diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSentinelOne.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSentinelOne.yaml index c9efe1bfee7..34e40b40a3f 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSentinelOne.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSentinelOne.yaml @@ -1,6 +1,6 @@ Parser: Title: ASIM Authentication parser for SentinelOne - Version: '0.1' + Version: '0.1.0' LastUpdated: Jul 24 2023 Product: Name: SentinelOne @@ -35,7 +35,7 @@ ParserQuery: | activityType_d: real, EventType: string, EventResult: string, - EventOriginalType: string + EventOriginalResultDetails: string ) [ 27, "Logon", "Success", "User Logged In", @@ -65,7 +65,7 @@ ParserQuery: | "SYSTEM", "System", "UNLOCK", "System" ]; - let DeviceTypeLookup = datatable (agentDetectionInfo_machineType_s: string, TargetDeviceType: string) + let DeviceTypeLookup = datatable (agentDetectionInfo_machineType_s: string, SrcDeviceType: string) [ "desktop", "Computer", "server", "Computer", @@ -73,6 +73,7 @@ ParserQuery: | "kubernetes node", "Other", "unknown", "Other" ]; + let TargetUserTypesList = dynamic(["Regular", "Machine", "Admin", "System", "Application", "Service Principal", "Service", "Anonymous"]); let parser = (disabled: bool=false) { let alldata = SentinelOne_CL | where not(disabled); 
@@ -83,23 +84,28 @@ ParserQuery: | | lookup EventFieldsLookup on activityType_d | lookup EventResultDetailsLookup on comments_s | extend - DvcIpAddr = iff(ipAddress == "null", "", ipAddress), + SrcIpAddr = iff(ipAddress == "null", "", ipAddress), + EventOriginalType = tostring(toint(activityType_d)), TargetUsername = username, TargetUserScope = userScope, AdditionalFields = bag_pack( "accountName", accountName, "fullScopeDetails", fullScopeDetails, "fullScopeDetailsPath", fullScopeDetailsPath, - "role", role, "scopeLevel", scopeLevel, "source", source, "sourceType", sourceType - ) + ), + TargetOriginalUserType = role, + TargetUserType = case( + role in (TargetUserTypesList), role, + role == "null", "", + "Other" + ) | project-rename EventStartTime = createdAt_t, TargetUserId = userId_s, EventOriginalUid = activityUuid_g, - EventOriginalResultDetails = comments_s, EventMessage = primaryDescription_s; let alertdata = alldata | where event_name_s == "Alerts." 
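Review bot: The new TargetUserType case falls through to "Other" when role is empty, and TargetOriginalUserType keeps the literal string "null" that the same case expression treats as missing, so the two fields disagree on the same record; `TargetOriginalUserType = iff(role == "null", "", role),` together with `role == "null" or isempty(role), "",` in the case would keep them consistent with how ipAddress is normalized a few lines above. `role in (TargetUserTypesList)` is also a case-sensitive match, so any casing difference in the vendor value lands in "Other" — worth confirming against the sample logs added in this commit. The same block is repeated in the vimAuthenticationSentinelOne.yaml hunk (@@ -94,23 +95,28 @@). The parser function continues outside this hunk.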
@@ -108,26 +114,28 @@ ParserQuery: | | lookup EventSubTypeLookup on alertInfo_loginType_s | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s') - | invoke _ASIM_ResolveDstFQDN('alertInfo_loginAccountDomain_s') + | invoke _ASIM_ResolveSrcFQDN('alertInfo_loginAccountDomain_s') | extend EventResult = iff(alertInfo_loginIsSuccessful_s == "true", "Success", "Failure"), EventSeverity = iff(ruleInfo_severity_s == "Critical", "High", ruleInfo_severity_s) | project-rename EventStartTime = alertInfo_createdAt_t, - DvcIpAddr = alertInfo_srcMachineIp_s, + SrcIpAddr = alertInfo_srcMachineIp_s, ActingAppName = sourceProcessInfo_name_s, DvcId = agentDetectionInfo_uuid_g, DvcOs = agentDetectionInfo_osName_s, - DvcOsVersion = agentDetectionInfo_version_s, + DvcOsVersion = agentDetectionInfo_osRevision_s, EventOriginalSeverity = ruleInfo_severity_s, EventOriginalType = alertInfo_eventType_s, + EventOriginalSubType = alertInfo_loginType_s, RuleName = ruleInfo_name_s, TargetUserId = alertInfo_loginAccountSid_s, TargetUsername = alertInfo_loginsUserName_s | extend Rule = RuleName, ActingAppType = iff(isnotempty(ActingAppName), "Process", ""), - DvcIdType = iff(isnotempty(DvcId), "Other", ""); + DvcIdType = iff(isnotempty(DvcId), "Other", ""), + TargetUserType = _ASIM_GetUserType(TargetUsername, TargetUserId); union activitydata, alertdata | extend EventCount = int(1), 
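Review bot: `_ASIM_ResolveSrcFQDN('alertInfo_loginAccountDomain_s')` derives SrcHostname/SrcDomain/SrcFQDN from the login account's domain field, and the final extend later copies those same values into TargetHostname/TargetDomain/TargetFQDN, so one account-domain string is reported as both the source and the target host of the logon; if alertInfo_loginAccountDomain_s is an account domain rather than a machine name, only TargetDomain looks like a fit and the Src* host fields should stay empty unless a source-machine field is available. TargetUserType here is inferred with `_ASIM_GetUserType(TargetUsername, TargetUserId)` while the activity branch derives it from role, which a comment such as `// alert events carry no role field, so infer the user type from name/SID` would explain. The same applies to the vim parser hunk (@@ -120,26 +126,28 @@). The alertdata pipeline starts before this hunk.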
@@ -136,21 +144,19 @@ ParserQuery: | EventVendor = "SentinelOne", EventSchema = "Authentication" | extend - Dvc = coalesce(DvcHostname, DvcIpAddr, EventProduct), - SrcIpAddr = DvcIpAddr, + Dvc = coalesce(DvcHostname, EventProduct), EventEndTime = EventStartTime, - EventUid = _ResourceId, + EventUid = _ItemId, User = TargetUsername, - TargetHostname = DstHostname, - TargetDomain = DstDomain, - TargetDomainType = DstDomainType, - TargetFQDN = DstFQDN, + TargetHostname = SrcHostname, + TargetDomain = SrcDomain, + TargetDomainType = SrcDomainType, + TargetFQDN = SrcFQDN, TargetUserIdType = iff(isnotempty(TargetUserId), "Other", ""), TargetUsernameType = _ASIM_GetUsernameType(TargetUsername) | extend IpAddr = SrcIpAddr, - Src = SrcIpAddr, - Dst = TargetHostname + Src = SrcIpAddr | project-away *_b, *_d, @@ -167,16 +173,13 @@ ParserQuery: | source, sourceType, userScope, - DstHostname, - DstDomain, - DstDomainType, - DstFQDN, Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId, + _ItemId, _ResourceId }; - parser(disabled=disabled); \ No newline at end of file + parser(disabled=disabled) \ No newline at end of file diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSentinelOne.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSentinelOne.yaml index a2990d43307..bb49835ee8b 100644 --- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSentinelOne.yaml +++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSentinelOne.yaml @@ -1,6 +1,6 @@ Parser: Title: ASIM Authentication parser for SentinelOne - Version: '0.1' + Version: '0.1.0' LastUpdated: Jul 25 2023 Product: Name: SentinelOne @@ -44,7 +44,7 @@ ParserQuery: | activityType_d: real, EventType: string, EventResult: string, - EventOriginalType: string + EventOriginalResultDetails: string ) [ 27, "Logon", "Success", "User Logged In", 
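Review bot: Dropping `Dst = TargetHostname` and no longer populating DvcIpAddr introduces two new recommended-field warnings that the SchemaTest diffs in this same commit show (`Missing recommended field [Dst]`, `Missing recommended field [DvcIpAddr]`); TargetHostname still exists, so `Dst = TargetHostname` can simply stay in the IpAddr/Src extend. For DvcIpAddr, alertInfo_srcMachineIp_s appears to be the reporting agent's own address rather than a remote logon source, so keeping `DvcIpAddr = SrcIpAddr` for the alert branch may be the right call and would keep `Dvc = coalesce(DvcHostname, EventProduct)` from collapsing to the product name for the 98.89% of records the DataTest shows without DvcHostname — confirm against the sample logs. The same changes are in the vim parser hunks (@@ -148,21 +156,19 @@ and @@ -179,16 +185,13 @@). The union pipeline starts before this hunk.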
@@ -74,7 +74,7 @@ ParserQuery: | "SYSTEM", "System", "UNLOCK", "System" ]; - let DeviceTypeLookup = datatable (agentDetectionInfo_machineType_s: string, TargetDeviceType: string) + let DeviceTypeLookup = datatable (agentDetectionInfo_machineType_s: string, SrcDeviceType: string) [ "desktop", "Computer", "server", "Computer", @@ -82,6 +82,7 @@ ParserQuery: | "kubernetes node", "Other", "unknown", "Other" ]; + let TargetUserTypesList = dynamic(["Regular", "Machine", "Admin", "System", "Application", "Service Principal", "Service", "Anonymous"]); let parser = (disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), targetusername_has: string='*') { let alldata = SentinelOne_CL | where not(disabled) @@ -94,23 +95,28 @@ ParserQuery: | | lookup EventFieldsLookup on activityType_d | lookup EventResultDetailsLookup on comments_s | extend - DvcIpAddr = iff(ipAddress == "null", "", ipAddress), + SrcIpAddr = iff(ipAddress == "null", "", ipAddress), + EventOriginalType = tostring(toint(activityType_d)), TargetUsername = username, TargetUserScope = userScope, AdditionalFields = bag_pack( "accountName", accountName, "fullScopeDetails", fullScopeDetails, "fullScopeDetailsPath", fullScopeDetailsPath, - "role", role, "scopeLevel", scopeLevel, "source", source, "sourceType", sourceType - ) + ), + TargetOriginalUserType = role, + TargetUserType = case( + role in (TargetUserTypesList), role, + role == "null", "", + "Other" + ) | project-rename EventStartTime = createdAt_t, TargetUserId = userId_s, EventOriginalUid = activityUuid_g, - EventOriginalResultDetails = comments_s, EventMessage = primaryDescription_s; let alertdata = alldata | where event_name_s == "Alerts." 
@@ -120,26 +126,28 @@ ParserQuery: | | lookup EventSubTypeLookup on alertInfo_loginType_s | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s') - | invoke _ASIM_ResolveDstFQDN('alertInfo_loginAccountDomain_s') + | invoke _ASIM_ResolveSrcFQDN('alertInfo_loginAccountDomain_s') | extend EventResult = iff(alertInfo_loginIsSuccessful_s == "true", "Success", "Failure"), EventSeverity = iff(ruleInfo_severity_s == "Critical", "High", ruleInfo_severity_s) | project-rename EventStartTime = alertInfo_createdAt_t, - DvcIpAddr = alertInfo_srcMachineIp_s, + SrcIpAddr = alertInfo_srcMachineIp_s, ActingAppName = sourceProcessInfo_name_s, DvcId = agentDetectionInfo_uuid_g, DvcOs = agentDetectionInfo_osName_s, - DvcOsVersion = agentDetectionInfo_version_s, + DvcOsVersion = agentDetectionInfo_osRevision_s, EventOriginalSeverity = ruleInfo_severity_s, EventOriginalType = alertInfo_eventType_s, + EventOriginalSubType = alertInfo_loginType_s, RuleName = ruleInfo_name_s, TargetUserId = alertInfo_loginAccountSid_s, TargetUsername = alertInfo_loginsUserName_s | extend Rule = RuleName, ActingAppType = iff(isnotempty(ActingAppName), "Process", ""), - DvcIdType = iff(isnotempty(DvcId), "Other", ""); + DvcIdType = iff(isnotempty(DvcId), "Other", ""), + TargetUserType = _ASIM_GetUserType(TargetUsername, TargetUserId); union activitydata, alertdata | extend EventCount = int(1), 
@@ -148,21 +156,19 @@ ParserQuery: | EventVendor = "SentinelOne", EventSchema = "Authentication" | extend - Dvc = coalesce(DvcHostname, DvcIpAddr, EventProduct), - SrcIpAddr = DvcIpAddr, + Dvc = coalesce(DvcHostname, EventProduct), EventEndTime = EventStartTime, - EventUid = _ResourceId, + EventUid = _ItemId, User = TargetUsername, - TargetHostname = DstHostname, - TargetDomain = DstDomain, - TargetDomainType = DstDomainType, - TargetFQDN = DstFQDN, + TargetHostname = SrcHostname, + TargetDomain = SrcDomain, + TargetDomainType = SrcDomainType, + TargetFQDN = SrcFQDN, TargetUserIdType = iff(isnotempty(TargetUserId), "Other", ""), TargetUsernameType = _ASIM_GetUsernameType(TargetUsername) | extend IpAddr = SrcIpAddr, - Src = SrcIpAddr, - Dst = TargetHostname + Src = SrcIpAddr | project-away *_b, *_d, @@ -179,16 +185,13 @@ ParserQuery: | source, sourceType, userScope, - DstHostname, - DstDomain, - DstDomainType, - DstFQDN, Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId, + _ItemId, _ResourceId }; parser(disabled=disabled, starttime=starttime, endtime=endtime, targetusername_has=targetusername_has) \ No newline at end of file diff --git a/Parsers/ASimAuthentication/Tests/SentinelOne_ASimAuthentication_DataTest.csv b/Parsers/ASimAuthentication/Tests/SentinelOne_ASimAuthentication_DataTest.csv index 72eb8c6c455..33d76df70ba 100644 --- a/Parsers/ASimAuthentication/Tests/SentinelOne_ASimAuthentication_DataTest.csv +++ b/Parsers/ASimAuthentication/Tests/SentinelOne_ASimAuthentication_DataTest.csv 
@@ -1,32 +1,36 @@ Result -"(0) Error: 1 invalid value(s) (up to 10 listed) in 1260 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:Authentication)" -"(0) Error: 1 invalid value(s) (up to 10 listed) in 1260 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [ActingAppName] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [ActingAppType] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [DvcId] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [DvcOsVersion] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [DvcOs] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [EventOriginalSeverity] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [EventSubType] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [RuleName] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [Rule] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [TargetDeviceType] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in recommended field [DvcHostname] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in recommended field [EventSeverity] (Schema:Authentication)" -"(2) Info: Empty value in 1254 records (99.52%) in optional field [TargetHostname] (Schema:Authentication)" -"(2) Info: Empty value in 1254 records (99.52%) in recommended field [TargetHostname] (Schema:Authentication)" -"(2) Info: Empty value in 1258 records (99.84%) in optional field [DvcFQDN] (Schema:Authentication)" -"(2) Info: Empty value in 1258 records 
(99.84%) in recommended field [DvcDomain] (Schema:Authentication)" -"(2) Info: Empty value in 1260 records (100.0%) in optional field [TargetFQDN] (Schema:Authentication)" -"(2) Info: Empty value in 1260 records (100.0%) in recommended field [EventUid] (Schema:Authentication)" -"(2) Info: Empty value in 1260 records (100.0%) in recommended field [TargetDomain] (Schema:Authentication)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 1263 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:Authentication)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 1263 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [ActingAppName] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [ActingAppType] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [DvcId] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [DvcOsVersion] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [DvcOs] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [EventOriginalSeverity] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [EventOriginalSubType] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [EventSubType] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [RuleName] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [Rule] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [SrcDeviceType] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in recommended field [DvcHostname] (Schema:Authentication)" 
+"(2) Info: Empty value in 1249 records (98.89%) in recommended field [EventSeverity] (Schema:Authentication)" +"(2) Info: Empty value in 1257 records (99.52%) in optional field [SrcHostname] (Schema:Authentication)" +"(2) Info: Empty value in 1257 records (99.52%) in optional field [TargetHostname] (Schema:Authentication)" +"(2) Info: Empty value in 1257 records (99.52%) in recommended field [TargetHostname] (Schema:Authentication)" +"(2) Info: Empty value in 1261 records (99.84%) in optional field [DvcFQDN] (Schema:Authentication)" +"(2) Info: Empty value in 1261 records (99.84%) in recommended field [DvcDomain] (Schema:Authentication)" +"(2) Info: Empty value in 1263 records (100.0%) in optional field [SrcDomain] (Schema:Authentication)" +"(2) Info: Empty value in 1263 records (100.0%) in optional field [SrcFQDN] (Schema:Authentication)" +"(2) Info: Empty value in 1263 records (100.0%) in optional field [TargetFQDN] (Schema:Authentication)" +"(2) Info: Empty value in 1263 records (100.0%) in recommended field [TargetDomain] (Schema:Authentication)" "(2) Info: Empty value in 14 records (1.11%) in optional field [AdditionalFields] (Schema:Authentication)" "(2) Info: Empty value in 14 records (1.11%) in optional field [EventMessage] (Schema:Authentication)" +"(2) Info: Empty value in 14 records (1.11%) in optional field [EventOriginalResultDetails] (Schema:Authentication)" "(2) Info: Empty value in 14 records (1.11%) in optional field [EventOriginalUid] (Schema:Authentication)" +"(2) Info: Empty value in 14 records (1.11%) in optional field [TargetOriginalUserType] (Schema:Authentication)" "(2) Info: Empty value in 14 records (1.11%) in optional field [TargetUserScope] (Schema:Authentication)" -"(2) Info: Empty value in 236 records (18.73%) in optional field [EventOriginalResultDetails] (Schema:Authentication)" -"(2) Info: Empty value in 236 records (18.73%) in recommended field [EventResultDetails] (Schema:Authentication)" +"(2) Info: Empty value in 239 records 
(18.92%) in recommended field [EventResultDetails] (Schema:Authentication)" "(2) Info: Empty value in 8 records (0.63%) in optional field [TargetUserId] (Schema:Authentication)" -"(2) Info: Empty value in 954 records (75.71%) in recommended field [DvcIpAddr] (Schema:Authentication)" -"(2) Info: Empty value in 954 records (75.71%) in recommended field [SrcIpAddr] (Schema:Authentication)" -"(2) Info: Empty value in 954 records (75.71%) in recommended field [Src] (Schema:Authentication)" +"(2) Info: Empty value in 912 records (72.21%) in optional field [TargetUserType] (Schema:Authentication)" +"(2) Info: Empty value in 954 records (75.53%) in recommended field [SrcIpAddr] (Schema:Authentication)" +"(2) Info: Empty value in 954 records (75.53%) in recommended field [Src] (Schema:Authentication)" diff --git a/Parsers/ASimAuthentication/Tests/SentinelOne_ASimAuthentication_SchemaTest.csv b/Parsers/ASimAuthentication/Tests/SentinelOne_ASimAuthentication_SchemaTest.csv index 10f18edef22..f87eccb139f 100644 --- a/Parsers/ASimAuthentication/Tests/SentinelOne_ASimAuthentication_SchemaTest.csv +++ b/Parsers/ASimAuthentication/Tests/SentinelOne_ASimAuthentication_SchemaTest.csv @@ -1,5 +1,7 @@ Result +"(1) Warning: Missing recommended field [Dst]" "(1) Warning: Missing recommended field [DvcAction]" +"(1) Warning: Missing recommended field [DvcIpAddr]" "(2) Info: Missing optional alias [Application] aliasing non-existent column [TargetAppName]" "(2) Info: Missing optional field [ActingAppId]" "(2) Info: Missing optional field [ActorOriginalUserType]" @@ -16,7 +18,6 @@ "(2) Info: Missing optional field [DvcScopeId]" "(2) Info: Missing optional field [DvcScope]" "(2) Info: Missing optional field [DvcZone]" -"(2) Info: Missing optional field [EventOriginalSubType]" "(2) Info: Missing optional field [EventOwner]" "(2) Info: Missing optional field [EventProductVersion]" "(2) Info: Missing optional field [EventReportUrl]" 
@@ -26,27 +27,23 @@ "(2) Info: Missing optional field [LogonTarget]" "(2) Info: Missing optional field [RuleNumber]" "(2) Info: Missing optional field [SrcDescription]" -"(2) Info: Missing optional field [SrcDeviceType]" -"(2) Info: Missing optional field [SrcDomain]" "(2) Info: Missing optional field [SrcDvcId]" "(2) Info: Missing optional field [SrcDvcOs]" "(2) Info: Missing optional field [SrcDvcScopeId]" "(2) Info: Missing optional field [SrcDvcScope]" -"(2) Info: Missing optional field [SrcFQDN]" "(2) Info: Missing optional field [SrcGeoCity]" "(2) Info: Missing optional field [SrcGeoCountry]" "(2) Info: Missing optional field [SrcGeoLatitude]" "(2) Info: Missing optional field [SrcGeoLongitude]" "(2) Info: Missing optional field [SrcGeoRegion]" -"(2) Info: Missing optional field [SrcHostname]" "(2) Info: Missing optional field [SrcIsp]" "(2) Info: Missing optional field [SrcOriginalRiskLevel]" "(2) Info: Missing optional field [SrcPortNumber]" "(2) Info: Missing optional field [SrcRiskLevel]" "(2) Info: Missing optional field [TargetAppId]" "(2) Info: Missing optional field [TargetAppName]" -"(2) Info: Missing optional field [TargetAppType]" "(2) Info: Missing optional field [TargetDescription]" +"(2) Info: Missing optional field [TargetDeviceType]" "(2) Info: Missing optional field [TargetDvcId]" "(2) Info: Missing optional field [TargetDvcOs]" "(2) Info: Missing optional field [TargetDvcScopeId]" @@ -58,7 +55,6 @@ "(2) Info: Missing optional field [TargetGeoRegion]" "(2) Info: Missing optional field [TargetIpAddr]" "(2) Info: Missing optional field [TargetOriginalRiskLevel]" -"(2) Info: Missing optional field [TargetOriginalUserType]" "(2) Info: Missing optional field [TargetPortNumber]" "(2) Info: Missing optional field [TargetRiskLevel]" "(2) Info: Missing optional field [TargetSessionId]" 
@@ -66,7 +62,6 @@ "(2) Info: Missing optional field [TargetSessionId]" "(2) Info: Missing optional field [TargetUrl]" "(2) Info: Missing optional field [TargetUserScopeId]" -"(2) Info: Missing optional field [TargetUserType]" "(2) Info: Missing optional field [ThreatCategory]" "(2) Info: Missing optional field [ThreatConfidence]" "(2) Info: Missing optional field [ThreatField]" diff --git a/Parsers/ASimAuthentication/Tests/SentinelOne_vimAuthentication_DataTest.csv b/Parsers/ASimAuthentication/Tests/SentinelOne_vimAuthentication_DataTest.csv index 47e7d3e2644..33d76df70ba 100644 --- a/Parsers/ASimAuthentication/Tests/SentinelOne_vimAuthentication_DataTest.csv +++ b/Parsers/ASimAuthentication/Tests/SentinelOne_vimAuthentication_DataTest.csv 
@@ -1,33 +1,36 @@ Result -"(0) Error: 1 invalid value(s) (up to 10 listed) in 1260 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:Authentication)" -"(0) Error: 1 invalid value(s) (up to 10 listed) in 1260 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [ActingAppName] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [ActingAppType] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [DvcId] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [DvcOsVersion] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [DvcOs] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [EventOriginalSeverity] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [EventSubType] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [RuleName] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [Rule] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in optional field [TargetDeviceType] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in recommended field [DvcHostname] (Schema:Authentication)" -"(2) Info: Empty value in 1246 records (98.89%) in recommended field [EventSeverity] (Schema:Authentication)" -"(2) Info: Empty value in 1254 records (99.52%) in optional field [TargetHostname] (Schema:Authentication)" -"(2) Info: Empty value in 1254 records (99.52%) in recommended field [Dst] (Schema:Authentication)" -"(2) Info: Empty value in 1254 records (99.52%) in recommended field [TargetHostname] (Schema:Authentication)" -"(2) Info: Empty value in 1258 records 
(99.84%) in optional field [DvcFQDN] (Schema:Authentication)" -"(2) Info: Empty value in 1258 records (99.84%) in recommended field [DvcDomain] (Schema:Authentication)" -"(2) Info: Empty value in 1260 records (100.0%) in optional field [TargetFQDN] (Schema:Authentication)" -"(2) Info: Empty value in 1260 records (100.0%) in recommended field [EventUid] (Schema:Authentication)" -"(2) Info: Empty value in 1260 records (100.0%) in recommended field [TargetDomain] (Schema:Authentication)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 1263 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:Authentication)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 1263 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [ActingAppName] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [ActingAppType] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [DvcId] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [DvcOsVersion] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [DvcOs] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [EventOriginalSeverity] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [EventOriginalSubType] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [EventSubType] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [RuleName] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [Rule] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in optional field [SrcDeviceType] (Schema:Authentication)" +"(2) 
Info: Empty value in 1249 records (98.89%) in recommended field [DvcHostname] (Schema:Authentication)" +"(2) Info: Empty value in 1249 records (98.89%) in recommended field [EventSeverity] (Schema:Authentication)" +"(2) Info: Empty value in 1257 records (99.52%) in optional field [SrcHostname] (Schema:Authentication)" +"(2) Info: Empty value in 1257 records (99.52%) in optional field [TargetHostname] (Schema:Authentication)" +"(2) Info: Empty value in 1257 records (99.52%) in recommended field [TargetHostname] (Schema:Authentication)" +"(2) Info: Empty value in 1261 records (99.84%) in optional field [DvcFQDN] (Schema:Authentication)" +"(2) Info: Empty value in 1261 records (99.84%) in recommended field [DvcDomain] (Schema:Authentication)" +"(2) Info: Empty value in 1263 records (100.0%) in optional field [SrcDomain] (Schema:Authentication)" +"(2) Info: Empty value in 1263 records (100.0%) in optional field [SrcFQDN] (Schema:Authentication)" +"(2) Info: Empty value in 1263 records (100.0%) in optional field [TargetFQDN] (Schema:Authentication)" +"(2) Info: Empty value in 1263 records (100.0%) in recommended field [TargetDomain] (Schema:Authentication)" "(2) Info: Empty value in 14 records (1.11%) in optional field [AdditionalFields] (Schema:Authentication)" "(2) Info: Empty value in 14 records (1.11%) in optional field [EventMessage] (Schema:Authentication)" +"(2) Info: Empty value in 14 records (1.11%) in optional field [EventOriginalResultDetails] (Schema:Authentication)" "(2) Info: Empty value in 14 records (1.11%) in optional field [EventOriginalUid] (Schema:Authentication)" +"(2) Info: Empty value in 14 records (1.11%) in optional field [TargetOriginalUserType] (Schema:Authentication)" "(2) Info: Empty value in 14 records (1.11%) in optional field [TargetUserScope] (Schema:Authentication)" -"(2) Info: Empty value in 236 records (18.73%) in optional field [EventOriginalResultDetails] (Schema:Authentication)" -"(2) Info: Empty value in 236 records (18.73%) in 
recommended field [EventResultDetails] (Schema:Authentication)" +"(2) Info: Empty value in 239 records (18.92%) in recommended field [EventResultDetails] (Schema:Authentication)" "(2) Info: Empty value in 8 records (0.63%) in optional field [TargetUserId] (Schema:Authentication)" -"(2) Info: Empty value in 954 records (75.71%) in recommended field [DvcIpAddr] (Schema:Authentication)" -"(2) Info: Empty value in 954 records (75.71%) in recommended field [SrcIpAddr] (Schema:Authentication)" -"(2) Info: Empty value in 954 records (75.71%) in recommended field [Src] (Schema:Authentication)" +"(2) Info: Empty value in 912 records (72.21%) in optional field [TargetUserType] (Schema:Authentication)" +"(2) Info: Empty value in 954 records (75.53%) in recommended field [SrcIpAddr] (Schema:Authentication)" +"(2) Info: Empty value in 954 records (75.53%) in recommended field [Src] (Schema:Authentication)" diff --git a/Parsers/ASimAuthentication/Tests/SentinelOne_vimAuthentication_SchemaTest.csv b/Parsers/ASimAuthentication/Tests/SentinelOne_vimAuthentication_SchemaTest.csv index 10f18edef22..f87eccb139f 100644 --- a/Parsers/ASimAuthentication/Tests/SentinelOne_vimAuthentication_SchemaTest.csv +++ b/Parsers/ASimAuthentication/Tests/SentinelOne_vimAuthentication_SchemaTest.csv @@ -1,5 +1,7 @@ Result +"(1) Warning: Missing recommended field [Dst]" "(1) Warning: Missing recommended field [DvcAction]" +"(1) Warning: Missing recommended field [DvcIpAddr]" "(2) Info: Missing optional alias [Application] aliasing non-existent column [TargetAppName]" "(2) Info: Missing optional field [ActingAppId]" "(2) Info: Missing optional field [ActorOriginalUserType]" 
@@ -16,7 +18,6 @@ "(2) Info: Missing optional field [DvcScopeId]" "(2) Info: Missing optional field [DvcScope]" "(2) Info: Missing optional field [DvcZone]" -"(2) Info: Missing optional field [EventOriginalSubType]" "(2) Info: Missing optional field [EventOwner]" "(2) Info: Missing optional field [EventProductVersion]" "(2) Info: Missing optional field [EventReportUrl]" @@ -26,27 +27,23 @@ "(2) Info: Missing optional field [LogonTarget]" "(2) Info: Missing optional field [RuleNumber]" "(2) Info: Missing optional field [SrcDescription]" -"(2) Info: Missing optional field [SrcDeviceType]" -"(2) Info: Missing optional field [SrcDomain]" "(2) Info: Missing optional field [SrcDvcId]" "(2) Info: Missing optional field [SrcDvcOs]" "(2) Info: Missing optional field [SrcDvcScopeId]" "(2) Info: Missing optional field [SrcDvcScope]" -"(2) Info: Missing optional field [SrcFQDN]" "(2) Info: Missing optional field [SrcGeoCity]" "(2) Info: Missing optional field [SrcGeoCountry]" "(2) Info: Missing optional field [SrcGeoLatitude]" "(2) Info: Missing optional field [SrcGeoLongitude]" "(2) Info: Missing optional field [SrcGeoRegion]" -"(2) Info: Missing optional field [SrcHostname]" "(2) Info: Missing optional field [SrcIsp]" "(2) Info: Missing optional field [SrcOriginalRiskLevel]" "(2) Info: Missing optional field [SrcPortNumber]" "(2) Info: Missing optional field [SrcRiskLevel]" "(2) Info: Missing optional field [TargetAppId]" "(2) Info: Missing optional field [TargetAppName]" -"(2) Info: Missing optional field [TargetAppType]" "(2) Info: Missing optional field [TargetDescription]" +"(2) Info: Missing optional field [TargetDeviceType]" "(2) Info: Missing optional field [TargetDvcId]" "(2) Info: Missing optional field [TargetDvcOs]" "(2) Info: Missing optional field [TargetDvcScopeId]" 
@@ -58,7 +55,6 @@ "(2) Info: Missing optional field [TargetGeoRegion]" "(2) Info: Missing optional field [TargetIpAddr]" "(2) Info: Missing optional field [TargetOriginalRiskLevel]" -"(2) Info: Missing optional field [TargetOriginalUserType]" "(2) Info: Missing optional field [TargetPortNumber]" "(2) Info: Missing optional field [TargetRiskLevel]" "(2) Info: Missing optional field [TargetSessionId]" @@ -66,7 +62,6 @@ "(2) Info: Missing optional field [TargetSessionId]" "(2) Info: Missing optional field [TargetUrl]" "(2) Info: Missing optional field [TargetUserScopeId]" -"(2) Info: Missing optional field [TargetUserType]" "(2) Info: Missing optional field [ThreatCategory]" "(2) Info: Missing optional field [ThreatConfidence]" "(2) Info: Missing optional field [ThreatField]" diff --git a/Sample Data/ASIM/SentinelOne_ASimAuthentication_RawLogs.json b/Sample Data/ASIM/SentinelOne_ASimAuthentication_RawLogs.json new file mode 100644 index 00000000000..e86f48a614e --- /dev/null +++ b/Sample Data/ASIM/SentinelOne_ASimAuthentication_RawLogs.json 
@@ -0,0 +1,4922 @@ +[ + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/21/2023, 5:30:03.212 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "0f81ec00-9e52-48e6-b899-eb3bbeede741", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "73ffdfe3-1bbd-6667-6750-684c8ca1c402", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "78d7744d-2837-40d2-aff4-bede5877836e", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": false, + "alertInfo_loginIsSuccessful": true, + "alertInfo_loginType": "REMOTE_INTERACTIVE", + "alertInfo_loginsUserName": "serviceuser", + "alertInfo_srcMachineIp": "1.1.1.1", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "73ffd9f9-7430-51bf-89fd-275f31272868", + "targetProcessInfo_tgtProcUid": "73ffdf8e-0a44-5079-fd74-243fc15cbe7e", + "sourceParentProcessInfo_storyline": "73ffdf8e-0a44-5079-fd74-243fc15cbe7c", + "sourceParentProcessInfo_uniqueId": "73ffdf8e-0a44-5079-fd74-243fc15cbe7d", + "sourceProcessInfo_storyline": "73ffdf8e-0a33-5079-fd74-243fc15cbe7c", + "sourceProcessInfo_uniqueId": "73ffdf8e-0a22-5079-fd74-243fc15cbe7c", + "agentDetectionInfo_machineType": "kubernetes node", + 
"agentDetectionInfo_name": "k8s-master", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.88.1.el7.x86_64", + "agentDetectionInfo_uuid": "73798876-6a5c-5ffe-07fb-6a90ea86b0c3", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1733235558748789000, + "agentRealtimeInfo_infected": false, + "agentRealtimeInfo_isActive": true, + "agentRealtimeInfo_isDecommissioned": false, + "agentRealtimeInfo_machineType": "kubernetes node", + "agentRealtimeInfo_name": "k8s-master", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "73798876-6a5c-5ffe-07fb-6a90ea86b0c3", + "alertInfo_alertId": 1733822712556310300, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/21/2023, 5:16:07.367 AM", + "alertInfo_dvEventId": "01H5VE0N9Z4AJFRJC81GKFVJ4J_299", + "alertInfo_eventType": "WINLOGONATTEMPT", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": true, + "alertInfo_reportedAt [UTC]": "7/21/2023, 5:16:13.769 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/21/2023, 5:16:13.769 AM", + "ruleInfo_id": 1733131884149349000, + "ruleInfo_name": "Login Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Login", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/sshd -D", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/sshd", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "sshd", + "sourceParentProcessInfo_pid": 963, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 
9:40:51.770 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sshd -D -R", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "f2e3a8c77dc72a358e5c3d0e4cabf278bf7dc211", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/host/usr/sbin/sshd", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sshd", + "sourceProcessInfo_pid": 65848, + "sourceProcessInfo_pidStarttime [UTC]": "7/21/2023, 5:15:39.120 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00.000 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00.000 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00.000 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + 
"agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + 
"threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reacheDaveentsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": 
"", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/21/2023, 5:30:03.212 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "AC644457DCBAD901", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "FB4511F580778F51", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "svchost.exe,FrameServer", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", 
+ "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": false, + "alertInfo_loginIsSuccessful": true, + "alertInfo_loginType": "REMOTE_INTERACTIVE", + "alertInfo_loginsUserName": "serviceuser", + "alertInfo_srcMachineIp": "1.1.1.2", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "FFDE12F580778F51", + "targetProcessInfo_tgtProcUid": "FFC79AC6A067F7A0", + "sourceParentProcessInfo_storyline": "FFC79AC6A067F6B0", + "sourceParentProcessInfo_uniqueId": "FFC79AC6A067F5D0", + "sourceProcessInfo_storyline": "FFC79AC6A067F7C0", + "sourceProcessInfo_uniqueId": "FFC79AC6A067F7D0", + "agentDetectionInfo_machineType": "kubernetes node", + "agentDetectionInfo_name": "k8s-master", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.88.1.el7.x86_64", + "agentDetectionInfo_uuid": "73798876-6a5c-5ffe-07fb-6a90ea86b0c3", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1733235558748789000, + "agentRealtimeInfo_infected": false, + "agentRealtimeInfo_isActive": true, + "agentRealtimeInfo_isDecommissioned": false, + "agentRealtimeInfo_machineType": "kubernetes node", + "agentRealtimeInfo_name": "k8s-master", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "73798876-6a5c-5ffe-07fb-6a90ea86b0c3", + "alertInfo_alertId": 1733823245350397700, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/21/2023, 5:17:08.002 AM", + "alertInfo_dvEventId": "01H5VE2FWZ8GQTM4HXTJY3X9VJ_384", + "alertInfo_eventType": "WINLOGONATTEMPT", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": true, + "alertInfo_reportedAt [UTC]": "7/21/2023, 5:17:17.283 AM", + 
"alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/21/2023, 5:17:17.283 AM", + "ruleInfo_id": 1733131884149349000, + "ruleInfo_name": "Login Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Login", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/sshd -D", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/sshd", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "sshd", + "sourceParentProcessInfo_pid": 963, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 9:40:51.770 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sshd -D -R", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "f2e3a8c77dc72a358e5c3d0e4cabf278bf7dc211", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/host/usr/sbin/sshd", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sshd", + "sourceProcessInfo_pid": 66340, + "sourceProcessInfo_pidStarttime [UTC]": "7/21/2023, 5:16:50.550 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00.000 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00.000 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": 
"1/1/1970, 12:00:00.000 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt 
[UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reacheDaveentsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + 
"siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": 
"RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/21/2023, 6:50:03.449 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": false, + "alertInfo_loginIsSuccessful": true, + "alertInfo_loginType": "REMOTE_INTERACTIVE", + "alertInfo_loginsUserName": "serviceuser", + "alertInfo_srcMachineIp": "1.1.1.3", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "kubernetes node", + "agentDetectionInfo_name": "k8s-master", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.88.1.el7.x86_64", + "agentDetectionInfo_uuid": "73798876-6a5c-5ffe-07fb-6a90ea86b0c3", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1733235558748789000, + "agentRealtimeInfo_infected": false, + 
"agentRealtimeInfo_isActive": true, + "agentRealtimeInfo_isDecommissioned": false, + "agentRealtimeInfo_machineType": "kubernetes node", + "agentRealtimeInfo_name": "k8s-master", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "73798876-6a5c-5ffe-07fb-6a90ea86b0c3", + "alertInfo_alertId": 1733863992178899700, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/21/2023, 6:38:07.655 AM", + "alertInfo_dvEventId": "01H5VJPSZY105Q9R3KAQDJKB8S_199", + "alertInfo_eventType": "WINLOGONATTEMPT", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": true, + "alertInfo_reportedAt [UTC]": "7/21/2023, 6:38:14.683 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/21/2023, 6:38:14.683 AM", + "ruleInfo_id": 1733131884149349000, + "ruleInfo_name": "Login Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Login", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/sshd -D", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/sshd", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "sshd", + "sourceParentProcessInfo_pid": 963, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 9:40:51.770 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sshd -D -R", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "f2e3a8c77dc72a358e5c3d0e4cabf278bf7dc211", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/host/usr/sbin/sshd", + "sourceProcessInfo_fileSignerIdentity": "", + 
"sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sshd", + "sourceProcessInfo_pid": 97697, + "sourceProcessInfo_pidStarttime [UTC]": "7/21/2023, 6:37:19.030 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00.000 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00.000 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00.000 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + 
"agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + 
"threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reacheDaveentsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + 
"osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/21/2023, 12:40:03.218 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": false, + "alertInfo_loginIsSuccessful": true, + "alertInfo_loginType": "REMOTE_INTERACTIVE", + "alertInfo_loginsUserName": "serviceuser", + "alertInfo_srcMachineIp": "1.1.1.4", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + 
"targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "cent7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": false, + "agentRealtimeInfo_isActive": true, + "agentRealtimeInfo_isDecommissioned": false, + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1734039916062504700, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/21/2023, 12:27:36.257 PM", + "alertInfo_dvEventId": "01H5W6PQAZMW74MP03PFC77JDY_6", + "alertInfo_eventType": "WINLOGONATTEMPT", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": true, + "alertInfo_reportedAt [UTC]": "7/21/2023, 12:27:46.445 PM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/21/2023, 12:27:46.445 PM", + "ruleInfo_id": 1733131884149349000, + "ruleInfo_name": "Login Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Login", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/sshd -D", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "f2e3a8c77dc72a358e5c3d0e4cabf278bf7dc211", + "sourceParentProcessInfo_fileHashSha256": "", + 
"sourceParentProcessInfo_filePath": "/usr/sbin/sshd", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "sshd", + "sourceParentProcessInfo_pid": 1114, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/21/2023, 6:39:49.340 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "/usr/sbin/sshd -D -R", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "f2e3a8c77dc72a358e5c3d0e4cabf278bf7dc211", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sshd", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sshd", + "sourceProcessInfo_pid": 9478, + "sourceProcessInfo_pidStarttime [UTC]": "7/21/2023, 12:26:09.620 PM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00.000 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00.000 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00.000 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + 
"agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + 
"threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reacheDaveentsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": 
"", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/21/2023, 8:40:04.319 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + 
"alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "WORKGROUP", + "alertInfo_loginAccountSid": "S-1-5-18", + "alertInfo_loginIsAdministratorEquivalent": false, + "alertInfo_loginIsSuccessful": true, + "alertInfo_loginType": "INTERACTIVE", + "alertInfo_loginsUserName": "Crest", + "alertInfo_srcMachineIp": "1.1.1.5", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "D23C0EF580778F51", + "sourceProcessInfo_uniqueId": "D13C0EF580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": false, + "agentRealtimeInfo_isActive": true, + "agentRealtimeInfo_isDecommissioned": false, + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1733918222338408700, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/21/2023, 8:25:44.089 AM", + "alertInfo_dvEventId": "01H5VRVY136CS3Z938DG03AHH6_125", + "alertInfo_eventType": "WINLOGONATTEMPT", + 
"alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": true, + "alertInfo_reportedAt [UTC]": "7/21/2023, 8:25:59.424 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/21/2023, 8:25:59.424 AM", + "ruleInfo_id": 1733131884149349000, + "ruleInfo_name": "Login Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Login", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:46.739 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s UserManager", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 2032, + 
"sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47.441 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00.000 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00.000 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00.000 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + 
"agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + 
"threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reacheDaveentsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + 
"rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/21/2023, 8:50:03.539 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "CLO007", + "alertInfo_loginAccountSid": "S-1-5-21-3622100493-2250088526-2058887289-1000", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": false, + "alertInfo_loginType": "NETWORK", + "alertInfo_loginsUserName": "Guest", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": 
"", + "sourceParentProcessInfo_storyline": "8C8712F580778F51", + "sourceParentProcessInfo_uniqueId": "8B8712F580778F51", + "sourceProcessInfo_storyline": "8F8712F580778F51", + "sourceProcessInfo_uniqueId": "8E8712F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": false, + "agentRealtimeInfo_isActive": true, + "agentRealtimeInfo_isDecommissioned": false, + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1733923786116792600, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/21/2023, 8:36:49.111 AM", + "alertInfo_dvEventId": "01H5VSG5P9CM96S5M7D37AMJQ2_59", + "alertInfo_eventType": "WINLOGONATTEMPT", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": true, + "alertInfo_reportedAt [UTC]": "7/21/2023, 8:37:02.677 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/21/2023, 8:37:02.677 AM", + "ruleInfo_id": 1733131884149349000, + "ruleInfo_name": "Login Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Login", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\userinit.exe", + "sourceParentProcessInfo_fileHashMd5": "fc003295-bccc-472c-f80d-e65788f64978", + "sourceParentProcessInfo_fileHashSha1": "43246106034f0fcbb07ecda6be3635a967bac688", + "sourceParentProcessInfo_fileHashSha256": 
"f098ce116049a2024fa282fd62764159f451a9c1cc21a7845d155d439cf52b27", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\userinit.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceParentProcessInfo_integrityLevel": "medium", + "sourceParentProcessInfo_name": "userinit.exe", + "sourceParentProcessInfo_pid": 10796, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/21/2023, 4:49:44.429 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "CLO007\\Crest", + "sourceProcessInfo_commandline": "C:\\Windows\\Explorer.EXE", + "sourceProcessInfo_fileHashMd5": "357b678c-68d3-d5ee-86e1-b706fbfd994b", + "sourceProcessInfo_fileHashSha1": "a4e4e2bc502e4ab249b219da357d1aad163ab175", + "sourceProcessInfo_fileHashSha256": "8375581b32e510a1ddf90b1ff8ffb8a756d71e1d5572b1c7c027e9b7393ccd3b", + "sourceProcessInfo_filePath": "C:\\Windows\\explorer.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "medium", + "sourceProcessInfo_name": "explorer.exe", + "sourceProcessInfo_pid": 5000, + "sourceProcessInfo_pidStarttime [UTC]": "7/21/2023, 4:49:44.522 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "CLO007\\Crest", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00.000 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00.000 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00.000 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + 
"agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + 
"threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reacheDaveentsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", 
+ "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/21/2023, 5:00:04.226 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + 
"alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "WORKGROUP", + "alertInfo_loginAccountSid": "S-1-5-18", + "alertInfo_loginIsAdministratorEquivalent": false, + "alertInfo_loginIsSuccessful": true, + "alertInfo_loginType": "INTERACTIVE", + "alertInfo_loginsUserName": "DWM-5", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "D98512F580778F51", + "sourceParentProcessInfo_uniqueId": "D88512F580778F51", + "sourceProcessInfo_storyline": "DD8512F580778F51", + "sourceProcessInfo_uniqueId": "DC8512F580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": false, + "agentRealtimeInfo_isActive": true, + "agentRealtimeInfo_isDecommissioned": false, + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": 
"f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1733809571306024200, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/21/2023, 4:49:54.878 AM", + "alertInfo_dvEventId": "01H5VCGKX654Z6M4GRY5GYDXEQ_319", + "alertInfo_eventType": "WINLOGONATTEMPT", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": true, + "alertInfo_reportedAt [UTC]": "7/21/2023, 4:50:07.209 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/21/2023, 4:50:07.209 AM", + "ruleInfo_id": 1733131884149349000, + "ruleInfo_name": "Login Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Login\" OR EventType = \"Logout", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "\\SystemRoot\\System32\\smss.exe 00000118 000000c0 C:\\Windows\\System32\\WinLogon.exe -SpecialSession", + "sourceParentProcessInfo_fileHashMd5": "49ce4a7f-ed5d-271a-0142-6f2bc262d23c", + "sourceParentProcessInfo_fileHashSha1": "746f5ae87f13a46e88088dea31d1362727b9ec49", + "sourceParentProcessInfo_fileHashSha256": "b6800c2ca4bfec26c8b8553beee774f4ebab741b1a48adcccce79f07062977be", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\smss.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "smss.exe", + "sourceParentProcessInfo_pid": 12104, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 1:42:45.411 PM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\System32\\WinLogon.exe -SpecialSession", + "sourceProcessInfo_fileHashMd5": "bc97817d-5acf-afc4-ab85-ed9c3c576161", + "sourceProcessInfo_fileHashSha1": "2a142db7d20ea7dd8e63341a7cc4c4035c461e64", + 
"sourceProcessInfo_fileHashSha256": "51750130dcf9442a22eb3a4a4e2ebe77519c95955c9b843abcfe0d03e0ede05a", + "sourceProcessInfo_filePath": "C:\\Windows\\System32\\winlogon.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "winlogon.exe", + "sourceProcessInfo_pid": 15044, + "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 1:42:45.436 PM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00.000 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00.000 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00.000 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + 
"agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + 
"threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reacheDaveentsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + 
"locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/21/2023, 5:40:04.395 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": true, + "alertInfo_loginIsSuccessful": true, + "alertInfo_loginType": "REMOTE_INTERACTIVE", + "alertInfo_loginsUserName": "root", + 
"alertInfo_srcMachineIp": "1.1.1.5", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "server", + "agentDetectionInfo_name": "CENT7", + "agentDetectionInfo_osFamily": "linux", + "agentDetectionInfo_osName": "Linux", + "agentDetectionInfo_osRevision": "CentOS release 7.9.2009 (Core) 3.10.0-1160.92.1.el7.x86_64", + "agentDetectionInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "agentDetectionInfo_version": "23.1.2.9", + "agentRealtimeInfo_id": 1713059693172741400, + "agentRealtimeInfo_infected": false, + "agentRealtimeInfo_isActive": true, + "agentRealtimeInfo_isDecommissioned": false, + "agentRealtimeInfo_machineType": "server", + "agentRealtimeInfo_name": "cent7", + "agentRealtimeInfo_os": "linux", + "agentRealtimeInfo_uuid": "6a01777a-1992-45e9-ae8c-5dcfd4475f87", + "alertInfo_alertId": 1733828758193028000, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/21/2023, 5:28:06.847 AM", + "alertInfo_dvEventId": "01H5VEPM5AM6WHVTGF1WKQD7M3_25", + "alertInfo_eventType": "WINLOGONATTEMPT", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": true, + "alertInfo_reportedAt [UTC]": "7/21/2023, 5:28:14.464 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/21/2023, 5:28:14.464 AM", + "ruleInfo_id": 1733131884149349000, + "ruleInfo_name": "Login Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Login", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": 
"UNDEFINED", + "sourceParentProcessInfo_commandline": "/usr/sbin/sshd -D -R", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "f2e3a8c77dc72a358e5c3d0e4cabf278bf7dc211", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "/usr/sbin/sshd", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "unknown", + "sourceParentProcessInfo_name": "sshd", + "sourceParentProcessInfo_pid": 59549, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/21/2023, 5:27:28.900 AM", + "sourceParentProcessInfo_subsystem": "unknown", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "sshd: root@pts/0", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "f2e3a8c77dc72a358e5c3d0e4cabf278bf7dc211", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "/usr/sbin/sshd", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "unknown", + "sourceProcessInfo_name": "sshd", + "sourceProcessInfo_pid": 59555, + "sourceProcessInfo_pidStarttime [UTC]": "7/21/2023, 5:27:34.520 AM", + "sourceProcessInfo_subsystem": "unknown", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00.000 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "unsigned", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00.000 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00.000 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 
1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + 
"threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reacheDaveentsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + 
"allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 6:40:03.934 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": 
"", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "WORKGROUP", + "alertInfo_loginAccountSid": "S-1-5-18", + "alertInfo_loginIsAdministratorEquivalent": false, + "alertInfo_loginIsSuccessful": true, + "alertInfo_loginType": "INTERACTIVE", + "alertInfo_loginsUserName": "Crest", + "alertInfo_srcMachineIp": "1.1.1.5", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "D23C0EF580778F51", + "sourceProcessInfo_uniqueId": "D13C0EF580778F51", + "agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": false, + "agentRealtimeInfo_isActive": true, + "agentRealtimeInfo_isDecommissioned": false, + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + 
"alertInfo_alertId": 1736756099655035400, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/25/2023, 6:23:59.251 AM", + "alertInfo_dvEventId": "01H65VFT5FJT5WRW54TT0TPT5X_178", + "alertInfo_eventType": "WINLOGONATTEMPT", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": true, + "alertInfo_reportedAt [UTC]": "7/25/2023, 6:24:20.761 AM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/25/2023, 6:24:20.761 AM", + "ruleInfo_id": 1736743171400115500, + "ruleInfo_name": "CWL547", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EndpointName = \"CLO007", + "ruleInfo_scopeLevel": "account", + "ruleInfo_severity": "Medium", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "C:\\Windows\\system32\\services.exe", + "sourceParentProcessInfo_fileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "sourceParentProcessInfo_fileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "sourceParentProcessInfo_fileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\services.exe", + "sourceParentProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER", + "sourceParentProcessInfo_integrityLevel": "system", + "sourceParentProcessInfo_name": "services.exe", + "sourceParentProcessInfo_pid": 8, + "sourceParentProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:46.739 AM", + "sourceParentProcessInfo_subsystem": "sys_win32", + "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "sourceProcessInfo_commandline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s UserManager", + "sourceProcessInfo_fileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "sourceProcessInfo_fileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "sourceProcessInfo_fileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + 
"sourceProcessInfo_filePath": "C:\\Windows\\System32\\svchost.exe", + "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS", + "sourceProcessInfo_integrityLevel": "system", + "sourceProcessInfo_name": "svchost.exe", + "sourceProcessInfo_pid": 2032, + "sourceProcessInfo_pidStarttime [UTC]": "7/17/2023, 10:22:47.441 AM", + "sourceProcessInfo_subsystem": "sys_win32", + "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00.000 AM", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "signed", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00.000 AM", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "unknown", + "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00.000 AM", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": 1712500237934148900, + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": 1712500242422055200, + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + 
"agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + 
"threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reacheDaveentsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": "", + "accountName": "", + "activityType": "", + "activityUuid": "", + "createdAt [UTC]": "", + "id": "", + "primaryDescription": "", + "secondaryDescription": "", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "", + "userId": "", + "event_name": "Alerts.", + "DataFields": "", + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + 
"mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/26/2023, 12:50:03.507 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + 
"targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected": "", + "agentRealtimeInfo_isActive": "", + "agentRealtimeInfo_isDecommissioned": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + 
"sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + 
"agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + 
"threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reacheDaveentsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 27, + "activityUuid": "d985cfbc-6237-4c90-a96e-b4163d6361fc", + "createdAt [UTC]": "7/26/2023, 12:34:34.382 PM", + "id": 1737667216743959600, + "primaryDescription": "The management user Jack logged in to the management console with IP Address 1.1.1.1.", + "secondaryDescription": "IP address: 1.1.1.1", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "7/26/2023, 12:34:34.377 PM", + "userId": 1722465965663983400, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "fullScopeDetails": "Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems", + "groupName": null, + "ipAddress": "1.1.1.1", + "realUser": null, + "reason": null, + "role": "Admin", + "scopeLevel": "Account", + "scopeName": "Crest Data Systems", + "siteName": null, + "source": "mgmt", + "sourceType": "UI", + "userScope": "account", + "username": "Jack" + }, + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", 
+ "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/27/2023, 5:00:13.116 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + 
"targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected": "", + "agentRealtimeInfo_isActive": "", + "agentRealtimeInfo_isDecommissioned": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + 
"ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + 
"agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + 
"threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reacheDaveentsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 27, + "activityUuid": "8e51cc95-293a-45dc-b44e-4a0b3bafc1d3", + "createdAt [UTC]": "7/27/2023, 4:43:02.582 AM", + "id": 1738154663645986000, + "primaryDescription": "The management user Dave Patel logged in to the management console with IP Address 1.1.1.1.", + "secondaryDescription": "IP address: 1.1.1.1", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "7/27/2023, 4:43:02.574 AM", + "userId": 1716583470262263000, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "fullScopeDetails": "Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems", + "groupName": null, + "ipAddress": "1.1.1.1", + "realUser": null, + 
"reason": null, + "role": "Admin", + "scopeLevel": "Account", + "scopeName": "Crest Data Systems", + "siteName": null, + "source": "mgmt", + "sourceType": "UI", + "userScope": "account", + "username": "Dave Patel" + }, + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + 
"_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/27/2023, 5:30:30.296 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected": "", + "agentRealtimeInfo_isActive": "", + "agentRealtimeInfo_isDecommissioned": "", + 
"agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + 
"targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + 
"agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reacheDaveentsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 33, + "activityUuid": "3ce06642-38a3-4bf4-9299-7a572011ae22", + "createdAt [UTC]": "7/27/2023, 5:13:53.227 
AM", + "id": 1738170187992149500, + "primaryDescription": "The management user Dave Patel logged out of the management console.", + "secondaryDescription": "IP address: 1.1.1.1", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "7/27/2023, 5:13:53.221 AM", + "userId": 1716583470262263000, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "fullScopeDetails": "Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems", + "groupName": null, + "ipAddress": "1.1.1.1", + "realUser": null, + "role": "Admin", + "scopeLevel": "Account", + "scopeName": "Crest Data Systems", + "siteName": null, + "sourceType": "UI", + "userScope": "account", + "username": "Dave Patel" + }, + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + 
"rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/27/2023, 7:20:03.555 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + 
"sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected": "", + "agentRealtimeInfo_isActive": "", + "agentRealtimeInfo_isDecommissioned": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + 
"sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + 
"agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + 
"threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reacheDaveentsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 33, + "activityUuid": "a26ae595-71f2-426d-a7c1-d17e982a2c77", + "createdAt [UTC]": "7/27/2023, 7:04:49.720 AM", + "id": 1738226026702715400, + "primaryDescription": "The management user Jack logged out of the management console.", + "secondaryDescription": "IP address: 1.1.1.1", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "7/27/2023, 7:04:49.715 AM", + "userId": 1722465965663983400, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "fullScopeDetails": "Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems", + "groupName": null, + "ipAddress": "1.1.1.1", + "realUser": null, + "role": "Admin", + "scopeLevel": "Account", + "scopeName": "Crest Data Systems", + "siteName": null, + "sourceType": "UI", + "userScope": "account", + "username": "Jack" + }, + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": 
"", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/24/2023, 11:10:02.861 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + 
"alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected": "", + "agentRealtimeInfo_isActive": "", + "agentRealtimeInfo_isDecommissioned": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + 
"sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + 
"agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + 
"threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reacheDaveentsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 133, + "activityUuid": "3333bba1-1b75-4526-b4ac-3aa17c74da31", + "createdAt [UTC]": "7/24/2023, 10:50:54.397 PM", + "id": 1736527876126354700, + "primaryDescription": "The management user Dave Patel failed to log in to the management console.", + "secondaryDescription": "", + "siteId": 1712500242422055200, + "siteName": "Default site", + "updatedAt [UTC]": "7/24/2023, 10:50:54.395 PM", + "userId": 1716583470262263000, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "fullScopeDetails": "Site Default site of Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems / Default site", + "groupName": null, + "ipAddress": null, + "realUser": null, + "role": null, + "scopeLevel": "Site", + "scopeName": "Default site", + "siteName": "Default site", + "sourceType": "API", + "userScope": "site", + "username": "Dave Patel" + }, + "description": "", + "comments": "no active site", + "activeDirectory_computerMemberOf": "", + 
"activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": "", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/24/2023, 11:10:02.861 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + 
"alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected": "", + "agentRealtimeInfo_isActive": "", + "agentRealtimeInfo_isDecommissioned": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": 
"", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits": "", + "isDefault": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + 
"agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected": "", + "agentRealtimeInfo_agentIsActive": "", + "agentRealtimeInfo_agentIsDecommissioned": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + 
"threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists": "", + "threatInfo_failedActions": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless": "", + "threatInfo_isValidCertificate": "", + "threatInfo_mitigatedPreemptively": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reacheDaveentsLimit": "", + "threatInfo_rebootRequired": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 133, + "activityUuid": "4240a5e6-adf4-48fe-9243-a042c76739a5", + "createdAt [UTC]": "7/24/2023, 10:55:44.928 PM", + "id": 1736530313294199000, + "primaryDescription": "The management user Dave Patel failed to log in to the management console.", + "secondaryDescription": "", + "siteId": 1712500242422055200, + "siteName": "Default site", + "updatedAt [UTC]": "7/24/2023, 10:55:44.926 PM", 
+ "userId": 1716583470262263000, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "fullScopeDetails": "Site Default site of Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems / Default site", + "groupName": null, + "ipAddress": null, + "realUser": null, + "role": null, + "scopeLevel": "Site", + "scopeName": "Default site", + "siteName": "Default site", + "sourceType": "API", + "userScope": "site", + "username": "Dave Patel" + }, + "description": "", + "comments": "no active site", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications": "", + "externalId": "", + "externalIp": "", + "firewallEnabled": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession": "", + "infected": "", + "installerType": "", + "isActive": "", + "isDecommissioned": "", + "isPendingUninstall": "", + "isUninstalled": "", + "isUpToDate": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon": 
"", + "tags_sentinelone": "", + "threatRebootRequired": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 1:20:05.436 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "WORKGROUP", + "alertInfo_loginAccountSid": "S-1-5-18", + "alertInfo_loginIsAdministratorEquivalent": false, + "alertInfo_loginIsSuccessful": true, + "alertInfo_loginType": "INTERACTIVE", + "alertInfo_loginsUserName": "DWM-4", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "D57E12F580778F51", + "sourceParentProcessInfo_uniqueId": "D47E12F580778F51", + "sourceProcessInfo_storyline": "DB7E12F580778F51", + "sourceProcessInfo_uniqueId": "DA7E12F580778F51", + 
"agentDetectionInfo_machineType": "laptop", + "agentDetectionInfo_name": "CLO007", + "agentDetectionInfo_osFamily": "windows", + "agentDetectionInfo_osName": "Windows 11 Pro", + "agentDetectionInfo_osRevision": 22621, + "agentDetectionInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "agentDetectionInfo_version": "23.1.2.400", + "agentRealtimeInfo_id": 1730979466865875700, + "agentRealtimeInfo_infected": false, + "agentRealtimeInfo_isActive": true, + "agentRealtimeInfo_isDecommissioned": false, + "agentRealtimeInfo_machineType": "laptop", + "agentRealtimeInfo_name": "CLO007", + "agentRealtimeInfo_os": "windows", + "agentRealtimeInfo_uuid": "f25c1ccd-5039-4dcf-812e-79a2aede6358", + "alertInfo_alertId": 1733334535613272300, + "alertInfo_analystVerdict": "Undefined", + "alertInfo_createdAt [UTC]": "7/20/2023, 1:06:06.398 PM", + "alertInfo_dvEventId": "01H5SPGE2BKCTFNPDW0YQH4B13_100", + "alertInfo_eventType": "WINLOGONATTEMPT", + "alertInfo_hitType": "Events", + "alertInfo_incidentStatus": "Unresolved", + "alertInfo_isEdr": true, + "alertInfo_reportedAt [UTC]": "7/20/2023, 1:06:18.543 PM", + "alertInfo_source": "STAR", + "alertInfo_updatedAt [UTC]": "7/20/2023, 1:06:18.543 PM", + "ruleInfo_id": 1733131884149349000, + "ruleInfo_name": "Login Test", + "ruleInfo_queryLang": 1, + "ruleInfo_queryType": "events", + "ruleInfo_s1ql": "EventType = \"Login\" OR EventType = \"Logout", + "ruleInfo_scopeLevel": "site", + "ruleInfo_severity": "Low", + "ruleInfo_treatAsThreat": "UNDEFINED", + "sourceParentProcessInfo_commandline": "\\SystemRoot\\System32\\smss.exe 00000100 000000c0", + "sourceParentProcessInfo_fileHashMd5": "49ce4a7f-ed5d-271a-0142-6f2bc262d23c", + "sourceParentProcessInfo_fileHashSha1": "746f5ae87f13a46e88088dea31d1362727b9ec49", + "sourceParentProcessInfo_fileHashSha256": "b6800c2ca4bfec26c8b8553beee774f4ebab741b1a48adcccce79f07062977be", + "sourceParentProcessInfo_filePath": "C:\\Windows\\System32\\smss.exe", + "sourceParentProcessInfo_fileSignerIdentity": 
"MICROSOFT WINDOWS PUBLISHER",
+ "sourceParentProcessInfo_integrityLevel": "system",
+ "sourceParentProcessInfo_name": "smss.exe",
+ "sourceParentProcessInfo_pid": 1292,
+ "sourceParentProcessInfo_pidStarttime [UTC]": "7/20/2023, 1:05:12.847 PM",
+ "sourceParentProcessInfo_subsystem": "sys_win32",
+ "sourceParentProcessInfo_user": "NT AUTHORITY\\SYSTEM",
+ "sourceProcessInfo_commandline": "winlogon.exe",
+ "sourceProcessInfo_fileHashMd5": "bc97817d-5acf-afc4-ab85-ed9c3c576161",
+ "sourceProcessInfo_fileHashSha1": "2a142db7d20ea7dd8e63341a7cc4c4035c461e64",
+ "sourceProcessInfo_fileHashSha256": "51750130dcf9442a22eb3a4a4e2ebe77519c95955c9b843abcfe0d03e0ede05a",
+ "sourceProcessInfo_filePath": "C:\\Windows\\System32\\winlogon.exe",
+ "sourceProcessInfo_fileSignerIdentity": "MICROSOFT WINDOWS",
+ "sourceProcessInfo_integrityLevel": "system",
+ "sourceProcessInfo_name": "winlogon.exe",
+ "sourceProcessInfo_pid": 17052,
+ "sourceProcessInfo_pidStarttime [UTC]": "7/20/2023, 1:05:12.892 PM",
+ "sourceProcessInfo_subsystem": "sys_win32",
+ "sourceProcessInfo_user": "NT AUTHORITY\\SYSTEM",
+ "targetProcessInfo_tgtFileCreatedAt [UTC]": "1/1/1970, 12:00:00.000 AM",
+ "targetProcessInfo_tgtFileHashSha1": "",
+ "targetProcessInfo_tgtFileHashSha256": "",
+ "targetProcessInfo_tgtFileIsSigned": "signed",
+ "targetProcessInfo_tgtFileModifiedAt [UTC]": "1/1/1970, 12:00:00.000 AM",
+ "targetProcessInfo_tgtFilePath": "",
+ "targetProcessInfo_tgtProcIntegrityLevel": "unknown",
+ "targetProcessInfo_tgtProcessStartTime [UTC]": "1/1/1970, 12:00:00.000 AM",
+ "agentUpdatedVersion": "",
+ "agentId": "",
+ "hash": "",
+ "osFamily": "",
+ "threatId": "",
+ "creator": "",
+ "creatorId": "",
+ "inherits": "",
+ "isDefault": "",
+ "name": "",
+ "registrationToken": "",
+ "totalAgents": "",
+ "type": "",
+ "agentDetectionInfo_accountId": 1712500237934148900,
+ "agentDetectionInfo_accountName": "",
+ "agentDetectionInfo_agentDetectionState": "",
+ "agentDetectionInfo_agentDomain": "",
+ "agentDetectionInfo_agentIpV4": "",
+ "agentDetectionInfo_agentIpV6": "",
+ "agentDetectionInfo_agentLastLoggedInUserName": "",
+ "agentDetectionInfo_agentMitigationMode": "",
+ "agentDetectionInfo_agentOsName": "",
+ "agentDetectionInfo_agentOsRevision": "",
+ "agentDetectionInfo_agentRegisteredAt [UTC]": "",
+ "agentDetectionInfo_agentUuid": "",
+ "agentDetectionInfo_agentVersion": "",
+ "agentDetectionInfo_externalIp": "",
+ "agentDetectionInfo_groupId": "",
+ "agentDetectionInfo_groupName": "",
+ "agentDetectionInfo_siteId": 1712500242422055200,
+ "agentDetectionInfo_siteName": "",
+ "agentRealtimeInfo_accountId": "",
+ "agentRealtimeInfo_accountName": "",
+ "agentRealtimeInfo_activeThreats": "",
+ "agentRealtimeInfo_agentComputerName": "",
+ "agentRealtimeInfo_agentDomain": "",
+ "agentRealtimeInfo_agentId": "",
+ "agentRealtimeInfo_agentInfected": "",
+ "agentRealtimeInfo_agentIsActive": "",
+ "agentRealtimeInfo_agentIsDecommissioned": "",
+ "agentRealtimeInfo_agentMachineType": "",
+ "agentRealtimeInfo_agentMitigationMode": "",
+ "agentRealtimeInfo_agentNetworkStatus": "",
+ "agentRealtimeInfo_agentOsName": "",
+ "agentRealtimeInfo_agentOsRevision": "",
+ "agentRealtimeInfo_agentOsType": "",
+ "agentRealtimeInfo_agentUuid": "",
+ "agentRealtimeInfo_agentVersion": "",
+ "agentRealtimeInfo_groupId": "",
+ "agentRealtimeInfo_groupName": "",
+ "agentRealtimeInfo_networkInterfaces": "",
+ "agentRealtimeInfo_operationalState": "",
+ "agentRealtimeInfo_rebootRequired": "",
+ "agentRealtimeInfo_scanFinishedAt [UTC]": "",
+ "agentRealtimeInfo_scanStartedAt [UTC]": "",
+ "agentRealtimeInfo_scanStatus": "",
+ "agentRealtimeInfo_siteId": "",
+ "agentRealtimeInfo_siteName": "",
+ "agentRealtimeInfo_userActionsNeeded": "",
+ "indicators": "",
+ "mitigationStatus": "",
+ "threatInfo_analystVerdict": "",
+ "threatInfo_analystVerdictDescription": "",
+ "threatInfo_automaticallyResolved": "",
+ "threatInfo_certificateId": "",
+ "threatInfo_classification": "",
+ "threatInfo_classificationSource": "",
+ "threatInfo_cloudFilesHashVerdict": "",
+ "threatInfo_collectionId": "",
+ "threatInfo_confidenceLevel": "",
+ "threatInfo_createdAt [UTC]": "",
+ "threatInfo_detectionEngines": "",
+ "threatInfo_detectionType": "",
+ "threatInfo_engines": "",
+ "threatInfo_externalTicketExists": "",
+ "threatInfo_failedActions": "",
+ "threatInfo_fileExtension": "",
+ "threatInfo_fileExtensionType": "",
+ "threatInfo_filePath": "",
+ "threatInfo_fileSize": "",
+ "threatInfo_fileVerificationType": "",
+ "threatInfo_identifiedAt [UTC]": "",
+ "threatInfo_incidentStatus": "",
+ "threatInfo_incidentStatusDescription": "",
+ "threatInfo_initiatedBy": "",
+ "threatInfo_initiatedByDescription": "",
+ "threatInfo_isFileless": "",
+ "threatInfo_isValidCertificate": "",
+ "threatInfo_mitigatedPreemptively": "",
+ "threatInfo_mitigationStatus": "",
+ "threatInfo_mitigationStatusDescription": "",
+ "threatInfo_originatorProcess": "",
+ "threatInfo_pendingActions": "",
+ "threatInfo_processUser": "",
+ "threatInfo_publisherName": "",
+ "threatInfo_reacheDaveentsLimit": "",
+ "threatInfo_rebootRequired": "",
+ "threatInfo_sha1": "",
+ "threatInfo_storyline": "",
+ "threatInfo_threatId": "",
+ "threatInfo_threatName": "",
+ "threatInfo_updatedAt [UTC]": "",
+ "whiteningOptions": "",
+ "threatInfo_maliciousProcessArguments": "",
+ "accountId": "",
+ "accountName": "",
+ "activityType": "",
+ "activityUuid": "",
+ "createdAt [UTC]": "",
+ "id": "",
+ "primaryDescription": "",
+ "secondaryDescription": "",
+ "siteId": "",
+ "siteName": "",
+ "updatedAt [UTC]": "",
+ "userId": "",
+ "event_name": "Alerts.",
+ "DataFields": "",
+ "description": "",
+ "comments": "",
+ "activeDirectory_computerMemberOf": "",
+ "activeDirectory_lastUserMemberOf": "",
+ "activeThreats": "",
+ "agentVersion": "",
+ "allowRemoteShell": "",
+ "appsVulnerabilityStatus": "",
+ "computerName": "",
+ "consoleMigrationStatus": "",
+ "coreCount": "",
+ "cpuCount": "",
+ "cpuId": "",
+ "detectionState": "",
+ "domain": "",
+ "encryptedApplications": "",
+ "externalId": "",
+ "externalIp": "",
+ "firewallEnabled": "",
+ "firstFullModeTime [UTC]": "",
+ "fullDiskScanLastUpdatedAt [UTC]": "",
+ "groupId": "",
+ "groupIp": "",
+ "groupName": "",
+ "inRemoteShellSession": "",
+ "infected": "",
+ "installerType": "",
+ "isActive": "",
+ "isDecommissioned": "",
+ "isPendingUninstall": "",
+ "isUninstalled": "",
+ "isUpToDate": "",
+ "lastActiveDate [UTC]": "",
+ "lastIpToMgmt": "",
+ "lastLoggedInUserName": "",
+ "licenseKey": "",
+ "locationEnabled": "",
+ "locationType": "",
+ "locations": "",
+ "machineType": "",
+ "mitigationMode": "",
+ "mitigationModeSuspicious": "",
+ "modelName": "",
+ "networkInterfaces": "",
+ "networkQuarantineEnabled": "",
+ "networkStatus": "",
+ "operationalState": "",
+ "osArch": "",
+ "osName": "",
+ "osRevision": "",
+ "osStartTime [UTC]": "",
+ "osType": "",
+ "rangerStatus": "",
+ "rangerVersion": "",
+ "registeredAt [UTC]": "",
+ "remoteProfilingState": "",
+ "scanFinishedAt [UTC]": "",
+ "scanStartedAt [UTC]": "",
+ "scanStatus": "",
+ "serialNumber": "",
+ "showAlertIcon": "",
+ "tags_sentinelone": "",
+ "threatRebootRequired": "",
+ "totalMemory": "",
+ "userActionsNeeded": "",
+ "uuid": "",
+ "osUsername": "",
+ "scanAbortedAt [UTC]": "",
+ "activeDirectory_computerDistinguishedName": "",
+ "activeDirectory_lastUserDistinguishedName": "",
+ "Type": "SentinelOne_CL",
+ "_ResourceId": ""
+ }
+]
\ No newline at end of file
