Fixed the suggested review1 changes and added RAW log files for senti…

…nel one.
Azure · Aug 24, 2023 · 807c57a · 807c57a
1 parent 8215cbd
commit 807c57a
Show file tree

Hide file tree

Showing 7 changed files with 5,043 additions and 118 deletions.
diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSentinelOne.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSentinelOne.yaml
@@ -1,6 +1,6 @@
 Parser:
   Title: ASIM Authentication parser for SentinelOne
-  Version: '0.1'
+  Version: '0.1.0'
   LastUpdated: Jul 24 2023
 Product:
   Name: SentinelOne
@@ -35,7 +35,7 @@ ParserQuery: |
       activityType_d: real,
       EventType: string,
       EventResult: string,
-      EventOriginalType: string
+      EventOriginalResultDetails: string
   )
   [
       27, "Logon", "Success", "User Logged In",
@@ -65,14 +65,15 @@ ParserQuery: |
       "SYSTEM", "System",
       "UNLOCK", "System"
   ];
-  let DeviceTypeLookup = datatable (agentDetectionInfo_machineType_s: string, TargetDeviceType: string)
+  let DeviceTypeLookup = datatable (agentDetectionInfo_machineType_s: string, SrcDeviceType: string)
   [
       "desktop", "Computer",
       "server", "Computer",
       "laptop", "Computer",
       "kubernetes node", "Other",
       "unknown", "Other"
   ];
+  let TargetUserTypesList = dynamic(["Regular", "Machine", "Admin", "System", "Application", "Service Principal", "Service", "Anonymous"]);
   let parser = (disabled: bool=false) {
       let alldata = SentinelOne_CL
           | where not(disabled);
@@ -83,23 +84,28 @@ ParserQuery: |
           | lookup EventFieldsLookup on activityType_d
           | lookup EventResultDetailsLookup on comments_s
           | extend 
-              DvcIpAddr = iff(ipAddress == "null", "", ipAddress),
+              SrcIpAddr = iff(ipAddress == "null", "", ipAddress),
+              EventOriginalType = tostring(toint(activityType_d)),
               TargetUsername = username,
               TargetUserScope = userScope,
               AdditionalFields = bag_pack(
                       "accountName", accountName,
                       "fullScopeDetails", fullScopeDetails,
                       "fullScopeDetailsPath", fullScopeDetailsPath,
-                      "role", role,
                       "scopeLevel", scopeLevel,
                       "source", source,
                       "sourceType", sourceType
-                  )
+                  ),
+              TargetOriginalUserType = role,
+              TargetUserType = case(
+                                role in (TargetUserTypesList), role,
+                                role == "null", "",
+                                "Other"
+                            )
           | project-rename
               EventStartTime = createdAt_t,
               TargetUserId = userId_s,
               EventOriginalUid = activityUuid_g,
-              EventOriginalResultDetails = comments_s,
               EventMessage = primaryDescription_s;
       let alertdata = alldata
           | where event_name_s == "Alerts."
@@ -108,26 +114,28 @@ ParserQuery: |
           | lookup EventSubTypeLookup on alertInfo_loginType_s
           | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s
           | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')
-          | invoke _ASIM_ResolveDstFQDN('alertInfo_loginAccountDomain_s')
+          | invoke _ASIM_ResolveSrcFQDN('alertInfo_loginAccountDomain_s')
           | extend
               EventResult = iff(alertInfo_loginIsSuccessful_s == "true", "Success", "Failure"),
               EventSeverity = iff(ruleInfo_severity_s == "Critical", "High", ruleInfo_severity_s)
           | project-rename
               EventStartTime = alertInfo_createdAt_t,
-              DvcIpAddr = alertInfo_srcMachineIp_s,
+              SrcIpAddr = alertInfo_srcMachineIp_s,
               ActingAppName = sourceProcessInfo_name_s,
               DvcId = agentDetectionInfo_uuid_g,
               DvcOs = agentDetectionInfo_osName_s,
-              DvcOsVersion = agentDetectionInfo_version_s,
+              DvcOsVersion = agentDetectionInfo_osRevision_s,
               EventOriginalSeverity = ruleInfo_severity_s,
               EventOriginalType = alertInfo_eventType_s,
+              EventOriginalSubType = alertInfo_loginType_s,
               RuleName = ruleInfo_name_s,
               TargetUserId = alertInfo_loginAccountSid_s,
               TargetUsername = alertInfo_loginsUserName_s
           | extend
               Rule = RuleName,
               ActingAppType = iff(isnotempty(ActingAppName), "Process", ""),
-              DvcIdType = iff(isnotempty(DvcId), "Other", "");
+              DvcIdType = iff(isnotempty(DvcId), "Other", ""),
+              TargetUserType = _ASIM_GetUserType(TargetUsername, TargetUserId);
       union activitydata, alertdata
       | extend
           EventCount = int(1),
@@ -136,21 +144,19 @@ ParserQuery: |
           EventVendor = "SentinelOne",
           EventSchema = "Authentication"
       | extend
-          Dvc = coalesce(DvcHostname, DvcIpAddr, EventProduct),
-          SrcIpAddr = DvcIpAddr,
+          Dvc = coalesce(DvcHostname, EventProduct),
           EventEndTime = EventStartTime,
-          EventUid = _ResourceId,
+          EventUid = _ItemId,
           User = TargetUsername,
-          TargetHostname = DstHostname,
-          TargetDomain = DstDomain,
-          TargetDomainType = DstDomainType,
-          TargetFQDN = DstFQDN,
+          TargetHostname = SrcHostname,
+          TargetDomain = SrcDomain,
+          TargetDomainType = SrcDomainType,
+          TargetFQDN = SrcFQDN,
           TargetUserIdType = iff(isnotempty(TargetUserId), "Other", ""),
           TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)
       | extend
           IpAddr = SrcIpAddr,
-          Src = SrcIpAddr,
-          Dst = TargetHostname
+          Src = SrcIpAddr
       | project-away
           *_b,
           *_d,
@@ -167,16 +173,13 @@ ParserQuery: |
           source,
           sourceType,
           userScope,
-          DstHostname,
-          DstDomain,
-          DstDomainType,
-          DstFQDN,
           Computer,
           MG,
           ManagementGroupName,
           RawData,
           SourceSystem,
           TenantId,
+          _ItemId,
           _ResourceId
   };
-  parser(disabled=disabled);
+  parser(disabled=disabled)
diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSentinelOne.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSentinelOne.yaml
@@ -1,6 +1,6 @@
 Parser:
   Title: ASIM Authentication parser for SentinelOne
-  Version: '0.1'
+  Version: '0.1.0'
   LastUpdated: Jul 25 2023
 Product:
   Name: SentinelOne
@@ -44,7 +44,7 @@ ParserQuery: |
       activityType_d: real,
       EventType: string,
       EventResult: string,
-      EventOriginalType: string
+      EventOriginalResultDetails: string
   )
   [
       27, "Logon", "Success", "User Logged In",
@@ -74,14 +74,15 @@ ParserQuery: |
       "SYSTEM", "System",
       "UNLOCK", "System"
   ];
-  let DeviceTypeLookup = datatable (agentDetectionInfo_machineType_s: string, TargetDeviceType: string)
+  let DeviceTypeLookup = datatable (agentDetectionInfo_machineType_s: string, SrcDeviceType: string)
   [
       "desktop", "Computer",
       "server", "Computer",
       "laptop", "Computer",
       "kubernetes node", "Other",
       "unknown", "Other"
   ];
+  let TargetUserTypesList = dynamic(["Regular", "Machine", "Admin", "System", "Application", "Service Principal", "Service", "Anonymous"]);
   let parser = (disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), targetusername_has: string='*') {
       let alldata = SentinelOne_CL
           | where not(disabled)
@@ -94,23 +95,28 @@ ParserQuery: |
           | lookup EventFieldsLookup on activityType_d
           | lookup EventResultDetailsLookup on comments_s
           | extend 
-              DvcIpAddr = iff(ipAddress == "null", "", ipAddress),
+              SrcIpAddr = iff(ipAddress == "null", "", ipAddress),
+              EventOriginalType = tostring(toint(activityType_d)),
               TargetUsername = username,
               TargetUserScope = userScope,
               AdditionalFields = bag_pack(
                       "accountName", accountName,
                       "fullScopeDetails", fullScopeDetails,
                       "fullScopeDetailsPath", fullScopeDetailsPath,
-                      "role", role,
                       "scopeLevel", scopeLevel,
                       "source", source,
                       "sourceType", sourceType
-                  )
+                  ),
+              TargetOriginalUserType = role,
+              TargetUserType = case(
+                                role in (TargetUserTypesList), role,
+                                role == "null", "",
+                                "Other"
+                            )
           | project-rename
               EventStartTime = createdAt_t,
               TargetUserId = userId_s,
               EventOriginalUid = activityUuid_g,
-              EventOriginalResultDetails = comments_s,
               EventMessage = primaryDescription_s;
       let alertdata = alldata
           | where event_name_s == "Alerts."
@@ -120,26 +126,28 @@ ParserQuery: |
           | lookup EventSubTypeLookup on alertInfo_loginType_s
           | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s
           | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')
-          | invoke _ASIM_ResolveDstFQDN('alertInfo_loginAccountDomain_s')
+          | invoke _ASIM_ResolveSrcFQDN('alertInfo_loginAccountDomain_s')
           | extend
               EventResult = iff(alertInfo_loginIsSuccessful_s == "true", "Success", "Failure"),
               EventSeverity = iff(ruleInfo_severity_s == "Critical", "High", ruleInfo_severity_s)
           | project-rename
               EventStartTime = alertInfo_createdAt_t,
-              DvcIpAddr = alertInfo_srcMachineIp_s,
+              SrcIpAddr = alertInfo_srcMachineIp_s,
               ActingAppName = sourceProcessInfo_name_s,
               DvcId = agentDetectionInfo_uuid_g,
               DvcOs = agentDetectionInfo_osName_s,
-              DvcOsVersion = agentDetectionInfo_version_s,
+              DvcOsVersion = agentDetectionInfo_osRevision_s,
               EventOriginalSeverity = ruleInfo_severity_s,
               EventOriginalType = alertInfo_eventType_s,
+              EventOriginalSubType = alertInfo_loginType_s,
               RuleName = ruleInfo_name_s,
               TargetUserId = alertInfo_loginAccountSid_s,
               TargetUsername = alertInfo_loginsUserName_s
           | extend
               Rule = RuleName,
               ActingAppType = iff(isnotempty(ActingAppName), "Process", ""),
-              DvcIdType = iff(isnotempty(DvcId), "Other", "");
+              DvcIdType = iff(isnotempty(DvcId), "Other", ""),
+              TargetUserType = _ASIM_GetUserType(TargetUsername, TargetUserId);
       union activitydata, alertdata
       | extend
           EventCount = int(1),
@@ -148,21 +156,19 @@ ParserQuery: |
           EventVendor = "SentinelOne",
           EventSchema = "Authentication"
       | extend
-          Dvc = coalesce(DvcHostname, DvcIpAddr, EventProduct),
-          SrcIpAddr = DvcIpAddr,
+          Dvc = coalesce(DvcHostname, EventProduct),
           EventEndTime = EventStartTime,
-          EventUid = _ResourceId,
+          EventUid = _ItemId,
           User = TargetUsername,
-          TargetHostname = DstHostname,
-          TargetDomain = DstDomain,
-          TargetDomainType = DstDomainType,
-          TargetFQDN = DstFQDN,
+          TargetHostname = SrcHostname,
+          TargetDomain = SrcDomain,
+          TargetDomainType = SrcDomainType,
+          TargetFQDN = SrcFQDN,
           TargetUserIdType = iff(isnotempty(TargetUserId), "Other", ""),
           TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)
       | extend
           IpAddr = SrcIpAddr,
-          Src = SrcIpAddr,
-          Dst = TargetHostname
+          Src = SrcIpAddr
       | project-away
           *_b,
           *_d,
@@ -179,16 +185,13 @@ ParserQuery: |
           source,
           sourceType,
           userScope,
-          DstHostname,
-          DstDomain,
-          DstDomainType,
-          DstFQDN,
           Computer,
           MG,
           ManagementGroupName,
           RawData,
           SourceSystem,
           TenantId,
+          _ItemId,
           _ResourceId
   };
   parser(disabled=disabled, starttime=starttime, endtime=endtime, targetusername_has=targetusername_has)
diff --git a/Parsers/ASimAuthentication/Tests/SentinelOne_ASimAuthentication_DataTest.csv b/Parsers/ASimAuthentication/Tests/SentinelOne_ASimAuthentication_DataTest.csv
@@ -1,32 +1,36 @@
 Result
-"(0) Error: 1 invalid value(s) (up to 10 listed) in 1260 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:Authentication)"
-"(0) Error: 1 invalid value(s) (up to 10 listed) in 1260 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:Authentication)"
-"(2) Info: Empty value in 1246 records (98.89%)  in optional field [ActingAppName] (Schema:Authentication)"
-"(2) Info: Empty value in 1246 records (98.89%)  in optional field [ActingAppType] (Schema:Authentication)"
-"(2) Info: Empty value in 1246 records (98.89%)  in optional field [DvcId] (Schema:Authentication)"
-"(2) Info: Empty value in 1246 records (98.89%)  in optional field [DvcOsVersion] (Schema:Authentication)"
-"(2) Info: Empty value in 1246 records (98.89%)  in optional field [DvcOs] (Schema:Authentication)"
-"(2) Info: Empty value in 1246 records (98.89%)  in optional field [EventOriginalSeverity] (Schema:Authentication)"
-"(2) Info: Empty value in 1246 records (98.89%)  in optional field [EventSubType] (Schema:Authentication)"
-"(2) Info: Empty value in 1246 records (98.89%)  in optional field [RuleName] (Schema:Authentication)"
-"(2) Info: Empty value in 1246 records (98.89%)  in optional field [Rule] (Schema:Authentication)"
-"(2) Info: Empty value in 1246 records (98.89%)  in optional field [TargetDeviceType] (Schema:Authentication)"
-"(2) Info: Empty value in 1246 records (98.89%)  in recommended field [DvcHostname] (Schema:Authentication)"
-"(2) Info: Empty value in 1246 records (98.89%)  in recommended field [EventSeverity] (Schema:Authentication)"
-"(2) Info: Empty value in 1254 records (99.52%)  in optional field [TargetHostname] (Schema:Authentication)"
-"(2) Info: Empty value in 1254 records (99.52%)  in recommended field [TargetHostname] (Schema:Authentication)"
-"(2) Info: Empty value in 1258 records (99.84%)  in optional field [DvcFQDN] (Schema:Authentication)"
-"(2) Info: Empty value in 1258 records (99.84%)  in recommended field [DvcDomain] (Schema:Authentication)"
-"(2) Info: Empty value in 1260 records (100.0%)  in optional field [TargetFQDN] (Schema:Authentication)"
-"(2) Info: Empty value in 1260 records (100.0%)  in recommended field [EventUid] (Schema:Authentication)"
-"(2) Info: Empty value in 1260 records (100.0%)  in recommended field [TargetDomain] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1263 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1263 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:Authentication)"
+"(2) Info: Empty value in 1249 records (98.89%)  in optional field [ActingAppName] (Schema:Authentication)"
+"(2) Info: Empty value in 1249 records (98.89%)  in optional field [ActingAppType] (Schema:Authentication)"
+"(2) Info: Empty value in 1249 records (98.89%)  in optional field [DvcId] (Schema:Authentication)"
+"(2) Info: Empty value in 1249 records (98.89%)  in optional field [DvcOsVersion] (Schema:Authentication)"
+"(2) Info: Empty value in 1249 records (98.89%)  in optional field [DvcOs] (Schema:Authentication)"
+"(2) Info: Empty value in 1249 records (98.89%)  in optional field [EventOriginalSeverity] (Schema:Authentication)"
+"(2) Info: Empty value in 1249 records (98.89%)  in optional field [EventOriginalSubType] (Schema:Authentication)"
+"(2) Info: Empty value in 1249 records (98.89%)  in optional field [EventSubType] (Schema:Authentication)"
+"(2) Info: Empty value in 1249 records (98.89%)  in optional field [RuleName] (Schema:Authentication)"
+"(2) Info: Empty value in 1249 records (98.89%)  in optional field [Rule] (Schema:Authentication)"
+"(2) Info: Empty value in 1249 records (98.89%)  in optional field [SrcDeviceType] (Schema:Authentication)"
+"(2) Info: Empty value in 1249 records (98.89%)  in recommended field [DvcHostname] (Schema:Authentication)"
+"(2) Info: Empty value in 1249 records (98.89%)  in recommended field [EventSeverity] (Schema:Authentication)"
+"(2) Info: Empty value in 1257 records (99.52%)  in optional field [SrcHostname] (Schema:Authentication)"
+"(2) Info: Empty value in 1257 records (99.52%)  in optional field [TargetHostname] (Schema:Authentication)"
+"(2) Info: Empty value in 1257 records (99.52%)  in recommended field [TargetHostname] (Schema:Authentication)"
+"(2) Info: Empty value in 1261 records (99.84%)  in optional field [DvcFQDN] (Schema:Authentication)"
+"(2) Info: Empty value in 1261 records (99.84%)  in recommended field [DvcDomain] (Schema:Authentication)"
+"(2) Info: Empty value in 1263 records (100.0%)  in optional field [SrcDomain] (Schema:Authentication)"
+"(2) Info: Empty value in 1263 records (100.0%)  in optional field [SrcFQDN] (Schema:Authentication)"
+"(2) Info: Empty value in 1263 records (100.0%)  in optional field [TargetFQDN] (Schema:Authentication)"
+"(2) Info: Empty value in 1263 records (100.0%)  in recommended field [TargetDomain] (Schema:Authentication)"
 "(2) Info: Empty value in 14 records (1.11%)  in optional field [AdditionalFields] (Schema:Authentication)"
 "(2) Info: Empty value in 14 records (1.11%)  in optional field [EventMessage] (Schema:Authentication)"
+"(2) Info: Empty value in 14 records (1.11%)  in optional field [EventOriginalResultDetails] (Schema:Authentication)"
 "(2) Info: Empty value in 14 records (1.11%)  in optional field [EventOriginalUid] (Schema:Authentication)"
+"(2) Info: Empty value in 14 records (1.11%)  in optional field [TargetOriginalUserType] (Schema:Authentication)"
 "(2) Info: Empty value in 14 records (1.11%)  in optional field [TargetUserScope] (Schema:Authentication)"
-"(2) Info: Empty value in 236 records (18.73%)  in optional field [EventOriginalResultDetails] (Schema:Authentication)"
-"(2) Info: Empty value in 236 records (18.73%)  in recommended field [EventResultDetails] (Schema:Authentication)"
+"(2) Info: Empty value in 239 records (18.92%)  in recommended field [EventResultDetails] (Schema:Authentication)"
 "(2) Info: Empty value in 8 records (0.63%)  in optional field [TargetUserId] (Schema:Authentication)"
-"(2) Info: Empty value in 954 records (75.71%)  in recommended field [DvcIpAddr] (Schema:Authentication)"
-"(2) Info: Empty value in 954 records (75.71%)  in recommended field [SrcIpAddr] (Schema:Authentication)"
-"(2) Info: Empty value in 954 records (75.71%)  in recommended field [Src] (Schema:Authentication)"
+"(2) Info: Empty value in 912 records (72.21%)  in optional field [TargetUserType] (Schema:Authentication)"
+"(2) Info: Empty value in 954 records (75.53%)  in recommended field [SrcIpAddr] (Schema:Authentication)"
+"(2) Info: Empty value in 954 records (75.53%)  in recommended field [Src] (Schema:Authentication)"