo_agentDomain_s",154,"System.String",string +"agentRealtimeInfo_agentId_s",155,"System.String",string +"agentRealtimeInfo_agentInfected_b",156,"System.SByte",bool +"agentRealtimeInfo_agentIsActive_b",157,"System.SByte",bool +"agentRealtimeInfo_agentIsDecommissioned_b",158,"System.SByte",bool +"agentRealtimeInfo_agentMachineType_s",159,"System.String",string +"agentRealtimeInfo_agentMitigationMode_s",160,"System.String",string +"agentRealtimeInfo_agentNetworkStatus_s",161,"System.String",string +"agentRealtimeInfo_agentOsName_s",162,"System.String",string +"agentRealtimeInfo_agentOsRevision_s",163,"System.String",string +"agentRealtimeInfo_agentOsType_s",164,"System.String",string +"agentRealtimeInfo_agentUuid_g",165,"System.String",string +"agentRealtimeInfo_agentVersion_s",166,"System.String",string +"agentRealtimeInfo_groupId_s",167,"System.String",string +"agentRealtimeInfo_groupName_s",168,"System.String",string 
+"agentRealtimeInfo_networkInterfaces_s",169,"System.String",string
+"agentRealtimeInfo_operationalState_s",170,"System.String",string
+"agentRealtimeInfo_rebootRequired_b",171,"System.SByte",bool
+"agentRealtimeInfo_scanFinishedAt_t",172,"System.DateTime",datetime
+"agentRealtimeInfo_scanStartedAt_t",173,"System.DateTime",datetime
+"agentRealtimeInfo_scanStatus_s",174,"System.String",string
+"agentRealtimeInfo_siteId_s",175,"System.String",string
+"agentRealtimeInfo_siteName_s",176,"System.String",string
+"agentRealtimeInfo_userActionsNeeded_s",177,"System.String",string
+"indicators_s",178,"System.String",string
+"mitigationStatus_s",179,"System.String",string
+"threatInfo_analystVerdict_s",180,"System.String",string
+"threatInfo_analystVerdictDescription_s",181,"System.String",string
+"threatInfo_automaticallyResolved_b",182,"System.SByte",bool
+"threatInfo_certificateId_s",183,"System.String",string
+"threatInfo_classification_s",184,"System.String",string
+"threatInfo_classificationSource_s",185,"System.String",string
+"threatInfo_cloudFilesHashVerdict_s",186,"System.String",string
+"threatInfo_collectionId_s",187,"System.String",string
+"threatInfo_confidenceLevel_s",188,"System.String",string
+"threatInfo_createdAt_t",189,"System.DateTime",datetime
+"threatInfo_detectionEngines_s",190,"System.String",string
+"threatInfo_detectionType_s",191,"System.String",string
+"threatInfo_engines_s",192,"System.String",string
+"threatInfo_externalTicketExists_b",193,"System.SByte",bool
+"threatInfo_failedActions_b",194,"System.SByte",bool
+"threatInfo_fileExtension_s",195,"System.String",string
+"threatInfo_fileExtensionType_s",196,"System.String",string
+"threatInfo_filePath_s",197,"System.String",string
+"threatInfo_fileSize_d",198,"System.Double",real
+"threatInfo_fileVerificationType_s",199,"System.String",string
+"threatInfo_identifiedAt_t",200,"System.DateTime",datetime
+"threatInfo_incidentStatus_s",201,"System.String",string
+"threatInfo_incidentStatusDescription_s",202,"System.String",string
+"threatInfo_initiatedBy_s",203,"System.String",string
+"threatInfo_initiatedByDescription_s",204,"System.String",string
+"threatInfo_isFileless_b",205,"System.SByte",bool
+"threatInfo_isValidCertificate_b",206,"System.SByte",bool
+"threatInfo_mitigatedPreemptively_b",207,"System.SByte",bool
+"threatInfo_mitigationStatus_s",208,"System.String",string
+"threatInfo_mitigationStatusDescription_s",209,"System.String",string
+"threatInfo_originatorProcess_s",210,"System.String",string
+"threatInfo_pendingActions_b",211,"System.SByte",bool
+"threatInfo_processUser_s",212,"System.String",string
+"threatInfo_publisherName_s",213,"System.String",string
+"threatInfo_reachedEventsLimit_b",214,"System.SByte",bool
+"threatInfo_rebootRequired_b",215,"System.SByte",bool
+"threatInfo_sha1_s",216,"System.String",string
+"threatInfo_storyline_s",217,"System.String",string
+"threatInfo_threatId_s",218,"System.String",string
+"threatInfo_threatName_s",219,"System.String",string
+"threatInfo_updatedAt_t",220,"System.DateTime",datetime
+"whiteningOptions_s",221,"System.String",string
+"threatInfo_maliciousProcessArguments_s",222,"System.String",string
+"threatInfo_fileExtension_g",223,"System.String",string
+"threatInfo_threatName_g",224,"System.String",string
+"threatInfo_storyline_g",225,"System.String",string
+"accountId_s",226,"System.String",string
+"accountName_s",227,"System.String",string
+"activityType_d",228,"System.Double",real
+"activityUuid_g",229,"System.String",string
+"createdAt_t",230,"System.DateTime",datetime
+"id_s",231,"System.String",string
+"primaryDescription_s",232,"System.String",string
+"secondaryDescription_s",233,"System.String",string
+"siteId_s",234,"System.String",string
+"siteName_s",235,"System.String",string
+"updatedAt_t",236,"System.DateTime",datetime
+"userId_s",237,"System.String",string
+"event_name_s",238,"System.String",string
+"DataFields_s",239,"System.String",string
+"description_s",240,"System.String",string
+"comments_s",241,"System.String",string
+"activeDirectory_computerMemberOf_s",242,"System.String",string
+"activeDirectory_lastUserMemberOf_s",243,"System.String",string
+"activeThreats_d",244,"System.Double",real
+"agentVersion_s",245,"System.String",string
+"allowRemoteShell_b",246,"System.SByte",bool
+"appsVulnerabilityStatus_s",247,"System.String",string
+"computerName_s",248,"System.String",string
+"consoleMigrationStatus_s",249,"System.String",string
+"coreCount_d",250,"System.Double",real
+"cpuCount_d",251,"System.Double",real
+"cpuId_s",252,"System.String",string
+"detectionState_s",253,"System.String",string
+"domain_s",254,"System.String",string
+"encryptedApplications_b",255,"System.SByte",bool
+"externalId_s",256,"System.String",string
+"externalIp_s",257,"System.String",string
+"firewallEnabled_b",258,"System.SByte",bool
+"firstFullModeTime_t",259,"System.DateTime",datetime
+"fullDiskScanLastUpdatedAt_t",260,"System.DateTime",datetime
+"groupId_s",261,"System.String",string
+"groupIp_s",262,"System.String",string
+"groupName_s",263,"System.String",string
+"inRemoteShellSession_b",264,"System.SByte",bool
+"infected_b",265,"System.SByte",bool
+"installerType_s",266,"System.String",string
+"isActive_b",267,"System.SByte",bool
+"isDecommissioned_b",268,"System.SByte",bool
+"isPendingUninstall_b",269,"System.SByte",bool
+"isUninstalled_b",270,"System.SByte",bool
+"isUpToDate_b",271,"System.SByte",bool
+"lastActiveDate_t",272,"System.DateTime",datetime
+"lastIpToMgmt_s",273,"System.String",string
+"lastLoggedInUserName_s",274,"System.String",string
+"licenseKey_s",275,"System.String",string
+"locationEnabled_b",276,"System.SByte",bool
+"locationType_s",277,"System.String",string
+"locations_s",278,"System.String",string
+"machineType_s",279,"System.String",string
+"mitigationMode_s",280,"System.String",string
+"mitigationModeSuspicious_s",281,"System.String",string
+"modelName_s",282,"System.String",string
+"networkInterfaces_s",283,"System.String",string
+"networkQuarantineEnabled_b",284,"System.SByte",bool
+"networkStatus_s",285,"System.String",string
+"operationalState_s",286,"System.String",string
+"osArch_s",287,"System.String",string
+"osName_s",288,"System.String",string
+"osRevision_s",289,"System.String",string
+"osStartTime_t",290,"System.DateTime",datetime
+"osType_s",291,"System.String",string
+"rangerStatus_s",292,"System.String",string
+"rangerVersion_s",293,"System.String",string
+"registeredAt_t",294,"System.DateTime",datetime
+"remoteProfilingState_s",295,"System.String",string
+"scanFinishedAt_t",296,"System.DateTime",datetime
+"scanStartedAt_t",297,"System.DateTime",datetime
+"scanStatus_s",298,"System.String",string
+"serialNumber_s",299,"System.String",string
+"showAlertIcon_b",300,"System.SByte",bool
+"tags_sentinelone_s",301,"System.String",string
+"threatRebootRequired_b",302,"System.SByte",bool
+"totalMemory_d",303,"System.Double",real
+"userActionsNeeded_s",304,"System.String",string
+"uuid_g",305,"System.String",string
+"osUsername_s",306,"System.String",string
+"scanAbortedAt_t",307,"System.DateTime",datetime
+"activeDirectory_computerDistinguishedName_s",308,"System.String",string
+"activeDirectory_lastUserDistinguishedName_s",309,"System.String",string
+Type,310,"System.String",string
+"_ResourceId",311,"System.String",string