diff --git a/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/DCR.json b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/DCR.json
new file mode 100644
index 00000000000..7901f698342
--- /dev/null
+++ b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/DCR.json
@@ -0,0 +1,688 @@ +{ + "name": "SentinelOneActivitiesDCR", + "apiVersion": "2021-09-01-preview", + "location": "[parameters('workspace-location')]", + "type": "Microsoft.Insights/dataCollectionRules", + "properties": { + "streamDeclarations": { + "Custom-SentinelOneActivities_API": { + "columns": [ + { + "name": "agentUpdatedVersion", + "type": "string", + "description": "The version of the agent that was updated." + }, + { + "name": "userId", + "type": "string", + "description": "The unique identifier for the user." + }, + { + "name": "threatId", + "type": "string", + "description": "The unique identifier for the threat." + }, + { + "name": "primaryDescription", + "type": "string", + "description": "The primary description of the event." + }, + { + "name": "secondaryDescription", + "type": "string", + "description": "The secondary description of the event." + }, + { + "name": "id", + "type": "string", + "description": "The unique identifier for the record." + }, + { + "name": "groupId", + "type": "string", + "description": "The unique identifier for the group." + }, + { + "name": "createdAt", + "type": "datetime", + "description": "The timestamp (UTC) when the record was created." + }, + { + "name": "accountName", + "type": "string", + "description": "The name of the account associated with the event." + }, + { + "name": "data", + "type": "string", + "description": "Activity metadata." + }, + { + "name": "agentId", + "type": "string", + "description": "The unique identifier for the agent." + }, + { + "name": "hash", + "type": "string", + "description": "The hash associated with the event." + }, + { + "name": "updatedAt", + "type": "string", + "description": "The timestamp (UTC) when the record was last updated." + }, + { + "name": "description", + "type": "string", + "description": "The description of the event." + }, + { + "name": "activityUuid", + "type": "string", + "description": "The UUID of the activity associated with the event." 
+ }, + { + "name": "siteId", + "type": "string", + "description": "The unique identifier for the site." + }, + { + "name": "activityType", + "type": "real", + "description": "The type of activity represented by an integer." + }, + { + "name": "siteName", + "type": "string", + "description": "The name of the site associated with the event." + }, + { + "name": "accountId", + "type": "string", + "description": "The unique identifier for the account." + }, + { + "name": "osFamily", + "type": "string", + "description": "The operating system family, such as macOS." + }, + { + "name": "groupName", + "type": "string", + "description": "The name of the group associated with the event." + }, + { + "name": "comments", + "type": "string", + "description": "Any comments associated with the event." + } + ] + }, + "Custom-SentinelOneAgents_API": { + "columns": [ + { + "name": "uuid", + "type": "string", + "description": "The unique identifier for the object." + }, + { + "name": "mitigationMode", + "type": "string", + "description": "The mitigation mode applied." + }, + { + "name": "networkStatus", + "type": "string", + "description": "The network status of the object." + }, + { + "name": "installerType", + "type": "string", + "description": "The type of installer used." + }, + { + "name": "mitigationModeSuspicious", + "type": "string", + "description": "The suspicious mitigation mode applied." + }, + { + "name": "isPendingUninstall", + "type": "boolean", + "description": "Indicates whether the object is pending uninstallation." + }, + { + "name": "inRemoteShellSession", + "type": "boolean", + "description": "Indicates whether the object is in a remote shell session." + }, + { + "name": "lastLoggedInUserName", + "type": "string", + "description": "The username of the last logged-in user." + }, + { + "name": "osRevision", + "type": "string", + "description": "The OS revision." + }, + { + "name": "osArch", + "type": "string", + "description": "The OS architecture." 
+ }, + { + "name": "id", + "type": "string", + "description": "The unique identifier for the object." + }, + { + "name": "computerName", + "type": "string", + "description": "The name of the computer." + }, + { + "name": "totalMemory", + "type": "real", + "description": "The total memory available in MB." + }, + { + "name": "createdAt", + "type": "datetime", + "description": "The timestamp (UTC) when the object was created." + }, + { + "name": "groupId", + "type": "string", + "description": "The unique identifier for the group." + }, + { + "name": "lastActiveDate", + "type": "string", + "description": "The timestamp (UTC) when the object was last active." + }, + { + "name": "fullDiskScanLastUpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the full disk scan was last updated." + }, + { + "name": "allowRemoteShell", + "type": "boolean", + "description": "Indicates whether remote shell is allowed." + }, + { + "name": "rangerVersion", + "type": "string", + "description": "The version of the ranger." + }, + { + "name": "accountName", + "type": "string", + "description": "The account name." + }, + { + "name": "scanStatus", + "type": "string", + "description": "The scan status of the object." + }, + { + "name": "domain", + "type": "string", + "description": "The domain of the object." + }, + { + "name": "missingPermissions", + "type": "string", + "description": "Details of the missing permissions." + }, + { + "name": "isActive", + "type": "boolean", + "description": "Indicates whether the object is active." + }, + { + "name": "groupIp", + "type": "string", + "description": "The IP address of the group." + }, + { + "name": "threatRebootRequired", + "type": "boolean", + "description": "Indicates whether a reboot is required due to a threat." + }, + { + "name": "groupUpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the group was last updated." 
+ }, + { + "name": "externalId", + "type": "string", + "description": "The external identifier associated with the object." + }, + { + "name": "machineType", + "type": "string", + "description": "The type of machine." + }, + { + "name": "registeredAt", + "type": "string", + "description": "The timestamp (UTC) when the object was registered." + }, + { + "name": "appsVulnerabilityStatus", + "type": "string", + "description": "The vulnerability status of the applications." + }, + { + "name": "coreCount", + "type": "real", + "description": "The number of CPU cores." + }, + { + "name": "locations", + "type": "string", + "description": "The locations associated with the object." + }, + { + "name": "scanFinishedAt", + "type": "string", + "description": "The timestamp (UTC) when the scan was finished." + }, + { + "name": "updatedAt", + "type": "string", + "description": "The timestamp (UTC) when the object was last updated." + }, + { + "name": "externalIp", + "type": "string", + "description": "The external IP address of the object." + }, + { + "name": "locationType", + "type": "string", + "description": "The type of location." + }, + { + "name": "policyUpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the policy was last updated." + }, + { + "name": "isDecommissioned", + "type": "boolean", + "description": "Indicates whether the object is decommissioned." + }, + { + "name": "cpuId", + "type": "string", + "description": "The identifier of the CPU." + }, + { + "name": "networkInterfaces", + "type": "string", + "description": "Details of the network interfaces." + }, + { + "name": "isUninstalled", + "type": "boolean", + "description": "Indicates whether the object is uninstalled." + }, + { + "name": "activeDirectory", + "type": "string", + "description": "Details about the active directory." + }, + { + "name": "scanStartedAt", + "type": "string", + "description": "The timestamp (UTC) when the scan was started." 
+ }, + { + "name": "rangerStatus", + "type": "string", + "description": "The status of the ranger." + }, + { + "name": "siteId", + "type": "string", + "description": "The unique identifier for the site." + }, + { + "name": "agentVersion", + "type": "string", + "description": "The version of the agent." + }, + { + "name": "osUsername", + "type": "string", + "description": "The username associated with the operating system." + }, + { + "name": "encryptedApplications", + "type": "boolean", + "description": "Indicates whether the applications are encrypted." + }, + { + "name": "lastIpToMgmt", + "type": "string", + "description": "The last IP address used for management." + }, + { + "name": "cpuCount", + "type": "real", + "description": "The number of CPUs." + }, + { + "name": "scanAbortedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the scan was aborted." + }, + { + "name": "siteName", + "type": "string", + "description": "The name of the site." + }, + { + "name": "activeThreats", + "type": "real", + "description": "The number of active threats." + }, + { + "name": "infected", + "type": "boolean", + "description": "Indicates whether the object is infected." + }, + { + "name": "consoleMigrationStatus", + "type": "string", + "description": "The status of the console migration." + }, + { + "name": "osType", + "type": "string", + "description": "The type of operating system." + }, + { + "name": "accountId", + "type": "string", + "description": "The unique identifier for the account." + }, + { + "name": "groupName", + "type": "string", + "description": "The name of the group." + }, + { + "name": "osName", + "type": "string", + "description": "The name of the operating system." + }, + { + "name": "isUpToDate", + "type": "boolean", + "description": "Indicates whether the object is up to date." + }, + { + "name": "licenseKey", + "type": "string", + "description": "The license key associated with the object." 
+ }, + { + "name": "userActionsNeeded", + "type": "string", + "description": "Details of the user actions needed." + }, + { + "name": "modelName", + "type": "string", + "description": "The model name of the object." + }, + { + "name": "networkQuarantineEnabled", + "type": "boolean", + "description": "Is Network Quarantine Enabled on the device" + }, + { + "name": "operationalStateExpiration", + "type": "string", + "description": "Agent operational state." + }, + { + "name": "remoteProfilingState", + "type": "string", + "description": "Agent remote profiling state." + }, + { + "name": "osStartTime", + "type":"string", + "description": "The Start time of the os." + } + ] + }, + "Custom-SentinelOneAlerts_API": { + "columns": [ + { + "name": "sourceProcessInfo", + "type": "string", + "description": "Information about the source process." + }, + { + "name": "alertInfo", + "type": "string", + "description": "Details about the alert." + }, + { + "name": "agentDetectionInfo", + "type": "string", + "description": "Detection information related to the agent." + }, + { + "name": "ruleInfo", + "type": "string", + "description": "Information regarding the applied rule." + }, + { + "name": "containerInfo", + "type": "string", + "description": "Information about the container." + }, + { + "name": "sourceParentProcessInfo", + "type": "string", + "description": "Information about the parent process of the source." + }, + { + "name": "targetProcessInfo", + "type": "string", + "description": "Details regarding the target process." + }, + { + "name": "kubernetesInfo", + "type": "string", + "description": "Kubernetes-related information." + } + ] + }, + "Custom-SentinelOneGroups_API": { + "columns": [ + { + "name": "creator", + "type": "string", + "description": "The name of the creator." + }, + { + "name": "registrationToken", + "type": "string", + "description": "The token used for registration." 
+ }, + { + "name": "isDefault", + "type": "boolean", + "description": "Indicates whether this is the default setting." + }, + { + "name": "updatedAt", + "type": "string", + "description": "The timestamp (UTC) when the object was last updated." + }, + { + "name": "totalAgents", + "type": "real", + "description": "The total number of agents." + }, + { + "name": "inherits", + "type": "boolean", + "description": "Indicates whether the object inherits properties." + }, + { + "name": "name", + "type": "string", + "description": "The name of the object." + }, + { + "name": "rank", + "type": "real", + "description": "The rank of the object." + }, + { + "name": "filterName", + "type": "string", + "description": "The name of the filter applied." + }, + { + "name": "type", + "type": "string", + "description": "The type of the object." + }, + { + "name": "id", + "type": "string", + "description": "The unique identifier for the object." + }, + { + "name": "createdAt", + "type": "datetime", + "description": "The timestamp (UTC) when the object was created." + }, + { + "name": "creatorId", + "type": "string", + "description": "The unique identifier of the creator." + }, + { + "name": "siteId", + "type": "string", + "description": "The unique identifier of the site." + }, + { + "name": "filterId", + "type": "string", + "description": "The unique identifier of the filter." + } + ] + }, + "Custom-SentinelOneThreats_API": { + "columns": [ + { + "name": "threatInfo", + "type": "string", + "description": "The information regarding the threat." + }, + { + "name": "agentDetectionInfo", + "type": "string", + "description": "The information of the agent on detectino." + }, + { + "name": "agentRealtimeInfo", + "type": "string", + "description": "The information of the agent in real time." + }, + { + "name": "indicators", + "type": "string", + "description": "Details of the indicators." 
+ }, + { + "name": "whiteningOptions", + "type": "string", + "description": "Details of the whitening options." + }, + { + "name": "id", + "type": "string", + "description": "Event Id." + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "not important. changed by the script", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-SentinelOneActivities_API" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source | project TimeGenerated = createdAt, AgentUpdatedVersion = agentUpdatedVersion, UserId = userId, ThreatId = threatId, PrimaryDescription = primaryDescription, SecondaryDescription = secondaryDescription, Id = id, GroupId = groupId, CreatedAt = createdAt, AccountName = accountName, Data = data, AgentId = agentId, Hash = hash, UpdatedAt = todatetime(updatedAt), Description = description, ActivityUuid = activityUuid, SiteId = siteId, ActivityType = activityType, SiteName = siteName, AccountId = accountId, OsFamily = osFamily, GroupName = groupName, Comments = comments", + "outputStream": "Custom-SentinelOneActivities_CL" + }, + { + "streams": [ + "Custom-SentinelOneAgents_API" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source | project TimeGenerated = createdAt, Uuid = uuid, MitigationMode = mitigationMode, NetworkStatus = networkStatus, InstallerType = installerType, MitigationModeSuspicious = mitigationModeSuspicious, IsPendingUninstall = isPendingUninstall, InRemoteShellSession = inRemoteShellSession, LastLoggedInUserName = lastLoggedInUserName, OsRevision = osRevision, OsArch = osArch, Id = id, ComputerName = computerName, TotalMemory = totalMemory, CreatedAt = createdAt, GroupId = groupId, LastActiveDate = todatetime(lastActiveDate), FullDiskScanLastUpdatedAt = fullDiskScanLastUpdatedAt, AllowRemoteShell = allowRemoteShell, RangerVersion = rangerVersion, AccountName = accountName, ScanStatus = scanStatus, Domain = domain, MissingPermissions = missingPermissions, 
IsActive = isActive, GroupIp = groupIp, ThreatRebootRequired = threatRebootRequired, GroupUpdatedAt = groupUpdatedAt, ExternalId = externalId, MachineType = machineType, RegisteredAt = todatetime(registeredAt), AppsVulnerabilityStatus = appsVulnerabilityStatus, CoreCount = coreCount, Locations = locations, ScanFinishedAt = todatetime(scanFinishedAt), UpdatedAt = todatetime(updatedAt), ExternalIp = externalIp, LocationType = locationType, PolicyUpdatedAt = policyUpdatedAt, IsDecommissioned = isDecommissioned, CpuId = cpuId, NetworkInterfaces = networkInterfaces, IsUninstalled = isUninstalled, ActiveDirectory = activeDirectory, ScanStartedAt = todatetime(scanStartedAt), RangerStatus = rangerStatus, SiteId = siteId, AgentVersion = agentVersion, OsUsername = osUsername, EncryptedApplications = encryptedApplications, LastIpToMgmt = lastIpToMgmt, CpuCount = cpuCount, ScanAbortedAt = scanAbortedAt, SiteName = siteName, ActiveThreats = activeThreats, Infected = infected, ConsoleMigrationStatus = consoleMigrationStatus, OsType = osType, AccountId = accountId, GroupName = groupName, OsName = osName, IsUpToDate = isUpToDate, LicenseKey = licenseKey, UserActionsNeeded = userActionsNeeded, ModelName = modelName, OsStartTime = todatetime(osStartTime), NetworkQuarantineEnabled=networkQuarantineEnabled,OperationalStateExpiration=operationalStateExpiration,RemoteProfilingState=remoteProfilingState", + "outputStream": "Custom-SentinelOneAgents_CL" + }, + { + "streams": [ + "Custom-SentinelOneAlerts_API" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source | project TimeGenerated = todatetime(parse_json(todynamic(alertInfo)).createdAt), SourceProcessInfo = sourceProcessInfo, AlertInfo = alertInfo, AgentDetectionInfo = agentDetectionInfo, RuleInfo = ruleInfo, ContainerInfo = containerInfo, SourceParentProcessInfo = sourceParentProcessInfo, TargetProcessInfo = targetProcessInfo, KubernetesInfo = kubernetesInfo", + "outputStream": "Custom-SentinelOneAlerts_CL" + }, + { + 
"streams": [ + "Custom-SentinelOneGroups_API" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source | project TimeGenerated = createdAt, Creator = creator, RegistrationToken = registrationToken, IsDefault = tostring(isDefault), UpdatedAt = todatetime(updatedAt), TotalAgents = tostring(totalAgents), Inherits = tostring(inherits), Name = name, Rank = rank, FilterName = filterName, GroupType = type, Id = id, CreatedAt = createdAt, CreatorId = creatorId, SiteId = siteId, FilterId = filterId", + "outputStream": "Custom-SentinelOneGroups_CL" + }, + { + "streams": [ + "Custom-SentinelOneThreats_API" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source | extend ThreatInfo = parse_json(todynamic(threatInfo)), AgentDetectionInfo=parse_json(todynamic(agentDetectionInfo)), AgentRealtimeInfo=parse_json(todynamic(agentRealtimeInfo)) | project TimeGenerated = todatetime(ThreatInfo.createdAt), FilePath = tostring(ThreatInfo.filePath), CloudVerdict = tostring(ThreatInfo.cloudVerdict), MitigationMode = tostring(AgentDetectionInfo.mitigationMode), AgentOsType = tostring(AgentRealtimeInfo.agentOsType), AgentInfected = tobool(AgentRealtimeInfo.agentInfected), InitiatingUserId = tostring(ThreatInfo.initiatingUserId), Engines = tostring(ThreatInfo.engines), Id = id, FileExtensionType = tostring(ThreatInfo.fileExtensionType), MitigationStatus = tostring(ThreatInfo.mitigationStatus), AgentDomain = tostring(AgentDetectionInfo.agentDomain), CreatedAt = todatetime(ThreatInfo.createdAt), IsCertValid = tobool(ThreatInfo.isValidCertificate), FileDisplayName = tostring(ThreatInfo.filePath), AgentIp = tostring(AgentDetectionInfo.agentIpV4), AccountName = tostring(AgentRealtimeInfo.accountName), AgentMachineType = tostring(AgentRealtimeInfo.agentMachineType), FileVerificationType = tostring(ThreatInfo.fileVerificationType), Indicators = indicators, InitiatedByDescription = tostring(ThreatInfo.initiatedByDescription), AutomaticallyResolved = 
tobool(ThreatInfo.automaticallyResolved), AgentId = tostring(AgentRealtimeInfo.agentId), ProcessArguments = tostring(ThreatInfo.maliciousProcessArguments), MitigationReport = tostring(AgentDetectionInfo.mitigationReport), ThreatName = tostring(ThreatInfo.threatName), ClassificationSource = tostring(ThreatInfo.classificationSource), UpdatedAt = todatetime(ThreatInfo.updatedAt), InitiatedBy = tostring(ThreatInfo.initiatedBy), AgentNetworkStatus = tostring(AgentRealtimeInfo.agentNetworkStatus), AgentComputerName = tostring(AgentRealtimeInfo.agentComputerName), Classification = tostring(ThreatInfo.classification), CertId = tostring(ThreatInfo.certificateId), AgentIsActive = tobool(AgentRealtimeInfo.agentIsActive), SiteId = tostring(AgentDetectionInfo.siteId), AgentVersion = tostring(AgentDetectionInfo.agentVersion), FileContentHash = tostring(ThreatInfo.md5), WhiteningOptions = whiteningOptions,FileSha256 = tostring(ThreatInfo.sha256), Username = tostring(ThreatInfo.initiatingUsername), AgentIsDecommissioned = tobool(AgentDetectionInfo.agentIsDecommissioned), CollectionId = tostring(ThreatInfo.collectionId), SiteName = tostring(AgentDetectionInfo.siteName), AccountId = tostring(AgentDetectionInfo.accountId), ThreatInfo, AgentDetectionInfo, AgentRealtimeInfo", + "outputStream": "Custom-SentinelOneThreats_CL" + + } + ], + "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]" + + } +} \ No newline at end of file diff --git a/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/PollerConfig.json b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/PollerConfig.json new file mode 100644 index 00000000000..2db5e1d412f --- /dev/null +++ b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/PollerConfig.json 
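Review bot: Two of the data flows copy enrollment/licensing secrets into the workspace tables: `RegistrationToken = registrationToken` in the Custom-SentinelOneGroups_API transform and `LicenseKey = licenseKey` in the Custom-SentinelOneAgents_API transform land the group registration token (used to enrol agents) and the license key in SentinelOneGroups_CL / SentinelOneAgents_CL, where anyone with Log Analytics reader access can query them. Neither value is needed for detection, so drop both assignments from the `project` lists (or add `| project-away RegistrationToken` / `| project-away LicenseKey`) so the custom tables never hold that material. Separately, the Agents and Groups flows set `TimeGenerated = createdAt`, yet those streams are also fed by pollers filtering on `updatedAt`, so an update to a long-existing agent or group is stamped with its original creation time and will fall outside time-scoped hunting queries and the connector's own `TimeGenerated > ago(12h)` health check; `TimeGenerated = coalesce(todatetime(updatedAt), createdAt)` would be the safer choice for those two flows. The `"not important. changed by the script"` workspaceResourceId placeholder is presumably rewritten at packaging time — worth confirming it can never ship as-is.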
@@ -0,0 +1,338 @@ +[{ + "name": "SentinelOnePoller_activities_created_events", + "apiVersion": "2022-10-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneActivities_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName" : "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'activities')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "createdAt__gt" : "{_QueryWindowStartTime}", + "createdAt__lt" : "{_QueryWindowEndTime}" + }, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "paging": { + "pagingType": "NextPageToken", + "PageSize": "1000", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + "NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": ["$.data"] + } + } +}, +{ + "name": "SentinelOnePoller_agents_created_events", + "apiVersion": "2022-10-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneAgents_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": 
"[[parameters('apitoken')]", + "ApiKeyName" : "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'agents')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "createdAt__gt" : "{_QueryWindowStartTime}", + "createdAt__lt" : "{_QueryWindowEndTime}" + }, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "paging": { + "pagingType": "NextPageToken", + "PageSize": "1000", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + "NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": ["$.data"] + } + } +} +, +{ + "name": "SentinelOnePoller_agents_updated_events", + "apiVersion": "2022-10-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneAgents_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName" : "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'agents')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "updatedAt__gt" : "{_QueryWindowStartTime}", + "updatedAt__lt" : "{_QueryWindowEndTime}" + }, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "paging": { + "pagingType": 
"NextPageToken", + "PageSize": "200", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + "NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": ["$.data"] + } + } +}, +{ + "name": "SentinelOnePoller_alerts_created_events", + "apiVersion": "2022-10-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneAlerts_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName" : "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'cloud-detection/alerts')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "createdAt__gt" : "{_QueryWindowStartTime}", + "createdAt__lt" : "{_QueryWindowEndTime}" + }, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "paging": { + "pagingType": "NextPageToken", + "PageSize": "1000", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + "NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": ["$.data"] + } + } +}, +{ + "name": "SentinelOnePoller_groups_updated_events", + "apiVersion": "2022-10-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneGroups_API", + "dataCollectionEndpoint": 
"[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName" : "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'groups')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "updatedAt__gt" : "{_QueryWindowStartTime}", + "updatedAt__lt" : "{_QueryWindowEndTime}" + }, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "paging": { + "pagingType": "NextPageToken", + "PageSize": "200", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + "NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": ["$.data"] + } + } +}, +{ + "name": "SentinelOnePoller_threats_created_events", + "apiVersion": "2022-10-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneThreats_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName" : "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'threats')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "createdAt__gt" : 
"{_QueryWindowStartTime}", + "createdAt__lt" : "{_QueryWindowEndTime}" + }, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "paging": { + "pagingType": "NextPageToken", + "PageSize": "1000", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + "NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": ["$.data"] + } + } +}, +{ + "name": "SentinelOnePoller_threats_updated_events", + "apiVersion": "2022-10-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneThreats_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName" : "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'threats')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "updatedAt__gt" : "{_QueryWindowStartTime}", + "updatedAt__lt" : "{_QueryWindowEndTime}" + }, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "paging": { + "pagingType": "NextPageToken", + "PageSize": "200", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + "NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": ["$.data"] + } + } +} +] \ No newline at end of file 
diff --git a/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/connectorDefinition.json b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/connectorDefinition.json
new file mode 100644
index 00000000000..8ca9122791c
--- /dev/null
+++ b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/connectorDefinition.json
@@ -0,0 +1,164 @@ +{ + "name": "SentinelOne", + "apiVersion": "2024-01-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectorDefinitions", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "SentinelOne", + "title": "SentinelOne", + "publisher": "Microsoft", + "descriptionMarkdown": "The [SentinelOne](https://usea1-nessat.sentinelone.net/api-doc/overview) data connector allows ingesting logs from the SentinelOne API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform. It uses the SentinelOne API to fetch logs and it supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance.", + "graphQueries": [ + { + "metricName": "Total activities logs received", + "legend": "SentinelOne Activities Logs", + "baseQuery": "SentinelOneActivities_CL" + }, + { + "metricName": "Total agents logs received", + "legend": "SentinelOne Agents Logs", + "baseQuery": "SentinelOneAgents_CL" + }, + { + "metricName": "Total groups logs received", + "legend": "SentinelOne Groups Logs", + "baseQuery": "SentinelOneGroups_CL" + }, + { + "metricName": "Total threats logs received", + "legend": "SentinelOne Threats Logs", + "baseQuery": "SentinelOneThreats_CL" + }, + { + "metricName": "Total alerts logs received", + "legend": "SentinelOne Alerts Logs", + "baseQuery": "SentinelOneAlerts_CL" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of SentinelOne activities logs", + "query": "SentinelOneActivities_CL| take 10" + }, + { + "description": "Get Sample of SentinelOne groups logs", + "query": "SentinelOneGroups_CL| take 10" + }, + { + "description": "Get Sample of SentinelOne threats logs", + "query": "SentinelOneThreats_CL| take 10" + }, + { + "description": "Get Sample of SentinelOne agents 
logs", + "query": "SentinelOneAgents_CL| take 10" + }, + { + "description": "Get Sample of SentinelOne alerts logs", + "query": "SentinelOneAlerts_CL| take 10" + } + ], + "dataTypes": [ + { + "name": "SentinelOneActivities_CL", + "lastDataReceivedQuery": "SentinelOneActivities_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "SentinelOneAgents_CL", + "lastDataReceivedQuery": "SentinelOneAgents_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "SentinelOneGroups_CL", + "lastDataReceivedQuery": "SentinelOneGroups_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "SentinelOneThreats_CL", + "lastDataReceivedQuery": "SentinelOneThreats_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "SentinelOneAlerts_CL", + "lastDataReceivedQuery": "SentinelOneAlerts_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors", + "value": null + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "tenant": null, + "licenses": null, + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true, + "action": false + } + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### Configuration steps for the SentinelOne API \n Follow the instructions to obtain the credentials. 
You can also follow the [guide](https://usea1-nessat.sentinelone.net/docs/en/how-to-automate-api-token-generation.html#how-to-automate-api-token-generation) to generate API key." + } + }, + { + "type": "Markdown", + "parameters": { + "content": "#### 1. Retrieve SentinelOne Management URL\n 1.1. Log in to the SentinelOne [**Management Console**] with Admin user credentials\n 1.2. In the [**Management Console**] copy the URL link above without the URL path." + } + }, + { + "type": "Markdown", + "parameters": { + "content": "#### 2. Retrieve API Token\n 2.1. Log in to the SentinelOne [**Management Console**] with Admin user credentials\n 2.2. In the [**Management Console**], click [**Settings**]\n 2.3. In [**Settings**] view click on [**USERS**].\n 2.4. In the [**USERS**] Page click on [**Service Users**] -> [**Actions**] -> [**Create new service user**].\n 2.5. Choose [**Expiration date**] and [**scope**] (by site) and click on [**Create User**].\n 2.6. Once the [**Service User**] is created copy the [**API Token**] from page and press [**Save**]" + } + }, + { + "parameters": { + "label": "SentinelOne Management URL", + "placeholder": "https://example.sentinelone.net/", + "type": "text", + "name": "managementUrl" + }, + "type": "Textbox" + }, + { + "parameters": { + "label": "API Token", + "placeholder": "API Token", + "type": "password", + "name": "apitoken" + }, + "type": "Textbox" + }, + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ], + "innerSteps": null + } + ], + "isConnectivityCriteriasMatchSome": false + } + } +} \ No newline at end of file diff --git a/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/solutionMetadata.json b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/solutionMetadata.json new file mode 100644 index 00000000000..18b9f7abd07 --- /dev/null +++ b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/solutionMetadata.json 
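Review bot: The documentation links in `descriptionMarkdown` and in the first instruction step point at `https://usea1-nessat.sentinelone.net/...`, which looks like one specific tenant's management-console hostname rather than SentinelOne's public documentation; users of other tenants will land on a login page or a 404, and a customer hostname should not ship in a public connector definition at all. Replace both with a tenant-neutral documentation URL (`<SENTINELONE_PUBLIC_DOCS_URL>` as a placeholder until confirmed). Separately, the `managementUrl` placeholder `https://example.sentinelone.net/` ends with a slash while the pollers build their endpoint with `concat(parameters('managementUrl'), '/web/api/', ...)`, so a user who mirrors the placeholder gets `//web/api/` in the request URL; drop the trailing slash from the placeholder or state in step 1.2 that the URL must not end with one. Finally, `permissionsDisplayText` says "Read and Write permissions are required" but `requiredPermissions` also sets `"delete": true`; align the text with the flags or set `"delete": false`.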
@@ -0,0 +1,28 @@
+{
+ "SolutionName":"SentinelOne",
+ "SolutionAuthor": "Microsoft",
+ "SolutionVersion":"1.0.1",
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-sentinelone",
+ "PackageId": "azuresentinel.azure-sentinel-SentinelOne",
+ "TemplateName": "SentinelOneTemplatev2",
+ "ConnectorDefinitionTemplateVersion": "1.0.1",
+ "DataConnectorsTemplateVersion": "1.0.1",
+ "firstPublishDate": "2024-09-08",
+ "packageIcon": "sentinel_one_edr_logo",
+ "SolutionTier": "Microsoft",
+ "providers": [
+ "SentinelOne"
+ ],
+ "categories": {
+ "domains": ["Security - Threat Protection"],
+ "verticals": []
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+
+}
\ No newline at end of file
diff --git a/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Activities.json b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Activities.json
new file mode 100644
index 00000000000..4fe20ed9487
--- /dev/null
+++ b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Activities.json
@@ -0,0 +1,130 @@ + +{ + "name": "SentinelOneActivities_CL", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2021-03-01-privatepreview", + "tags": {}, + "properties": { + "schema": { + "name": "SentinelOneActivities_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "AgentUpdatedVersion", + "type": "string", + "description": "The version of the agent that was updated." + }, + { + "name": "UserId", + "type": "string", + "description": "The unique identifier for the user." + }, + { + "name": "ThreatId", + "type": "string", + "description": "The unique identifier for the threat." + }, + { + "name": "PrimaryDescription", + "type": "string", + "description": "The primary description of the event." + }, + { + "name": "SecondaryDescription", + "type": "string", + "description": "The secondary description of the event." + }, + { + "name": "Id", + "type": "string", + "description": "The unique identifier for the record." + }, + { + "name": "GroupId", + "type": "string", + "description": "The unique identifier for the group." + }, + { + "name": "CreatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the record was created." + }, + { + "name": "AccountName", + "type": "string", + "description": "The name of the account associated with the event." + }, + { + "name": "Data", + "type": "string", + "description": "Activity metadata." + }, + { + "name": "AgentId", + "type": "string", + "description": "The unique identifier for the agent." + }, + { + "name": "Hash", + "type": "string", + "description": "The hash associated with the event." + }, + { + "name": "UpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the record was last updated." + }, + { + "name": "Description", + "type": "string", + "description": "The description of the event." 
+ }, + { + "name": "ActivityUuid", + "type": "string", + "description": "The UUID of the activity associated with the event." + }, + { + "name": "SiteId", + "type": "string", + "description": "The unique identifier for the site." + }, + { + "name": "ActivityType", + "type": "real", + "description": "The type of activity represented by an integer." + }, + { + "name": "SiteName", + "type": "string", + "description": "The name of the site associated with the event." + }, + { + "name": "AccountId", + "type": "string", + "description": "The unique identifier for the account." + }, + { + "name": "OsFamily", + "type": "string", + "description": "The operating system family, such as macOS." + }, + { + "name": "GroupName", + "type": "string", + "description": "The name of the group associated with the event." + }, + { + "name": "Comments", + "type": "string", + "description": "Any comments associated with the event." + } + ] + } + } + } \ No newline at end of file diff --git a/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Agents.json b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Agents.json new file mode 100644 index 00000000000..7a87a830e73 --- /dev/null +++ b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Agents.json 
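Review bot: `ActivityType` is declared `"type": "real"` although its own description says the value is an integer; a Log Analytics `int` (or `long`) column keeps the code exact and makes equality filters on the activity type unambiguous. `Data` is described as "Activity metadata" but stored as `string`, whereas the Threats table added in this same change uses `dynamic` for structured payloads (`ThreatInfo`, `AgentDetectionInfo`), so queries against this table must `parse_json()` it first; consider `"type": "dynamic"` for consistency. `Hash`'s description, "The hash associated with the event", does not say which object the hash belongs to or which algorithm it is, so a reader cannot tell whether it can be joined with the `FileSha256`/`FileContentHash` columns of the Threats table — state that if it is known.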
@@ -0,0 +1,360 @@ + +{ + "name": "SentinelOneAgents_CL", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2021-03-01-privatepreview", + "tags": {}, + "properties": { + "schema": { + "name": "SentinelOneAgents_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "Uuid", + "type": "string", + "description": "The unique identifier for the object." + }, + { + "name": "MitigationMode", + "type": "string", + "description": "The mitigation mode applied." + }, + { + "name": "NetworkStatus", + "type": "string", + "description": "The network status of the object." + }, + { + "name": "InstallerType", + "type": "string", + "description": "The type of installer used." + }, + { + "name": "MitigationModeSuspicious", + "type": "string", + "description": "The suspicious mitigation mode applied." + }, + { + "name": "IsPendingUninstall", + "type": "boolean", + "description": "Indicates whether the object is pending uninstallation." + }, + { + "name": "InRemoteShellSession", + "type": "boolean", + "description": "Indicates whether the object is in a remote shell session." + }, + { + "name": "LastLoggedInUserName", + "type": "string", + "description": "The username of the last logged-in user." + }, + { + "name": "OsRevision", + "type": "string", + "description": "The OS revision." + }, + { + "name": "OsArch", + "type": "string", + "description": "The OS architecture." + }, + { + "name": "Id", + "type": "string", + "description": "The unique identifier for the object." + }, + { + "name": "ComputerName", + "type": "string", + "description": "The name of the computer." + }, + { + "name": "TotalMemory", + "type": "real", + "description": "The total memory available in MB." + }, + { + "name": "CreatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the object was created." 
+ }, + { + "name": "GroupId", + "type": "string", + "description": "The unique identifier for the group." + }, + { + "name": "LastActiveDate", + "type": "datetime", + "description": "The timestamp (UTC) when the object was last active." + }, + { + "name": "FullDiskScanLastUpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the full disk scan was last updated." + }, + { + "name": "AllowRemoteShell", + "type": "boolean", + "description": "Indicates whether remote shell is allowed." + }, + { + "name": "RangerVersion", + "type": "string", + "description": "The version of the ranger." + }, + { + "name": "AccountName", + "type": "string", + "description": "The account name." + }, + { + "name": "ScanStatus", + "type": "string", + "description": "The scan status of the object." + }, + { + "name": "Domain", + "type": "string", + "description": "The domain of the object." + }, + { + "name": "MissingPermissions", + "type": "string", + "description": "Details of the missing permissions." + }, + { + "name": "IsActive", + "type": "boolean", + "description": "Indicates whether the object is active." + }, + { + "name": "GroupIp", + "type": "string", + "description": "The IP address of the group." + }, + { + "name": "ThreatRebootRequired", + "type": "boolean", + "description": "Indicates whether a reboot is required due to a threat." + }, + { + "name": "GroupUpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the group was last updated." + }, + { + "name": "ExternalId", + "type": "string", + "description": "The external identifier associated with the object." + }, + { + "name": "MachineType", + "type": "string", + "description": "The type of machine." + }, + { + "name": "RegisteredAt", + "type": "datetime", + "description": "The timestamp (UTC) when the object was registered." + }, + { + "name": "AppsVulnerabilityStatus", + "type": "string", + "description": "The vulnerability status of the applications." 
+ }, + { + "name": "CoreCount", + "type": "real", + "description": "The number of CPU cores." + }, + { + "name": "Locations", + "type": "string", + "description": "The locations associated with the object." + }, + { + "name": "ScanFinishedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the scan was finished." + }, + { + "name": "UpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the object was last updated." + }, + { + "name": "ExternalIp", + "type": "string", + "description": "The external IP address of the object." + }, + { + "name": "LocationType", + "type": "string", + "description": "The type of location." + }, + { + "name": "PolicyUpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the policy was last updated." + }, + { + "name": "IsDecommissioned", + "type": "boolean", + "description": "Indicates whether the object is decommissioned." + }, + { + "name": "CpuId", + "type": "string", + "description": "The identifier of the CPU." + }, + { + "name": "NetworkInterfaces", + "type": "string", + "description": "Details of the network interfaces." + }, + { + "name": "IsUninstalled", + "type": "boolean", + "description": "Indicates whether the object is uninstalled." + }, + { + "name": "ActiveDirectory", + "type": "string", + "description": "Details about the active directory." + }, + { + "name": "ScanStartedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the scan was started." + }, + { + "name": "RangerStatus", + "type": "string", + "description": "The status of the ranger." + }, + { + "name": "SiteId", + "type": "string", + "description": "The unique identifier for the site." + }, + { + "name": "AgentVersion", + "type": "string", + "description": "The version of the agent." + }, + { + "name": "OsUsername", + "type": "string", + "description": "The username associated with the operating system." 
+ }, + { + "name": "EncryptedApplications", + "type": "boolean", + "description": "Indicates whether the applications are encrypted." + }, + { + "name": "LastIpToMgmt", + "type": "string", + "description": "The last IP address used for management." + }, + { + "name": "CpuCount", + "type": "real", + "description": "The number of CPUs." + }, + { + "name": "ScanAbortedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the scan was aborted." + }, + { + "name": "SiteName", + "type": "string", + "description": "The name of the site." + }, + { + "name": "ActiveThreats", + "type": "real", + "description": "The number of active threats." + }, + { + "name": "Infected", + "type": "boolean", + "description": "Indicates whether the object is infected." + }, + { + "name": "ConsoleMigrationStatus", + "type": "string", + "description": "The status of the console migration." + }, + { + "name": "OsType", + "type": "string", + "description": "The type of operating system." + }, + { + "name": "AccountId", + "type": "string", + "description": "The unique identifier for the account." + }, + { + "name": "GroupName", + "type": "string", + "description": "The name of the group." + }, + { + "name": "OsName", + "type": "string", + "description": "The name of the operating system." + }, + { + "name": "IsUpToDate", + "type": "boolean", + "description": "Indicates whether the object is up to date." + }, + { + "name": "LicenseKey", + "type": "string", + "description": "The license key associated with the object." + }, + { + "name": "UserActionsNeeded", + "type": "string", + "description": "Details of the user actions needed." + }, + { + "name": "ModelName", + "type": "string", + "description": "The model name of the object." + }, + { + "name": "OsStartTime", + "type": "datetime", + "description": "The timestamp (UTC) when the operating system started." 
+ }, + { + "name": "NetworkQuarantineEnabled", + "type": "boolean", + "description": "Is Network Quarantine Enabled on the device." + }, + { + "name": "OperationalStateExpiration", + "type": "string", + "description": "Agent operational state." + }, + { + "name": "RemoteProfilingState", + "type": "string", + "description": "Agent remote profiling state." + } + ] + } + } + } \ No newline at end of file diff --git a/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Alerts.json b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Alerts.json new file mode 100644 index 00000000000..446a8e45813 --- /dev/null +++ b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Alerts.json 
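Review bot: `LicenseKey` ingests the agent's license key as a plain `string` column; if this is the key used to activate agents, ingesting it makes a licensing secret readable by every principal with read access to the workspace and surfaces it in the connector's own `take 10` sample query, so unless it is needed for a detection it should be dropped in the DCR transform or left out of the table. Counts such as `TotalMemory`, `CoreCount`, `CpuCount` and `ActiveThreats` are typed `real` although they are integral; `int`/`long` would be the accurate type. Structured fields (`NetworkInterfaces`, `ActiveDirectory`, `Locations`, `MissingPermissions`, `UserActionsNeeded`) are stored as `string`, whereas the Threats table in this change uses `dynamic` for the same kind of nested payload, so queries here need `parse_json()` before they can filter on a field. `OperationalStateExpiration` is described as "Agent operational state", which does not match its name; if it is the expiry time of that state it should probably be `datetime` with a description saying so — worth confirming against the API response.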
@@ -0,0 +1,60 @@
+
+{
+ "name": "SentinelOneAlerts_CL",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2021-03-01-privatepreview",
+ "tags": {},
+ "properties": {
+ "schema": {
+ "name": "SentinelOneAlerts_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "SourceProcessInfo",
+ "type": "string",
+ "description": "Information about the source process."
+ },
+ {
+ "name": "AlertInfo",
+ "type": "string",
+ "description": "Details about the alert."
+ },
+ {
+ "name": "AgentDetectionInfo",
+ "type": "string",
+ "description": "Detection information related to the agent."
+ },
+ {
+ "name": "RuleInfo",
+ "type": "string",
+ "description": "Information regarding the applied rule."
+ },
+ {
+ "name": "ContainerInfo",
+ "type": "string",
+ "description": "Information about the container."
+ },
+ {
+ "name": "SourceParentProcessInfo",
+ "type": "string",
+ "description": "Information about the parent process of the source."
+ },
+ {
+ "name": "TargetProcessInfo",
+ "type": "string",
+ "description": "Details regarding the target process."
+ },
+ {
+ "name": "KubernetesInfo",
+ "type": "string",
+ "description": "Kubernetes-related information."
+ }
+ ]
+ }
+ }
+ }
\ No newline at end of file
diff --git a/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Groups.json b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Groups.json
new file mode 100644
index 00000000000..cb3ce6dbc39
--- /dev/null
+++ b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Groups.json
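Review bot: `AgentDetectionInfo` is typed `string` here but `dynamic` in the Threats table added in the same change, and every other `*Info` column in this table (`SourceProcessInfo`, `AlertInfo`, `RuleInfo`, `ContainerInfo`, `SourceParentProcessInfo`, `TargetProcessInfo`, `KubernetesInfo`) is likewise a string holding a nested object, so each query must call `parse_json()` before it can filter on a field and the same-named column has two types across tables. Consider `"type": "dynamic"` for these columns so the schema matches Threats and the objects are queryable directly. The table also carries no top-level alert identifier or creation-time column, so de-duplicating alerts across overlapping polling windows depends on whatever is nested inside `AlertInfo` — worth confirming that is intended.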
@@ -0,0 +1,95 @@ + +{ + "name": "SentinelOneGroups_CL", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2021-03-01-privatepreview", + "tags": {}, + "properties": { + "schema": { + "name": "SentinelOneGroups_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "Creator", + "type": "string", + "description": "The name of the creator." + }, + { + "name": "RegistrationToken", + "type": "string", + "description": "The token used for registration." + }, + { + "name": "IsDefault", + "type": "string", + "description": "Indicates whether this is the default setting." + }, + { + "name": "UpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the object was last updated." + }, + { + "name": "TotalAgents", + "type": "string", + "description": "The total number of agents." + }, + { + "name": "Inherits", + "type": "string", + "description": "Indicates whether the object inherits properties." + }, + { + "name": "Name", + "type": "string", + "description": "The name of the object." + }, + { + "name": "Rank", + "type": "real", + "description": "The rank of the object." + }, + { + "name": "FilterName", + "type": "string", + "description": "The name of the filter applied." + }, + { + "name": "GroupType", + "type": "string", + "description": "The type of the object." + }, + { + "name": "Id", + "type": "string", + "description": "The unique identifier for the object." + }, + { + "name": "CreatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the object was created." + }, + { + "name": "CreatorId", + "type": "string", + "description": "The unique identifier of the creator." + }, + { + "name": "SiteId", + "type": "string", + "description": "The unique identifier of the site." 
+ }, + { + "name": "FilterId", + "type": "string", + "description": "The unique identifier of the filter." + } + ] + } + } + } \ No newline at end of file diff --git a/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Threats.json b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Threats.json new file mode 100644 index 00000000000..35dfb58bbe3 --- /dev/null +++ b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Threats.json 
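Review bot: `RegistrationToken` stores the group's registration token as a plain `string` column; if this is the token agents present to enrol into the group, ingesting it exposes a credential to anyone with read access to the workspace, and it will show up verbatim in the connector's `take 10` sample query. Unless it is needed for a detection, drop it in the DCR transform, or at minimum say in the description that the column holds an enrolment credential so workspace owners can restrict the table. `IsDefault` and `Inherits` are described as boolean indicators but typed `string`, and `TotalAgents` is described as a count but typed `string`; `boolean` and `int` respectively would match the descriptions and avoid `tobool()`/`toint()` in every query.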
@@ -0,0 +1,250 @@ + +{ + "name": "SentinelOneThreats_CL", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2021-03-01-privatepreview", + "tags": {}, + "properties": { + "schema": { + "name": "SentinelOneThreats_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "FilePath", + "type": "string", + "description": "The path of the file." + }, + { + "name": "CloudVerdict", + "type": "string", + "description": "The cloud verdict for the file." + }, + { + "name": "MitigationMode", + "type": "string", + "description": "The mode of mitigation applied." + }, + { + "name": "AgentOsType", + "type": "string", + "description": "The operating system type of the agent." + }, + { + "name": "AgentInfected", + "type": "boolean", + "description": "Indicates whether the agent is infected." + }, + { + "name": "InitiatingUserId", + "type": "string", + "description": "The unique identifier for the initiating user." + }, + { + "name": "Engines", + "type": "string", + "description": "Details of the engines used." + }, + { + "name": "Id", + "type": "string", + "description": "The unique identifier for the record." + }, + { + "name": "FileExtensionType", + "type": "string", + "description": "The type of file extension." + }, + { + "name": "MitigationStatus", + "type": "string", + "description": "The status of mitigation." + }, + { + "name": "AgentDomain", + "type": "string", + "description": "The domain of the agent." + }, + { + "name": "CreatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the record was created." + }, + { + "name": "IsCertValid", + "type": "boolean", + "description": "Indicates whether the certificate is valid." + }, + { + "name": "FileDisplayName", + "type": "string", + "description": "The display name of the file." 
+ }, + { + "name": "AgentIp", + "type": "string", + "description": "The IP address of the agent." + }, + { + "name": "AccountName", + "type": "string", + "description": "The name of the account associated with the event." + }, + { + "name": "AgentMachineType", + "type": "string", + "description": "The machine type of the agent." + }, + { + "name": "FileVerificationType", + "type": "string", + "description": "The type of file verification." + }, + { + "name": "Indicators", + "type": "string", + "description": "Details of the indicators." + }, + { + "name": "InitiatedByDescription", + "type": "string", + "description": "Description of the initiated by field." + }, + { + "name": "AutomaticallyResolved", + "type": "boolean", + "description": "Indicates whether the issue was automatically resolved." + }, + { + "name": "AgentId", + "type": "string", + "description": "The unique identifier for the agent." + }, + { + "name": "ProcessArguments", + "type": "string", + "description": "The unique identifier for the malicious group." + }, + { + "name": "MitigationReport", + "type": "string", + "description": "Report of the actions taken by the Agent." + }, + { + "name": "ThreatName", + "type": "string", + "description": "Details about the threat name." + }, + { + "name": "ClassificationSource", + "type": "string", + "description": "The source of the classification." + }, + { + "name": "UpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the record was last updated." + }, + { + "name": "InitiatedBy", + "type": "string", + "description": "Indicates by whom or what the action was initiated." + }, + { + "name": "AgentNetworkStatus", + "type": "string", + "description": "The network status of the agent." + }, + { + "name": "AgentComputerName", + "type": "string", + "description": "The computer name of the agent." + }, + { + "name": "Classification", + "type": "string", + "description": "The classification of the event." 
+ }, + { + "name": "CertId", + "type": "string", + "description": "The certificate ID." + }, + { + "name": "AgentIsActive", + "type": "boolean", + "description": "Indicates whether the agent is active." + }, + { + "name": "SiteId", + "type": "string", + "description": "The unique identifier for the site." + }, + { + "name": "AgentVersion", + "type": "string", + "description": "The version of the agent." + }, + { + "name": "FileContentHash", + "type": "string", + "description": "The hash of the file content." + }, + { + "name": "WhiteningOptions", + "type": "string", + "description": "Details of the whitening options." + }, + { + "name": "Username", + "type": "string", + "description": "The username associated with the event." + }, + { + "name": "FileSha256", + "type": "string", + "description": "The SHA-256 hash of the file." + }, + { + "name": "AgentIsDecommissioned", + "type": "boolean", + "description": "Indicates whether the agent is decommissioned." + }, + { + "name": "CollectionId", + "type": "string", + "description": "The unique identifier for the collection." + }, + { + "name": "SiteName", + "type": "string", + "description": "The name of the site." + }, + { + "name": "AccountId", + "type": "string", + "description": "The unique identifier for the account." + }, + { + "name": "ThreatInfo", + "type": "dynamic", + "description": "The information about the threat." + }, + { + "name": "AgentDetectionInfo", + "type": "dynamic", + "description": "The information of the agent in detection." + }, + { + "name": "AgentRealtimeInfo", + "type": "dynamic", + "description": "The information of the agent in realtime." + } + ] + } + } + } \ No newline at end of file diff --git a/Solutions/SentinelOne/Data/Solution_SentinelOne.json b/Solutions/SentinelOne/Data/Solution_SentinelOne.json index b5c5e25df7d..83fb11143cc 100644 --- a/Solutions/SentinelOne/Data/Solution_SentinelOne.json +++ b/Solutions/SentinelOne/Data/Solution_SentinelOne.json 
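Review bot: The description of `ProcessArguments`, "The unique identifier for the malicious group", does not match the column name and looks like a copy-paste from another column; suggest `"description": "The command-line arguments of the process associated with the threat."`. `ThreatName`'s description, "Details about the threat name", is circular; `"description": "The name of the detected threat."` says it plainly. `FileContentHash` and `FileSha256` both describe a file hash, so unless `FileContentHash` names the algorithm it carries, a reader cannot tell the two columns apart or know which one to match against an indicator.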
@@ -1,45 +1,45 @@ { - "Name": "SentinelOne", - "Author": "Microsoft - support@microsoft.com", - "Logo": "", - "Description": "The [SentinelOne](https://www.sentinelone.com/) solution provides ability to bring SentinelOne events to your Microsoft Sentinel Workspace to inform and to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. \r \n \r \n **Underlying Microsoft Technologies used:** \r \n \r \n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r \n \r \n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \r \n \r \n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)", - "Data Connectors": [ - "Data Connectors/SentinelOne_API_FunctionApp.json" - ], - "Workbooks": [ - "Workbooks/SentinelOne.json" - ], - "Parsers": [ - "Parsers/SentinelOne.yaml" + "Name": "SentinelOne", + "Author": "Microsoft - support@microsoft.com", + "Logo": "", + "Description": "The [SentinelOne](https://www.sentinelone.com/) solution provides ability to bring SentinelOne events to your Microsoft Sentinel Workspace to inform and to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. \r \n \r \n **Underlying Microsoft Technologies used:** \r \n \r \n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r \n \r \n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \r \n \r \n b. 
[Azure Functions](https://azure.microsoft.com/services/functions/#overview)", + "Data Connectors": [ + "Data Connectors/SentinelOne_ccp/connectorDefinition.json" ], - "Analytic Rules": [ - "Analytic Rules/SentinelOneAdminLoginNewIP.yaml", - "Analytic Rules/SentinelOneAgentUninstalled.yaml", - "Analytic Rules/SentinelOneAlertFromCustomRule.yaml", - "Analytic Rules/SentinelOneBlacklistHashDeleted.yaml", - "Analytic Rules/SentinelOneExclusionAdded.yaml", - "Analytic Rules/SentinelOneMultipleAlertsOnHost.yaml", - "Analytic Rules/SentinelOneNewAdmin.yaml", - "Analytic Rules/SentinelOneRuleDeleted.yaml", - "Analytic Rules/SentinelOneRuleDisabled.yaml", - "Analytic Rules/SentinelOneSameCustomRuleHitOnDiffHosts.yaml", - "Analytic Rules/SentinelOneViewAgentPassphrase.yaml" - ], - "Hunting Queries": [ - "Hunting Queries/SentinelOneAgentNotUpdated.yaml", - "Hunting Queries/SentinelOneAgentStatus.yaml", - "Hunting Queries/SentinelOneAlertTriggers.yaml", - "Hunting Queries/SentinelOneHostNotScanned.yaml", - "Hunting Queries/SentinelOneNewRules.yaml", - "Hunting Queries/SentinelOneRulesDeleted.yaml", - "Hunting Queries/SentinelOneScannedHosts.yaml", - "Hunting Queries/SentinelOneSourcesByAlertCount.yaml", - "Hunting Queries/SentinelOneUninstalledAgents.yaml", - "Hunting Queries/SentinelOneUsersByAlertCount.yaml" - ], - "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\SentinelOne", - "Version": "3.0.1", - "Metadata": "SolutionMetadata.json", - "TemplateSpec": true, - "Is1PConnector": false + "Workbooks": [ + "Workbooks/SentinelOne.json" + ], + "Parsers": [ + "Parsers/SentinelOne.yaml" +], + "Analytic Rules": [ + "Analytic Rules/SentinelOneAdminLoginNewIP.yaml", + "Analytic Rules/SentinelOneAgentUninstalled.yaml", + "Analytic Rules/SentinelOneAlertFromCustomRule.yaml", + "Analytic Rules/SentinelOneBlacklistHashDeleted.yaml", + "Analytic Rules/SentinelOneExclusionAdded.yaml", + "Analytic Rules/SentinelOneMultipleAlertsOnHost.yaml", + "Analytic Rules/SentinelOneNewAdmin.yaml", + 
"Analytic Rules/SentinelOneRuleDeleted.yaml", + "Analytic Rules/SentinelOneRuleDisabled.yaml", + "Analytic Rules/SentinelOneSameCustomRuleHitOnDiffHosts.yaml", + "Analytic Rules/SentinelOneViewAgentPassphrase.yaml" + ], + "Hunting Queries": [ + "Hunting Queries/SentinelOneAgentNotUpdated.yaml", + "Hunting Queries/SentinelOneAgentStatus.yaml", + "Hunting Queries/SentinelOneAlertTriggers.yaml", + "Hunting Queries/SentinelOneHostNotScanned.yaml", + "Hunting Queries/SentinelOneNewRules.yaml", + "Hunting Queries/SentinelOneRulesDeleted.yaml", + "Hunting Queries/SentinelOneScannedHosts.yaml", + "Hunting Queries/SentinelOneSourcesByAlertCount.yaml", + "Hunting Queries/SentinelOneUninstalledAgents.yaml", + "Hunting Queries/SentinelOneUsersByAlertCount.yaml" + ], + "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\SentinelOne", + "Version": "3.0.1", + "Metadata": "SolutionMetadata.json", + "TemplateSpec": true, + "Is1PConnector": false } \ No newline at end of file diff --git a/Solutions/SentinelOne/Package/3.0.3.zip b/Solutions/SentinelOne/Package/3.0.3.zip new file mode 100644 index 00000000000..0e90aaa68ad Binary files /dev/null and b/Solutions/SentinelOne/Package/3.0.3.zip differ diff --git a/Solutions/SentinelOne/Package/createUiDefinition.json b/Solutions/SentinelOne/Package/createUiDefinition.json index 281471a9999..beccc3faaa5 100644 --- a/Solutions/SentinelOne/Package/createUiDefinition.json +++ b/Solutions/SentinelOne/Package/createUiDefinition.json 
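Review bot: `Description` still states that the solution depends on the Azure Monitor HTTP Data Collector API and Azure Functions, but `Data Connectors` now points at the codeless `SentinelOne_ccp/connectorDefinition.json`, so the marketplace text will describe a dependency this version no longer has; items (a) and (b) should be replaced with the Codeless Connector Platform dependency or dropped. `"Version": "3.0.1"` is left unchanged while the packaged `mainTemplate.json` in this same commit sets `_solutionVersion` to `3.0.3`; the two should agree. As a matter of style, the re-indentation leaves the `],` that closes `Parsers` at column 0 while every other closing bracket is indented, so a hunk that is mostly whitespace still ends up inconsistent.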
@@ -60,14 +60,7 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This Solution installs the data connector for SentinelOne. You can get SentinelOne custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
+ "text": "This Solution installs the data connector for SentinelOne. You can get SentinelOne data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
 {
diff --git a/Solutions/SentinelOne/Package/mainTemplate.json b/Solutions/SentinelOne/Package/mainTemplate.json
index ffc7099e8c7..824a5a5da0c 100644
--- a/Solutions/SentinelOne/Package/mainTemplate.json
+++ b/Solutions/SentinelOne/Package/mainTemplate.json
@@ -28,6 +28,20 @@
 "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
 }
 },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ },
 "workbook1-name": {
 "type": "string",
 "defaultValue": "SentinelOneWorkbook",
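Review bot: The `dataconnectors-parser-text` block is removed from createUiDefinition.json, yet the solution still ships the Kusto parser — the Solution manifest hunk above keeps `Parsers/SentinelOne.yaml` and mainTemplate bumps `parserVersion1` to 1.0.1. If the parser is retained so that queries written against the old `SentinelOne_CL` table keep working alongside the new CCP tables, a one-line text block saying so would save users from hunting for it; if it is meant to be retired, the manifest and mainTemplate should drop it in the same change. I can't tell from this hunk which is intended.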
@@ -41,30 +55,27 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "SentinelOne",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
 "solutionId": "azuresentinel.azure-sentinel-solution-sentinelone",
 "_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "SentinelOne",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "SentinelOne",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "dataConnectorCCPVersion": "1.0.1",
+ "_dataConnectorContentIdConnectorDefinition1": "SentinelOne",
+ "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "_dataConnectorContentIdConnections1": "SentinelOneConnections",
+ "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]",
+ "blanks": "[replace('b', 'b', '')]",
 "workbookVersion1": "1.0.0",
 "workbookContentId1": "SentinelOneWorkbook",
 "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
 "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
 "_workbookContentId1": "[variables('workbookContentId1')]",
- "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
 "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
 "parserObject1": {
 "_parserName1": "[concat(parameters('workspace'),'/','SentinelOne')]",
 "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'SentinelOne')]",
 "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('SentinelOne-Parser')))]",
- "parserVersion1": "1.0.0",
+ "parserVersion1": "1.0.1",
 "parserContentId1": "SentinelOne-Parser"
 },
 "analyticRuleObject1": {
@@ -200,57 +211,108 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOne data connector with template version 3.0.2", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "displayName": "SentinelOne", + "contentKind": "DataConnector", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", + "contentVersion": "[variables('dataConnectorCCPVersion')]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", "location": "[parameters('workspace-location')]", - "kind": "GenericUI", + "kind": "Customizable", "properties": { "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "SentinelOne (using Azure Functions)", - "publisher": "SentinelOne", - "descriptionMarkdown": "The [SentinelOne](https://www.sentinelone.com/) data connector provides the 
capability to ingest common SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. Refer to API documentation: `https://.sentinelone.net/api-doc/overview` for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", + "id": "SentinelOne", + "title": "SentinelOne", + "publisher": "Microsoft", + "descriptionMarkdown": "The [SentinelOne](https://usea1-nessat.sentinelone.net/api-doc/overview) data connector allows ingesting logs from the SentinelOne API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform. It uses the SentinelOne API to fetch logs and it supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance.", "graphQueries": [ { - "metricName": "Total data received", - "legend": "SentinelOne_CL", - "baseQuery": "SentinelOne_CL" + "metricName": "Total activities logs received", + "legend": "SentinelOne Activities Logs", + "baseQuery": "SentinelOneActivities_CL" + }, + { + "metricName": "Total agents logs received", + "legend": "SentinelOne Agents Logs", + "baseQuery": "SentinelOneAgents_CL" + }, + { + "metricName": "Total groups logs received", + "legend": "SentinelOne Groups Logs", + "baseQuery": "SentinelOneGroups_CL" + }, + { + "metricName": "Total threats logs received", + "legend": "SentinelOne Threats Logs", + "baseQuery": "SentinelOneThreats_CL" + }, + { + "metricName": "Total alerts logs received", + "legend": "SentinelOne Alerts 
Logs", + "baseQuery": "SentinelOneAlerts_CL" } ], "sampleQueries": [ { - "description": "SentinelOne Events - All Activities.", - "query": "SentinelOne\n | sort by TimeGenerated desc" + "description": "Get Sample of SentinelOne activities logs", + "query": "SentinelOneActivities_CL| take 10" + }, + { + "description": "Get Sample of SentinelOne groups logs", + "query": "SentinelOneGroups_CL| take 10" + }, + { + "description": "Get Sample of SentinelOne threats logs", + "query": "SentinelOneThreats_CL| take 10" + }, + { + "description": "Get Sample of SentinelOne agents logs", + "query": "SentinelOneAgents_CL| take 10" + }, + { + "description": "Get Sample of SentinelOne alerts logs", + "query": "SentinelOneAlerts_CL| take 10" } ], "dataTypes": [ { - "name": "SentinelOne_CL", - "lastDataReceivedQuery": "SentinelOne_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "name": "SentinelOneActivities_CL", + "lastDataReceivedQuery": "SentinelOneActivities_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "SentinelOneAgents_CL", + "lastDataReceivedQuery": "SentinelOneAgents_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "SentinelOneGroups_CL", + "lastDataReceivedQuery": "SentinelOneGroups_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "SentinelOneThreats_CL", + "lastDataReceivedQuery": "SentinelOneThreats_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "SentinelOneAlerts_CL", + "lastDataReceivedQuery": "SentinelOneAlerts_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], - "connectivityCriterias": [ + "connectivityCriteria": [ { - "type": "IsConnectedQuery", - "value": [ - "SentinelOne_CL\n | 
summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] + "type": "HasDataConnectors", + "value": null } ], "availability": { 
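Review bot: `descriptionMarkdown` now links to `https://usea1-nessat.sentinelone.net/api-doc/overview`, which appears to be one specific SentinelOne console tenant rather than vendor documentation; customers on other consoles will likely hit a login wall or a dead link, and the hostname reveals which tenant the connector was developed against. The same host is used in the first instruction-step Markdown of the next hunk (`.../docs/en/how-to-automate-api-token-generation.html`). Prefer a vendor-neutral form such as the console-relative placeholder the previous description used (`https://<your-console>.sentinelone.net/api-doc/overview`) and state that the API docs are served from the customer's own console. The `connectorUiConfig` object this sits in ends outside this hunk.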
@@ -258,109 +320,90 @@ "isPreview": false }, "permissions": { + "tenant": null, + "licenses": null, "resourceProvider": [ { "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", + "permissionsDisplayText": "Read and Write permissions are required.", "providerDisplayName": "Workspace", "scope": "Workspace", "requiredPermissions": { - "write": true, "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true + "write": true, + "delete": true, + "action": false } } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - }, - { - "name": "REST API Credentials/permissions", - "description": "**SentinelOneAPIToken** is required. See the documentation to learn more about API on the `https://.sentinelone.net/api-doc/overview`." - } ] }, "instructionSteps": [ { - "description": ">**NOTE:** This connector uses Azure Functions to connect to the SentinelOne API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." - }, - { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. 
Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." - }, - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SentinelOne and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Parsers/SentinelOne.txt). The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": "**STEP 1 - Configuration steps for the SentinelOne API**\n\n Follow the instructions to obtain the credentials.\n\n1. Log in to the SentinelOne Management Console with Admin user credentials.\n2. In the Management Console, click **Settings**.\n3. In the **SETTINGS** view, click **USERS**\n4. Click **New User**.\n5. Enter the information for the new console user.\n5. In Role, select **Admin**.\n6. Click **SAVE**\n7. Save credentials of the new user for using in the data connector." - }, - { - "description": "**NOTE :-** Admin access can be delegated using custom roles. Please review SentinelOne [documentation](https://www.sentinelone.com/blog/feature-spotlight-fully-custom-role-based-access-control/) to learn more about custom RBAC." 
- }, - { - "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the SentinelOne data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### Configuration steps for the SentinelOne API \n Follow the instructions to obtain the credentials. You can also follow the [guide](https://usea1-nessat.sentinelone.net/docs/en/how-to-automate-api-token-generation.html#how-to-automate-api-token-generation) to generate API key." + } + }, + { + "type": "Markdown", + "parameters": { + "content": "#### 1. Retrieve SentinelOne Management URL\n 1.1. Log in to the SentinelOne [**Management Console**] with Admin user credentials\n 1.2. In the [**Management Console**] copy the URL link above without the URL path." + } + }, + { + "type": "Markdown", + "parameters": { + "content": "#### 2. Retrieve API Token\n 2.1. Log in to the SentinelOne [**Management Console**] with Admin user credentials\n 2.2. In the [**Management Console**], click [**Settings**]\n 2.3. In [**Settings**] view click on [**USERS**].\n 2.4. In the [**USERS**] Page click on [**Service Users**] -> [**Actions**] -> [**Create new service user**].\n 2.5. Choose [**Expiration date**] and [**scope**] (by site) and click on [**Create User**].\n 2.6. 
Once the [**Service User**] is created copy the [**API Token**] from page and press [**Save**]" + } + }, + { + "parameters": { + "label": "SentinelOne Management URL", + "placeholder": "https://example.sentinelone.net/", + "type": "text", + "name": "managementUrl" + }, + "type": "Textbox" + }, { "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" + "label": "API Token", + "placeholder": "API Token", + "type": "password", + "name": "apitoken" }, - "type": "CopyableLabel" + "type": "Textbox" }, { "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary Key" + "label": "toggle", + "name": "toggle" }, - "type": "CopyableLabel" + "type": "ConnectionToggleButton" } - ] - }, - { - "description": "Use this method for automated deployment of the SentinelOne Audit data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SentinelOneAPI-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-SentinelOneAPI-azuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **SentinelOneAPIToken**, **SentinelOneUrl** `(https://.sentinelone.net)` and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", - "title": "Option 1 - Azure Resource Manager (ARM) Template" - }, - { - "description": "Use the following step-by-step instructions to deploy the SentinelOne Reports data connector manually with Azure Functions (Deployment via Visual Studio Code).", - "title": "Option 2 - Manual Deployment of Azure Functions" - }, - { - "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SentinelOneAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. SOneXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." - }, - { - "description": "**2. Configure the Function App**\n\n 1. In the Function App, select the Function App Name and select **Configuration**.\n\n 2. In the **Application settings** tab, select ** New application setting**.\n\n 3. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\t SentinelOneAPIToken\n\t\t SentinelOneUrl\n\t\t WorkspaceID\n\t\t WorkspaceKey\n\t\t logAnalyticsUri (optional)\n\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n\n 4. Once all application settings have been entered, click **Save**." + ], + "innerSteps": null } - ] + ], + "isConnectivityCriteriasMatchSome": false } } }, { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", + "apiVersion": "2022-01-01-preview", "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", + "version": "[variables('dataConnectorCCPVersion')]", "source": { - "kind": "Solution", - "name": "SentinelOne", - "sourceId": "[variables('_solutionId')]" + "sourceId": "[variables('_solutionId')]", + "name": 
"[variables('_solutionName')]", + "kind": "Solution" }, "author": { "name": "Microsoft", 
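Review bot: Steps 2.4–2.6 walk the operator through creating a service user with an expiration date and a site scope, but never say which role to assign; since step 2.1 has them logged in as Admin, many will give the service user Admin as well, and that token then lives in the connector with far more rights than polling Activities, Agents, Groups, Threats and Alerts needs. Add the least-privileged role to step 2.5, e.g. `2.5. Choose [**Expiration date**], [**scope**] (by site) and a read-only role sufficient for the Activities, Agents, Groups, Threats and Alerts APIs, then click on [**Create User**].` (confirm the exact role name against SentinelOne's RBAC documentation). The `managementUrl` Textbox carries only a placeholder in this hunk; the entered host is where the API token will be sent, so the connector definition should validate it as an `https://` URL under `sentinelone.net` if it does not already — the definition file is not visible from here. Separately, the new metadata resource uses `apiVersion` `2022-01-01-preview` while the removed one used `2023-04-01-preview`; check that the downgrade is intentional and consistent with the other metadata resources in this template.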
@@ -371,90 +414,1698 @@ "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" + } + ] } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "SentinelOne (using Azure Functions)", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "SentinelOne", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - 
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "SentinelOne (using Azure Functions)", - "publisher": "SentinelOne", - "descriptionMarkdown": "The [SentinelOne](https://www.sentinelone.com/) data connector provides the capability to ingest common SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. Refer to API documentation: `https://.sentinelone.net/api-doc/overview` for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", - "graphQueries": [ + }, + { + "name": "SentinelOneActivitiesDCR", + "apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[variables('blanks')]", + "properties": { + "streamDeclarations": { + "Custom-SentinelOneActivities_API": { + "columns": [ + { + "name": "agentUpdatedVersion", + "type": "string", + "description": "The version of the agent that was updated." + }, + { + "name": "userId", + "type": "string", + "description": "The unique identifier for the user." + }, + { + "name": "threatId", + "type": "string", + "description": "The unique identifier for the threat." + }, + { + "name": "primaryDescription", + "type": "string", + "description": "The primary description of the event." + }, + { + "name": "secondaryDescription", + "type": "string", + "description": "The secondary description of the event." + }, + { + "name": "id", + "type": "string", + "description": "The unique identifier for the record." 
+ }, + { + "name": "groupId", + "type": "string", + "description": "The unique identifier for the group." + }, + { + "name": "createdAt", + "type": "datetime", + "description": "The timestamp (UTC) when the record was created." + }, + { + "name": "accountName", + "type": "string", + "description": "The name of the account associated with the event." + }, + { + "name": "data", + "type": "string", + "description": "Activity metadata." + }, + { + "name": "agentId", + "type": "string", + "description": "The unique identifier for the agent." + }, + { + "name": "hash", + "type": "string", + "description": "The hash associated with the event." + }, + { + "name": "updatedAt", + "type": "string", + "description": "The timestamp (UTC) when the record was last updated." + }, + { + "name": "description", + "type": "string", + "description": "The description of the event." + }, + { + "name": "activityUuid", + "type": "string", + "description": "The UUID of the activity associated with the event." + }, + { + "name": "siteId", + "type": "string", + "description": "The unique identifier for the site." + }, + { + "name": "activityType", + "type": "real", + "description": "The type of activity represented by an integer." + }, + { + "name": "siteName", + "type": "string", + "description": "The name of the site associated with the event." + }, + { + "name": "accountId", + "type": "string", + "description": "The unique identifier for the account." + }, + { + "name": "osFamily", + "type": "string", + "description": "The operating system family, such as macOS." + }, + { + "name": "groupName", + "type": "string", + "description": "The name of the group associated with the event." + }, + { + "name": "comments", + "type": "string", + "description": "Any comments associated with the event." + } + ] + }, + "Custom-SentinelOneAgents_API": { + "columns": [ + { + "name": "uuid", + "type": "string", + "description": "The unique identifier for the object." 
+ }, + { + "name": "mitigationMode", + "type": "string", + "description": "The mitigation mode applied." + }, + { + "name": "networkStatus", + "type": "string", + "description": "The network status of the object." + }, + { + "name": "installerType", + "type": "string", + "description": "The type of installer used." + }, + { + "name": "mitigationModeSuspicious", + "type": "string", + "description": "The suspicious mitigation mode applied." + }, + { + "name": "isPendingUninstall", + "type": "boolean", + "description": "Indicates whether the object is pending uninstallation." + }, + { + "name": "inRemoteShellSession", + "type": "boolean", + "description": "Indicates whether the object is in a remote shell session." + }, + { + "name": "lastLoggedInUserName", + "type": "string", + "description": "The username of the last logged-in user." + }, + { + "name": "osRevision", + "type": "string", + "description": "The OS revision." + }, + { + "name": "osArch", + "type": "string", + "description": "The OS architecture." + }, + { + "name": "id", + "type": "string", + "description": "The unique identifier for the object." + }, + { + "name": "computerName", + "type": "string", + "description": "The name of the computer." + }, + { + "name": "totalMemory", + "type": "real", + "description": "The total memory available in MB." + }, + { + "name": "createdAt", + "type": "datetime", + "description": "The timestamp (UTC) when the object was created." + }, + { + "name": "groupId", + "type": "string", + "description": "The unique identifier for the group." + }, + { + "name": "lastActiveDate", + "type": "string", + "description": "The timestamp (UTC) when the object was last active." + }, + { + "name": "fullDiskScanLastUpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the full disk scan was last updated." + }, + { + "name": "allowRemoteShell", + "type": "boolean", + "description": "Indicates whether remote shell is allowed." 
+ }, + { + "name": "rangerVersion", + "type": "string", + "description": "The version of the ranger." + }, + { + "name": "accountName", + "type": "string", + "description": "The account name." + }, + { + "name": "scanStatus", + "type": "string", + "description": "The scan status of the object." + }, + { + "name": "domain", + "type": "string", + "description": "The domain of the object." + }, + { + "name": "missingPermissions", + "type": "string", + "description": "Details of the missing permissions." + }, + { + "name": "isActive", + "type": "boolean", + "description": "Indicates whether the object is active." + }, + { + "name": "groupIp", + "type": "string", + "description": "The IP address of the group." + }, + { + "name": "threatRebootRequired", + "type": "boolean", + "description": "Indicates whether a reboot is required due to a threat." + }, + { + "name": "groupUpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the group was last updated." + }, + { + "name": "externalId", + "type": "string", + "description": "The external identifier associated with the object." + }, + { + "name": "machineType", + "type": "string", + "description": "The type of machine." + }, + { + "name": "registeredAt", + "type": "string", + "description": "The timestamp (UTC) when the object was registered." + }, + { + "name": "appsVulnerabilityStatus", + "type": "string", + "description": "The vulnerability status of the applications." + }, + { + "name": "coreCount", + "type": "real", + "description": "The number of CPU cores." + }, + { + "name": "locations", + "type": "string", + "description": "The locations associated with the object." + }, + { + "name": "scanFinishedAt", + "type": "string", + "description": "The timestamp (UTC) when the scan was finished." + }, + { + "name": "updatedAt", + "type": "string", + "description": "The timestamp (UTC) when the object was last updated." 
+ },
+ {
+ "name": "externalIp",
+ "type": "string",
+ "description": "The external IP address of the object."
+ },
+ {
+ "name": "locationType",
+ "type": "string",
+ "description": "The type of location."
+ },
+ {
+ "name": "policyUpdatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the policy was last updated."
+ },
+ {
+ "name": "isDecommissioned",
+ "type": "boolean",
+ "description": "Indicates whether the object is decommissioned."
+ },
+ {
+ "name": "cpuId",
+ "type": "string",
+ "description": "The identifier of the CPU."
+ },
+ {
+ "name": "networkInterfaces",
+ "type": "string",
+ "description": "Details of the network interfaces."
+ },
+ {
+ "name": "isUninstalled",
+ "type": "boolean",
+ "description": "Indicates whether the object is uninstalled."
+ },
+ {
+ "name": "activeDirectory",
+ "type": "string",
+ "description": "Details about the active directory."
+ },
+ {
+ "name": "scanStartedAt",
+ "type": "string",
+ "description": "The timestamp (UTC) when the scan was started."
+ },
+ {
+ "name": "rangerStatus",
+ "type": "string",
+ "description": "The status of the ranger."
+ },
+ {
+ "name": "siteId",
+ "type": "string",
+ "description": "The unique identifier for the site."
+ },
+ {
+ "name": "agentVersion",
+ "type": "string",
+ "description": "The version of the agent."
+ },
+ {
+ "name": "osUsername",
+ "type": "string",
+ "description": "The username associated with the operating system."
+ },
+ {
+ "name": "encryptedApplications",
+ "type": "boolean",
+ "description": "Indicates whether the applications are encrypted."
+ },
+ {
+ "name": "lastIpToMgmt",
+ "type": "string",
+ "description": "The last IP address used for management."
+ },
+ {
+ "name": "cpuCount",
+ "type": "real",
+ "description": "The number of CPUs."
+ },
+ {
+ "name": "scanAbortedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the scan was aborted."
+ },
+ {
+ "name": "siteName",
+ "type": "string",
+ "description": "The name of the site."
+ },
+ {
+ "name": "activeThreats",
+ "type": "real",
+ "description": "The number of active threats."
+ },
+ {
+ "name": "infected",
+ "type": "boolean",
+ "description": "Indicates whether the object is infected."
+ },
+ {
+ "name": "consoleMigrationStatus",
+ "type": "string",
+ "description": "The status of the console migration."
+ },
+ {
+ "name": "osType",
+ "type": "string",
+ "description": "The type of operating system."
+ },
+ {
+ "name": "accountId",
+ "type": "string",
+ "description": "The unique identifier for the account."
+ },
+ {
+ "name": "groupName",
+ "type": "string",
+ "description": "The name of the group."
+ },
+ {
+ "name": "osName",
+ "type": "string",
+ "description": "The name of the operating system."
+ },
+ {
+ "name": "isUpToDate",
+ "type": "boolean",
+ "description": "Indicates whether the object is up to date."
+ },
+ {
+ "name": "licenseKey",
+ "type": "string",
+ "description": "The license key associated with the object."
+ },
+ {
+ "name": "userActionsNeeded",
+ "type": "string",
+ "description": "Details of the user actions needed."
+ },
+ {
+ "name": "modelName",
+ "type": "string",
+ "description": "The model name of the object."
+ },
+ {
+ "name": "networkQuarantineEnabled",
+ "type": "boolean",
+ "description": "Is Network Quarantine Enabled on the device"
+ },
+ {
+ "name": "operationalStateExpiration",
+ "type": "string",
+ "description": "Agent operational state."
+ },
+ {
+ "name": "remoteProfilingState",
+ "type": "string",
+ "description": "Agent remote profiling state."
+ },
+ {
+ "name": "osStartTime",
+ "type": "string",
+ "description": "The Start time of the os."
+ }
+ ]
+ },
+ "Custom-SentinelOneAlerts_API": {
+ "columns": [
+ {
+ "name": "sourceProcessInfo",
+ "type": "string",
+ "description": "Information about the source process."
+ },
+ {
+ "name": "alertInfo",
+ "type": "string",
+ "description": "Details about the alert."
+ },
+ {
+ "name": "agentDetectionInfo",
+ "type": "string",
+ "description": "Detection information related to the agent."
+ },
+ {
+ "name": "ruleInfo",
+ "type": "string",
+ "description": "Information regarding the applied rule."
+ },
+ {
+ "name": "containerInfo",
+ "type": "string",
+ "description": "Information about the container."
+ },
+ {
+ "name": "sourceParentProcessInfo",
+ "type": "string",
+ "description": "Information about the parent process of the source."
+ },
+ {
+ "name": "targetProcessInfo",
+ "type": "string",
+ "description": "Details regarding the target process."
+ },
+ {
+ "name": "kubernetesInfo",
+ "type": "string",
+ "description": "Kubernetes-related information."
+ }
+ ]
+ },
+ "Custom-SentinelOneGroups_API": {
+ "columns": [
+ {
+ "name": "creator",
+ "type": "string",
+ "description": "The name of the creator."
+ },
+ {
+ "name": "registrationToken",
+ "type": "string",
+ "description": "The token used for registration."
+ },
+ {
+ "name": "isDefault",
+ "type": "boolean",
+ "description": "Indicates whether this is the default setting."
+ },
+ {
+ "name": "updatedAt",
+ "type": "string",
+ "description": "The timestamp (UTC) when the object was last updated."
+ },
+ {
+ "name": "totalAgents",
+ "type": "real",
+ "description": "The total number of agents."
+ },
+ {
+ "name": "inherits",
+ "type": "boolean",
+ "description": "Indicates whether the object inherits properties."
+ },
+ {
+ "name": "name",
+ "type": "string",
+ "description": "The name of the object."
+ },
+ {
+ "name": "rank",
+ "type": "real",
+ "description": "The rank of the object."
+ },
+ {
+ "name": "filterName",
+ "type": "string",
+ "description": "The name of the filter applied."
+ },
+ {
+ "name": "type",
+ "type": "string",
+ "description": "The type of the object."
+ },
+ {
+ "name": "id",
+ "type": "string",
+ "description": "The unique identifier for the object."
+ },
+ {
+ "name": "createdAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the object was created."
+ },
+ {
+ "name": "creatorId",
+ "type": "string",
+ "description": "The unique identifier of the creator."
+ },
+ {
+ "name": "siteId",
+ "type": "string",
+ "description": "The unique identifier of the site."
+ },
+ {
+ "name": "filterId",
+ "type": "string",
+ "description": "The unique identifier of the filter."
+ }
+ ]
+ },
+ "Custom-SentinelOneThreats_API": {
+ "columns": [
+ {
+ "name": "threatInfo",
+ "type": "string",
+ "description": "The information regarding the threat."
+ },
+ {
+ "name": "agentDetectionInfo",
+ "type": "string",
+ "description": "The information of the agent on detectino."
+ },
+ {
+ "name": "agentRealtimeInfo",
+ "type": "string",
+ "description": "The information of the agent in real time."
+ },
+ {
+ "name": "indicators",
+ "type": "string",
+ "description": "Details of the indicators."
+ },
+ {
+ "name": "whiteningOptions",
+ "type": "string",
+ "description": "Details of the whitening options."
+ },
+ {
+ "name": "id",
+ "type": "string",
+ "description": "Event Id."
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-SentinelOneActivities_API"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | project TimeGenerated = createdAt, AgentUpdatedVersion = agentUpdatedVersion, UserId = userId, ThreatId = threatId, PrimaryDescription = primaryDescription, SecondaryDescription = secondaryDescription, Id = id, GroupId = groupId, CreatedAt = createdAt, AccountName = accountName, Data = data, AgentId = agentId, Hash = hash, UpdatedAt = todatetime(updatedAt), Description = description, ActivityUuid = activityUuid, SiteId = siteId, ActivityType = activityType, SiteName = siteName, AccountId = accountId, OsFamily = osFamily, GroupName = groupName, Comments = comments",
+ "outputStream": "Custom-SentinelOneActivities_CL"
+ },
+ {
+ "streams": [
+ "Custom-SentinelOneAgents_API"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | project TimeGenerated = createdAt, Uuid = uuid, MitigationMode = mitigationMode, NetworkStatus = networkStatus, InstallerType = installerType, MitigationModeSuspicious = mitigationModeSuspicious, IsPendingUninstall = isPendingUninstall, InRemoteShellSession = inRemoteShellSession, LastLoggedInUserName = lastLoggedInUserName, OsRevision = osRevision, OsArch = osArch, Id = id, ComputerName = computerName, TotalMemory = totalMemory, CreatedAt = createdAt, GroupId = groupId, LastActiveDate = todatetime(lastActiveDate), FullDiskScanLastUpdatedAt = fullDiskScanLastUpdatedAt, AllowRemoteShell = allowRemoteShell, RangerVersion = rangerVersion, AccountName = accountName, ScanStatus = scanStatus, Domain = domain, MissingPermissions = missingPermissions, IsActive = isActive, GroupIp = groupIp, ThreatRebootRequired = threatRebootRequired, GroupUpdatedAt = groupUpdatedAt, ExternalId = externalId, MachineType = machineType, RegisteredAt = 
todatetime(registeredAt), AppsVulnerabilityStatus = appsVulnerabilityStatus, CoreCount = coreCount, Locations = locations, ScanFinishedAt = todatetime(scanFinishedAt), UpdatedAt = todatetime(updatedAt), ExternalIp = externalIp, LocationType = locationType, PolicyUpdatedAt = policyUpdatedAt, IsDecommissioned = isDecommissioned, CpuId = cpuId, NetworkInterfaces = networkInterfaces, IsUninstalled = isUninstalled, ActiveDirectory = activeDirectory, ScanStartedAt = todatetime(scanStartedAt), RangerStatus = rangerStatus, SiteId = siteId, AgentVersion = agentVersion, OsUsername = osUsername, EncryptedApplications = encryptedApplications, LastIpToMgmt = lastIpToMgmt, CpuCount = cpuCount, ScanAbortedAt = scanAbortedAt, SiteName = siteName, ActiveThreats = activeThreats, Infected = infected, ConsoleMigrationStatus = consoleMigrationStatus, OsType = osType, AccountId = accountId, GroupName = groupName, OsName = osName, IsUpToDate = isUpToDate, LicenseKey = licenseKey, UserActionsNeeded = userActionsNeeded, ModelName = modelName, OsStartTime = todatetime(osStartTime), NetworkQuarantineEnabled=networkQuarantineEnabled,OperationalStateExpiration=operationalStateExpiration,RemoteProfilingState=remoteProfilingState",
+ "outputStream": "Custom-SentinelOneAgents_CL"
+ },
+ {
+ "streams": [
+ "Custom-SentinelOneAlerts_API"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | project TimeGenerated = todatetime(parse_json(todynamic(alertInfo)).createdAt), SourceProcessInfo = sourceProcessInfo, AlertInfo = alertInfo, AgentDetectionInfo = agentDetectionInfo, RuleInfo = ruleInfo, ContainerInfo = containerInfo, SourceParentProcessInfo = sourceParentProcessInfo, TargetProcessInfo = targetProcessInfo, KubernetesInfo = kubernetesInfo",
+ "outputStream": "Custom-SentinelOneAlerts_CL"
+ },
+ {
+ "streams": [
+ "Custom-SentinelOneGroups_API"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | project TimeGenerated = createdAt, Creator = creator, 
RegistrationToken = registrationToken, IsDefault = tostring(isDefault), UpdatedAt = todatetime(updatedAt), TotalAgents = tostring(totalAgents), Inherits = tostring(inherits), Name = name, Rank = rank, FilterName = filterName, GroupType = type, Id = id, CreatedAt = createdAt, CreatorId = creatorId, SiteId = siteId, FilterId = filterId",
+ "outputStream": "Custom-SentinelOneGroups_CL"
+ },
+ {
+ "streams": [
+ "Custom-SentinelOneThreats_API"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | extend ThreatInfo = parse_json(todynamic(threatInfo)), AgentDetectionInfo=parse_json(todynamic(agentDetectionInfo)), AgentRealtimeInfo=parse_json(todynamic(agentRealtimeInfo)) | project TimeGenerated = todatetime(ThreatInfo.createdAt), FilePath = tostring(ThreatInfo.filePath), CloudVerdict = tostring(ThreatInfo.cloudVerdict), MitigationMode = tostring(AgentDetectionInfo.mitigationMode), AgentOsType = tostring(AgentRealtimeInfo.agentOsType), AgentInfected = tobool(AgentRealtimeInfo.agentInfected), InitiatingUserId = tostring(ThreatInfo.initiatingUserId), Engines = tostring(ThreatInfo.engines), Id = id, FileExtensionType = tostring(ThreatInfo.fileExtensionType), MitigationStatus = tostring(ThreatInfo.mitigationStatus), AgentDomain = tostring(AgentDetectionInfo.agentDomain), CreatedAt = todatetime(ThreatInfo.createdAt), IsCertValid = tobool(ThreatInfo.isValidCertificate), FileDisplayName = tostring(ThreatInfo.filePath), AgentIp = tostring(AgentDetectionInfo.agentIpV4), AccountName = tostring(AgentRealtimeInfo.accountName), AgentMachineType = tostring(AgentRealtimeInfo.agentMachineType), FileVerificationType = tostring(ThreatInfo.fileVerificationType), Indicators = indicators, InitiatedByDescription = tostring(ThreatInfo.initiatedByDescription), AutomaticallyResolved = tobool(ThreatInfo.automaticallyResolved), AgentId = tostring(AgentRealtimeInfo.agentId), ProcessArguments = tostring(ThreatInfo.maliciousProcessArguments), MitigationReport = 
tostring(AgentDetectionInfo.mitigationReport), ThreatName = tostring(ThreatInfo.threatName), ClassificationSource = tostring(ThreatInfo.classificationSource), UpdatedAt = todatetime(ThreatInfo.updatedAt), InitiatedBy = tostring(ThreatInfo.initiatedBy), AgentNetworkStatus = tostring(AgentRealtimeInfo.agentNetworkStatus), AgentComputerName = tostring(AgentRealtimeInfo.agentComputerName), Classification = tostring(ThreatInfo.classification), CertId = tostring(ThreatInfo.certificateId), AgentIsActive = tobool(AgentRealtimeInfo.agentIsActive), SiteId = tostring(AgentDetectionInfo.siteId), AgentVersion = tostring(AgentDetectionInfo.agentVersion), FileContentHash = tostring(ThreatInfo.md5), WhiteningOptions = whiteningOptions,FileSha256 = tostring(ThreatInfo.sha256), Username = tostring(ThreatInfo.initiatingUsername), AgentIsDecommissioned = tobool(AgentDetectionInfo.agentIsDecommissioned), CollectionId = tostring(ThreatInfo.collectionId), SiteName = tostring(AgentDetectionInfo.siteName), AccountId = tostring(AgentDetectionInfo.accountId), ThreatInfo, AgentDetectionInfo, AgentRealtimeInfo",
+ "outputStream": "Custom-SentinelOneThreats_CL"
+ }
+ ],
+ "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]"
+ }
+ },
+ {
+ "name": "SentinelOneThreats_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "schema": {
+ "name": "SentinelOneThreats_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "FilePath",
+ "type": "string",
+ "description": "The path of the file."
+ },
+ {
+ "name": "CloudVerdict",
+ "type": "string",
+ "description": "The cloud verdict for the file."
+ },
+ {
+ "name": "MitigationMode",
+ "type": "string",
+ "description": "The mode of mitigation applied."
+ },
+ {
+ "name": "AgentOsType",
+ "type": "string",
+ "description": "The operating system type of the agent."
+ },
+ {
+ "name": "AgentInfected",
+ "type": "boolean",
+ "description": "Indicates whether the agent is infected."
+ },
+ {
+ "name": "InitiatingUserId",
+ "type": "string",
+ "description": "The unique identifier for the initiating user."
+ },
+ {
+ "name": "Engines",
+ "type": "string",
+ "description": "Details of the engines used."
+ },
+ {
+ "name": "Id",
+ "type": "string",
+ "description": "The unique identifier for the record."
+ },
+ {
+ "name": "FileExtensionType",
+ "type": "string",
+ "description": "The type of file extension."
+ },
+ {
+ "name": "MitigationStatus",
+ "type": "string",
+ "description": "The status of mitigation."
+ },
+ {
+ "name": "AgentDomain",
+ "type": "string",
+ "description": "The domain of the agent."
+ },
+ {
+ "name": "CreatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the record was created."
+ },
+ {
+ "name": "IsCertValid",
+ "type": "boolean",
+ "description": "Indicates whether the certificate is valid."
+ },
+ {
+ "name": "FileDisplayName",
+ "type": "string",
+ "description": "The display name of the file."
+ },
+ {
+ "name": "AgentIp",
+ "type": "string",
+ "description": "The IP address of the agent."
+ },
+ {
+ "name": "AccountName",
+ "type": "string",
+ "description": "The name of the account associated with the event."
+ },
+ {
+ "name": "AgentMachineType",
+ "type": "string",
+ "description": "The machine type of the agent."
+ },
+ {
+ "name": "FileVerificationType",
+ "type": "string",
+ "description": "The type of file verification."
+ },
+ {
+ "name": "Indicators",
+ "type": "string",
+ "description": "Details of the indicators."
+ },
+ {
+ "name": "InitiatedByDescription",
+ "type": "string",
+ "description": "Description of the initiated by field."
+ },
+ {
+ "name": "AutomaticallyResolved",
+ "type": "boolean",
+ "description": "Indicates whether the issue was automatically resolved."
+ },
+ {
+ "name": "AgentId",
+ "type": "string",
+ "description": "The unique identifier for the agent."
+ },
+ {
+ "name": "ProcessArguments",
+ "type": "string",
+ "description": "The unique identifier for the malicious group."
+ },
+ {
+ "name": "MitigationReport",
+ "type": "string",
+ "description": "Report of the actions taken by the Agent."
+ },
+ {
+ "name": "ThreatName",
+ "type": "string",
+ "description": "Details about the threat name."
+ },
+ {
+ "name": "ClassificationSource",
+ "type": "string",
+ "description": "The source of the classification."
+ },
+ {
+ "name": "UpdatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the record was last updated."
+ },
+ {
+ "name": "InitiatedBy",
+ "type": "string",
+ "description": "Indicates by whom or what the action was initiated."
+ },
+ {
+ "name": "AgentNetworkStatus",
+ "type": "string",
+ "description": "The network status of the agent."
+ },
+ {
+ "name": "AgentComputerName",
+ "type": "string",
+ "description": "The computer name of the agent."
+ },
+ {
+ "name": "Classification",
+ "type": "string",
+ "description": "The classification of the event."
+ },
+ {
+ "name": "CertId",
+ "type": "string",
+ "description": "The certificate ID."
+ },
+ {
+ "name": "AgentIsActive",
+ "type": "boolean",
+ "description": "Indicates whether the agent is active."
+ },
+ {
+ "name": "SiteId",
+ "type": "string",
+ "description": "The unique identifier for the site."
+ },
+ {
+ "name": "AgentVersion",
+ "type": "string",
+ "description": "The version of the agent."
+ },
+ {
+ "name": "FileContentHash",
+ "type": "string",
+ "description": "The hash of the file content."
+ },
+ {
+ "name": "WhiteningOptions",
+ "type": "string",
+ "description": "Details of the whitening options."
+ },
+ {
+ "name": "Username",
+ "type": "string",
+ "description": "The username associated with the event."
+ },
+ {
+ "name": "FileSha256",
+ "type": "string",
+ "description": "The SHA-256 hash of the file."
+ },
+ {
+ "name": "AgentIsDecommissioned",
+ "type": "boolean",
+ "description": "Indicates whether the agent is decommissioned."
+ },
+ {
+ "name": "CollectionId",
+ "type": "string",
+ "description": "The unique identifier for the collection."
+ },
+ {
+ "name": "SiteName",
+ "type": "string",
+ "description": "The name of the site."
+ },
+ {
+ "name": "AccountId",
+ "type": "string",
+ "description": "The unique identifier for the account."
+ },
+ {
+ "name": "ThreatInfo",
+ "type": "dynamic",
+ "description": "The information about the threat."
+ },
+ {
+ "name": "AgentDetectionInfo",
+ "type": "dynamic",
+ "description": "The information of the agent in detection."
+ },
+ {
+ "name": "AgentRealtimeInfo",
+ "type": "dynamic",
+ "description": "The information of the agent in realtime."
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "SentinelOneActivities_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "schema": {
+ "name": "SentinelOneActivities_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "AgentUpdatedVersion",
+ "type": "string",
+ "description": "The version of the agent that was updated."
+ },
+ {
+ "name": "UserId",
+ "type": "string",
+ "description": "The unique identifier for the user."
+ },
+ {
+ "name": "ThreatId",
+ "type": "string",
+ "description": "The unique identifier for the threat."
+ },
+ {
+ "name": "PrimaryDescription",
+ "type": "string",
+ "description": "The primary description of the event."
+ },
+ {
+ "name": "SecondaryDescription",
+ "type": "string",
+ "description": "The secondary description of the event."
+ },
+ {
+ "name": "Id",
+ "type": "string",
+ "description": "The unique identifier for the record."
+ },
+ {
+ "name": "GroupId",
+ "type": "string",
+ "description": "The unique identifier for the group."
+ },
+ {
+ "name": "CreatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the record was created."
+ },
+ {
+ "name": "AccountName",
+ "type": "string",
+ "description": "The name of the account associated with the event."
+ },
+ {
+ "name": "Data",
+ "type": "string",
+ "description": "Activity metadata."
+ },
+ {
+ "name": "AgentId",
+ "type": "string",
+ "description": "The unique identifier for the agent."
+ },
+ {
+ "name": "Hash",
+ "type": "string",
+ "description": "The hash associated with the event."
+ },
+ {
+ "name": "UpdatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the record was last updated."
+ },
+ {
+ "name": "Description",
+ "type": "string",
+ "description": "The description of the event."
+ },
+ {
+ "name": "ActivityUuid",
+ "type": "string",
+ "description": "The UUID of the activity associated with the event."
+ },
+ {
+ "name": "SiteId",
+ "type": "string",
+ "description": "The unique identifier for the site."
+ },
+ {
+ "name": "ActivityType",
+ "type": "real",
+ "description": "The type of activity represented by an integer."
+ },
+ {
+ "name": "SiteName",
+ "type": "string",
+ "description": "The name of the site associated with the event."
+ },
+ {
+ "name": "AccountId",
+ "type": "string",
+ "description": "The unique identifier for the account."
+ },
+ {
+ "name": "OsFamily",
+ "type": "string",
+ "description": "The operating system family, such as macOS."
+ },
+ {
+ "name": "GroupName",
+ "type": "string",
+ "description": "The name of the group associated with the event."
+ },
+ {
+ "name": "Comments",
+ "type": "string",
+ "description": "Any comments associated with the event."
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "SentinelOneAgents_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "schema": {
+ "name": "SentinelOneAgents_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "Uuid",
+ "type": "string",
+ "description": "The unique identifier for the object."
+ },
+ {
+ "name": "MitigationMode",
+ "type": "string",
+ "description": "The mitigation mode applied."
+ },
+ {
+ "name": "NetworkStatus",
+ "type": "string",
+ "description": "The network status of the object."
+ },
+ {
+ "name": "InstallerType",
+ "type": "string",
+ "description": "The type of installer used."
+ },
+ {
+ "name": "MitigationModeSuspicious",
+ "type": "string",
+ "description": "The suspicious mitigation mode applied."
+ },
+ {
+ "name": "IsPendingUninstall",
+ "type": "boolean",
+ "description": "Indicates whether the object is pending uninstallation."
+ },
+ {
+ "name": "InRemoteShellSession",
+ "type": "boolean",
+ "description": "Indicates whether the object is in a remote shell session."
+ },
+ {
+ "name": "LastLoggedInUserName",
+ "type": "string",
+ "description": "The username of the last logged-in user."
+ },
+ {
+ "name": "OsRevision",
+ "type": "string",
+ "description": "The OS revision."
+ },
+ {
+ "name": "OsArch",
+ "type": "string",
+ "description": "The OS architecture."
+ },
+ {
+ "name": "Id",
+ "type": "string",
+ "description": "The unique identifier for the object."
+ },
+ {
+ "name": "ComputerName",
+ "type": "string",
+ "description": "The name of the computer."
+ },
+ {
+ "name": "TotalMemory",
+ "type": "real",
+ "description": "The total memory available in MB."
+ },
+ {
+ "name": "CreatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the object was created."
+ },
+ {
+ "name": "GroupId",
+ "type": "string",
+ "description": "The unique identifier for the group."
+ },
+ {
+ "name": "LastActiveDate",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the object was last active."
+ },
+ {
+ "name": "FullDiskScanLastUpdatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the full disk scan was last updated."
+ },
+ {
+ "name": "AllowRemoteShell",
+ "type": "boolean",
+ "description": "Indicates whether remote shell is allowed."
+ },
+ {
+ "name": "RangerVersion",
+ "type": "string",
+ "description": "The version of the ranger."
+ },
+ {
+ "name": "AccountName",
+ "type": "string",
+ "description": "The account name."
+ },
+ {
+ "name": "ScanStatus",
+ "type": "string",
+ "description": "The scan status of the object."
+ },
+ {
+ "name": "Domain",
+ "type": "string",
+ "description": "The domain of the object."
+ },
+ {
+ "name": "MissingPermissions",
+ "type": "string",
+ "description": "Details of the missing permissions."
+ },
+ {
+ "name": "IsActive",
+ "type": "boolean",
+ "description": "Indicates whether the object is active."
+ },
+ {
+ "name": "GroupIp",
+ "type": "string",
+ "description": "The IP address of the group."
+ },
+ {
+ "name": "ThreatRebootRequired",
+ "type": "boolean",
+ "description": "Indicates whether a reboot is required due to a threat."
+ },
+ {
+ "name": "GroupUpdatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the group was last updated."
+ },
+ {
+ "name": "ExternalId",
+ "type": "string",
+ "description": "The external identifier associated with the object."
+ },
+ {
+ "name": "MachineType",
+ "type": "string",
+ "description": "The type of machine."
+ },
+ {
+ "name": "RegisteredAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the object was registered."
+ },
+ {
+ "name": "AppsVulnerabilityStatus",
+ "type": "string",
+ "description": "The vulnerability status of the applications."
+ },
+ {
+ "name": "CoreCount",
+ "type": "real",
+ "description": "The number of CPU cores."
+ },
+ {
+ "name": "Locations",
+ "type": "string",
+ "description": "The locations associated with the object."
+ },
+ {
+ "name": "ScanFinishedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the scan was finished."
+ },
+ {
+ "name": "UpdatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the object was last updated."
+ },
+ {
+ "name": "ExternalIp",
+ "type": "string",
+ "description": "The external IP address of the object."
+ },
+ {
+ "name": "LocationType",
+ "type": "string",
+ "description": "The type of location."
+ },
+ {
+ "name": "PolicyUpdatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the policy was last updated."
+ },
+ {
+ "name": "IsDecommissioned",
+ "type": "boolean",
+ "description": "Indicates whether the object is decommissioned."
+ },
+ {
+ "name": "CpuId",
+ "type": "string",
+ "description": "The identifier of the CPU."
+ },
+ {
+ "name": "NetworkInterfaces",
+ "type": "string",
+ "description": "Details of the network interfaces."
+ },
+ {
+ "name": "IsUninstalled",
+ "type": "boolean",
+ "description": "Indicates whether the object is uninstalled."
+ },
+ {
+ "name": "ActiveDirectory",
+ "type": "string",
+ "description": "Details about the active directory."
+ },
+ {
+ "name": "ScanStartedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the scan was started."
+ },
+ {
+ "name": "RangerStatus",
+ "type": "string",
+ "description": "The status of the ranger."
+ },
+ {
+ "name": "SiteId",
+ "type": "string",
+ "description": "The unique identifier for the site."
+ },
+ {
+ "name": "AgentVersion",
+ "type": "string",
+ "description": "The version of the agent."
+ },
+ {
+ "name": "OsUsername",
+ "type": "string",
+ "description": "The username associated with the operating system."
+ },
+ {
+ "name": "EncryptedApplications",
+ "type": "boolean",
+ "description": "Indicates whether the applications are encrypted."
+ },
+ {
+ "name": "LastIpToMgmt",
+ "type": "string",
+ "description": "The last IP address used for management."
+ },
+ {
+ "name": "CpuCount",
+ "type": "real",
+ "description": "The number of CPUs."
+ },
+ {
+ "name": "ScanAbortedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the scan was aborted."
+ },
+ {
+ "name": "SiteName",
+ "type": "string",
+ "description": "The name of the site."
+ },
+ {
+ "name": "ActiveThreats",
+ "type": "real",
+ "description": "The number of active threats."
+ },
+ {
+ "name": "Infected",
+ "type": "boolean",
+ "description": "Indicates whether the object is infected."
+ },
+ {
+ "name": "ConsoleMigrationStatus",
+ "type": "string",
+ "description": "The status of the console migration."
+ },
+ {
+ "name": "OsType",
+ "type": "string",
+ "description": "The type of operating system."
+ },
+ {
+ "name": "AccountId",
+ "type": "string",
+ "description": "The unique identifier for the account."
+ },
+ {
+ "name": "GroupName",
+ "type": "string",
+ "description": "The name of the group."
+ },
+ {
+ "name": "OsName",
+ "type": "string",
+ "description": "The name of the operating system."
+ },
+ {
+ "name": "IsUpToDate",
+ "type": "boolean",
+ "description": "Indicates whether the object is up to date."
+ },
+ {
+ "name": "LicenseKey",
+ "type": "string",
+ "description": "The license key associated with the object."
+ },
+ {
+ "name": "UserActionsNeeded",
+ "type": "string",
+ "description": "Details of the user actions needed."
+ },
+ {
+ "name": "ModelName",
+ "type": "string",
+ "description": "The model name of the object."
+ },
+ {
+ "name": "OsStartTime",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the operating system started."
+ },
+ {
+ "name": "NetworkQuarantineEnabled",
+ "type": "boolean",
+ "description": "Is Network Quarantine Enabled on the device."
+ },
+ {
+ "name": "OperationalStateExpiration",
+ "type": "string",
+ "description": "Agent operational state."
+ },
+ {
+ "name": "RemoteProfilingState",
+ "type": "string",
+ "description": "Agent remote profiling state."
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "SentinelOneAlerts_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "schema": {
+ "name": "SentinelOneAlerts_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "SourceProcessInfo",
+ "type": "string",
+ "description": "Information about the source process."
+ },
+ {
+ "name": "AlertInfo",
+ "type": "string",
+ "description": "Details about the alert."
+ },
+ {
+ "name": "AgentDetectionInfo",
+ "type": "string",
+ "description": "Detection information related to the agent."
+ },
+ {
+ "name": "RuleInfo",
+ "type": "string",
+ "description": "Information regarding the applied rule."
+ },
+ {
+ "name": "ContainerInfo",
+ "type": "string",
+ "description": "Information about the container."
+ },
+ {
+ "name": "SourceParentProcessInfo",
+ "type": "string",
+ "description": "Information about the parent process of the source."
+ },
+ {
+ "name": "TargetProcessInfo",
+ "type": "string",
+ "description": "Details regarding the target process."
+ },
+ {
+ "name": "KubernetesInfo",
+ "type": "string",
+ "description": "Kubernetes-related information."
+ } + ] + } + } + }, + { + "name": "SentinelOneGroups_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "SentinelOneGroups_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "Creator", + "type": "string", + "description": "The name of the creator." + }, + { + "name": "RegistrationToken", + "type": "string", + "description": "The token used for registration." + }, + { + "name": "IsDefault", + "type": "string", + "description": "Indicates whether this is the default setting." + }, + { + "name": "UpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the object was last updated." + }, + { + "name": "TotalAgents", + "type": "string", + "description": "The total number of agents." + }, + { + "name": "Inherits", + "type": "string", + "description": "Indicates whether the object inherits properties." + }, + { + "name": "Name", + "type": "string", + "description": "The name of the object." + }, + { + "name": "Rank", + "type": "real", + "description": "The rank of the object." + }, + { + "name": "FilterName", + "type": "string", + "description": "The name of the filter applied." + }, + { + "name": "GroupType", + "type": "string", + "description": "The type of the object." + }, + { + "name": "Id", + "type": "string", + "description": "The unique identifier for the object." + }, + { + "name": "CreatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the object was created." + }, + { + "name": "CreatorId", + "type": "string", + "description": "The unique identifier of the creator." + }, + { + "name": "SiteId", + "type": "string", + "description": "The unique identifier of the site." 
+ }, + { + "name": "FilterId", + "type": "string", + "description": "The unique identifier of the filter." + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "SentinelOne", + "title": "SentinelOne", + "publisher": "Microsoft", + "descriptionMarkdown": "The [SentinelOne](https://usea1-nessat.sentinelone.net/api-doc/overview) data connector allows ingesting logs from the SentinelOne API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform. 
It uses the SentinelOne API to fetch logs and it supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance.", + "graphQueries": [ + { + "metricName": "Total activities logs received", + "legend": "SentinelOne Activities Logs", + "baseQuery": "SentinelOneActivities_CL" + }, + { + "metricName": "Total agents logs received", + "legend": "SentinelOne Agents Logs", + "baseQuery": "SentinelOneAgents_CL" + }, + { + "metricName": "Total groups logs received", + "legend": "SentinelOne Groups Logs", + "baseQuery": "SentinelOneGroups_CL" + }, + { + "metricName": "Total threats logs received", + "legend": "SentinelOne Threats Logs", + "baseQuery": "SentinelOneThreats_CL" + }, { - "metricName": "Total data received", - "legend": "SentinelOne_CL", - "baseQuery": "SentinelOne_CL" + "metricName": "Total alerts logs received", + "legend": "SentinelOne Alerts Logs", + "baseQuery": "SentinelOneAlerts_CL" } ], - "dataTypes": [ + "sampleQueries": [ + { + "description": "Get Sample of SentinelOne activities logs", + "query": "SentinelOneActivities_CL| take 10" + }, + { + "description": "Get Sample of SentinelOne groups logs", + "query": "SentinelOneGroups_CL| take 10" + }, + { + "description": "Get Sample of SentinelOne threats logs", + "query": "SentinelOneThreats_CL| take 10" + }, + { + "description": "Get Sample of SentinelOne agents logs", + "query": "SentinelOneAgents_CL| take 10" + }, { - "name": "SentinelOne_CL", - "lastDataReceivedQuery": "SentinelOne_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "description": "Get Sample of SentinelOne alerts logs", + "query": "SentinelOneAlerts_CL| take 10" } ], - "connectivityCriterias": [ + "dataTypes": [ + { + "name": "SentinelOneActivities_CL", + "lastDataReceivedQuery": "SentinelOneActivities_CL\n | where 
TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "SentinelOneAgents_CL", + "lastDataReceivedQuery": "SentinelOneAgents_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "SentinelOneGroups_CL", + "lastDataReceivedQuery": "SentinelOneGroups_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, { - "type": "IsConnectedQuery", - "value": [ - "SentinelOne_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] + "name": "SentinelOneThreats_CL", + "lastDataReceivedQuery": "SentinelOneThreats_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "SentinelOneAlerts_CL", + "lastDataReceivedQuery": "SentinelOneAlerts_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], - "sampleQueries": [ + "connectivityCriteria": [ { - "description": "SentinelOne Events - All Activities.", - "query": "SentinelOne\n | sort by TimeGenerated desc" + "type": "HasDataConnectors", + "value": null } ], "availability": { 
@@ -462,96 +2113,551 @@
 "isPreview": false
 },
 "permissions": {
+ "tenant": null,
+ "licenses": null,
 "resourceProvider": [
 {
 "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions on the workspace are required.",
+ "permissionsDisplayText": "Read and Write permissions are required.",
 "providerDisplayName": "Workspace",
 "scope": "Workspace",
 "requiredPermissions": {
- "write": true,
 "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
+ "write": true,
+ "delete": true,
+ "action": false
 }
 }
- ],
- "customs": [
- {
- "name": "Microsoft.Web/sites permissions",
- "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
- },
- {
- "name": "REST API Credentials/permissions",
- "description": "**SentinelOneAPIToken** is required. See the documentation to learn more about API on the `https://.sentinelone.net/api-doc/overview`."
- }
 ]
 },
 "instructionSteps": [
 {
- "description": ">**NOTE:** This connector uses Azure Functions to connect to the SentinelOne API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
- },
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### Configuration steps for the SentinelOne API \n Follow the instructions to obtain the credentials. 
You can also follow the [guide](https://usea1-nessat.sentinelone.net/docs/en/how-to-automate-api-token-generation.html#how-to-automate-api-token-generation) to generate API key." + } + }, + { + "type": "Markdown", + "parameters": { + "content": "#### 1. Retrieve SentinelOne Management URL\n 1.1. Log in to the SentinelOne [**Management Console**] with Admin user credentials\n 1.2. In the [**Management Console**] copy the URL link above without the URL path." + } + }, + { + "type": "Markdown", + "parameters": { + "content": "#### 2. Retrieve API Token\n 2.1. Log in to the SentinelOne [**Management Console**] with Admin user credentials\n 2.2. In the [**Management Console**], click [**Settings**]\n 2.3. In [**Settings**] view click on [**USERS**].\n 2.4. In the [**USERS**] Page click on [**Service Users**] -> [**Actions**] -> [**Create new service user**].\n 2.5. Choose [**Expiration date**] and [**scope**] (by site) and click on [**Create User**].\n 2.6. Once the [**Service User**] is created copy the [**API Token**] from page and press [**Save**]" + } + }, + { + "parameters": { + "label": "SentinelOne Management URL", + "placeholder": "https://example.sentinelone.net/", + "type": "text", + "name": "managementUrl" + }, + "type": "Textbox" + }, + { + "parameters": { + "label": "API Token", + "placeholder": "API Token", + "type": "password", + "name": "apitoken" + }, + "type": "Textbox" + }, + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ], + "innerSteps": null + } + ], + "isConnectivityCriteriasMatchSome": false + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
+ "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "displayName": "SentinelOne", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": { + "connectorDefinitionName": { + "defaultValue": "SentinelOne", + "type": "string", + "minLength": 1 }, - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SentinelOne and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Parsers/SentinelOne.txt). The function usually takes 10-15 minutes to activate after solution installation/update." 
+ "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" }, + "managementUrl": { + "defaultValue": "managementUrl", + "type": "string", + "minLength": 1 + }, + "apitoken": { + "defaultValue": "apitoken", + "type": "string", + "minLength": 1 + } + }, + "variables": { + "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]" + }, + "resources": [ { - "description": "**STEP 1 - Configuration steps for the SentinelOne API**\n\n Follow the instructions to obtain the credentials.\n\n1. Log in to the SentinelOne Management Console with Admin user credentials.\n2. In the Management Console, click **Settings**.\n3. In the **SETTINGS** view, click **USERS**\n4. Click **New User**.\n5. Enter the information for the new console user.\n5. In Role, select **Admin**.\n6. Click **SAVE**\n7. Save credentials of the new user for using in the data connector." 
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } }, { - "description": "**NOTE :-** Admin access can be delegated using custom roles. Please review SentinelOne [documentation](https://www.sentinelone.com/blog/feature-spotlight-fully-custom-role-based-access-control/) to learn more about custom RBAC." 
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'SentinelOnePoller_activities_created_events')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneActivities_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'activities')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "createdAt__gt": "{_QueryWindowStartTime}", + "createdAt__lt": "{_QueryWindowEndTime}" + }, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "paging": { + "pagingType": "NextPageToken", + "PageSize": "1000", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + "NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": [ + "$.data" + ] + } + } }, { - "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the SentinelOne data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'SentinelOnePoller_agents_created_events')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneAgents_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'agents')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "createdAt__gt": "{_QueryWindowStartTime}", + "createdAt__lt": "{_QueryWindowEndTime}" }, - "type": "CopyableLabel" + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary Key" + "paging": { + "pagingType": "NextPageToken", + "PageSize": "1000", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + "NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": [ + "$.data" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'SentinelOnePoller_agents_updated_events')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": 
"SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneAgents_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'agents')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "updatedAt__gt": "{_QueryWindowStartTime}", + "updatedAt__lt": "{_QueryWindowEndTime}" }, - "type": "CopyableLabel" + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "paging": { + "pagingType": "NextPageToken", + "PageSize": "200", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + "NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": [ + "$.data" + ] } - ] + } }, { - "description": "Use this method for automated deployment of the SentinelOne Audit data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SentinelOneAPI-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-SentinelOneAPI-azuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **SentinelOneAPIToken**, **SentinelOneUrl** `(https://.sentinelone.net)` and deploy. \n4. 
Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", - "title": "Option 1 - Azure Resource Manager (ARM) Template" + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'SentinelOnePoller_alerts_created_events')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneAlerts_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'cloud-detection/alerts')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "createdAt__gt": "{_QueryWindowStartTime}", + "createdAt__lt": "{_QueryWindowEndTime}" + }, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "paging": { + "pagingType": "NextPageToken", + "PageSize": "1000", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + "NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": [ + "$.data" + ] + } + } }, { - "description": "Use the following step-by-step instructions to deploy the SentinelOne Reports data connector manually with Azure Functions (Deployment via Visual Studio Code).", - "title": "Option 2 - Manual Deployment of Azure Functions" + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'SentinelOnePoller_groups_updated_events')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneGroups_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'groups')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "updatedAt__gt": "{_QueryWindowStartTime}", + "updatedAt__lt": "{_QueryWindowEndTime}" + }, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "paging": { + "pagingType": "NextPageToken", + "PageSize": "200", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + "NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": [ + "$.data" + ] + } + } }, { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SentinelOneAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. 
Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. SOneXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." 
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'SentinelOnePoller_threats_created_events')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneThreats_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'threats')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "createdAt__gt": "{_QueryWindowStartTime}", + "createdAt__lt": "{_QueryWindowEndTime}" + }, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "paging": { + "pagingType": "NextPageToken", + "PageSize": "1000", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + "NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": [ + "$.data" + ] + } + } }, { - "description": "**2. Configure the Function App**\n\n 1. In the Function App, select the Function App Name and select **Configuration**.\n\n 2. In the **Application settings** tab, select ** New application setting**.\n\n 3. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\t SentinelOneAPIToken\n\t\t SentinelOneUrl\n\t\t WorkspaceID\n\t\t WorkspaceKey\n\t\t logAnalyticsUri (optional)\n\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n\n 4. Once all application settings have been entered, click **Save**." + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'SentinelOnePoller_threats_updated_events')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneThreats_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'threats')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "updatedAt__gt": "{_QueryWindowStartTime}", + "updatedAt__lt": "{_QueryWindowEndTime}" + }, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "paging": { + "pagingType": "NextPageToken", + "PageSize": "200", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + 
"NextPageParaName": "cursor"
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.data"
+ ]
+ }
+ }
 }
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
- }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
 }
 },
 {
@@ -563,7 +2669,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SentinelOne Workbook with template version 3.0.2",
+ "description": "SentinelOne Workbook with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -651,7 +2757,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SentinelOne Data Parser with template version 3.0.2",
+ "description": "SentinelOne Data Parser with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
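Review bot: The `apitoken` parameter of the ResourcesDataConnector mainTemplate is declared as an ordinary string — `"apitoken": { "defaultValue": "apitoken", "type": "string", "minLength": 1 }` — so the SentinelOne API token a user enters is retained and displayed as a plain deployment input rather than redacted; it should be `"apitoken": { "type": "securestring", "minLength": 1 }` with the literal placeholder default removed, since every `RestApiPoller` reads it through `[[parameters('apitoken')]` and nothing else in the template guards it. The Textbox placeholder `https://example.sentinelone.net/` carries a trailing slash while each `apiEndpoint` is `concat(parameters('managementUrl'), '/web/api/', …)`, so a URL copied in that form yields a `//web/api/v2.1/...` path; dropping the slash from the placeholder and from the step 1.2 wording, or trimming it in the expression, would make the two agree. For agents and threats there are two pollers writing the same stream, one filtered on `createdAt__gt`/`createdAt__lt` and one on `updatedAt__gt`/`updatedAt__lt`, so a record created and then updated inside the same 5-minute window is presumably ingested twice — worth confirming, and documenting the dedup expectation on the table if it is intended. `PageSize` also differs between the pairs (`"1000"` for the created pollers, `"200"` for the updated ones) with nothing explaining why. The enclosing `connectorUiConfig` object and its parent resource begin before this hunk.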
@@ -668,7 +2774,7 @@ "displayName": "Parser for SentinelOne", "category": "Microsoft Sentinel Parser", "functionAlias": "SentinelOne", - "query": "let SentinelOne_view = view () { \n SentinelOne_CL\n | extend \n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n AccountId=column_ifexists('accountId_s', ''),\n AccountName=column_ifexists('accountName_s', ''),\n ActivityType=column_ifexists('activityType_d', ''),\n EventCreationTime=column_ifexists('createdAt_t', ''),\n DataAccountName=column_ifexists('data_accountName_s', ''),\n DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),\n DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),\n DataScopeName=column_ifexists('data_scopeName_s', ''),\n DataSiteId=column_ifexists('data_siteId_d', ''),\n DataSiteName=column_ifexists('data_siteName_s', ''),\n SrcUserName=column_ifexists('data_username_s', ''),\n EventId=column_ifexists('id_s', ''),\n EventOriginalMessage=column_ifexists('primaryDescription_s', ''),\n SiteId=column_ifexists('siteId_s', ''),\n SiteName=column_ifexists('siteName_s', ''),\n UpdatedAt=column_ifexists('updatedAt_t', ''),\n UserIdentity=column_ifexists('userId_s', ''),\n EventType=column_ifexists('event_name_s', ''),\n DataByUser=column_ifexists('data_byUser_s', ''),\n DataRole=column_ifexists('data_role_s', ''),\n DataUserScope=column_ifexists('data_userScope_s', ''),\n EventTypeDetailed=column_ifexists('description_s', ''),\n DataSource=column_ifexists('data_source_s', ''),\n DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),\n DataExpiryTime=column_ifexists('data_expiryTime_d', ''),\n DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),\n DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),\n DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),\n DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),\n DataRuleId=column_ifexists('data_ruleId_d', ''),\n 
DataRuleName=column_ifexists('data_ruleName_s', ''),\n DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),\n DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),\n DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),\n DataScopeId=column_ifexists('data_scopeId_d', ''),\n DataStatus=column_ifexists('data_status_s', ''),\n DataSystemUser=column_ifexists('data_systemUser_d', ''),\n DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),\n DataUserId=column_ifexists('data_userId_d', ''),\n DataUserName=column_ifexists('data_userName_s', ''),\n EventSubStatus=column_ifexists('secondaryDescription_s', ''),\n AgentId=column_ifexists('agentId_s', ''),\n DataComputerName=column_ifexists('data_computerName_s', ''),\n DataExternalIp=column_ifexists('data_externalIp_s', ''),\n DataGroupName=column_ifexists('data_groupName_s', ''),\n DataSystem=column_ifexists('data_system_b', ''),\n DataUuid=column_ifexists('data_uuid_g', ''),\n GroupId=column_ifexists('groupId_s', ''),\n GroupName=column_ifexists('groupName_s', ''),\n DataGroup=column_ifexists('data_group_s', ''),\n DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),\n DataCreatedAt=column_ifexists('data_createdAt_t', ''),\n DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),\n DataFilePath=column_ifexists('data_filePath_s', ''),\n DataFilename=column_ifexists('data_filename_s', ''),\n DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),\n Comments=column_ifexists('comments_s', ''),\n DataNewValue=column_ifexists('data_newValue_s', ''),\n DataPolicyId=column_ifexists('data_policy_id_s', ''),\n DataPolicyName=column_ifexists('data_policyName_s', ''),\n DataNewValueb=column_ifexists('data_newValue_b', ''),\n DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),\n DataRoleName=column_ifexists('data_roleName_s', ''),\n DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),\n 
ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),\n ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),\n ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),\n ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),\n ActiveThreats=column_ifexists('activeThreats_d', ''),\n AgentVersion=column_ifexists('agentVersion_s', ''),\n AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),\n AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),\n ComputerName=column_ifexists('computerName_s', ''),\n ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),\n CoreCount=column_ifexists('coreCount_d', ''),\n CpuCount=column_ifexists('cpuCount_d', ''),\n CpuId=column_ifexists('cpuId_s', ''),\n SrcDvcDomain=column_ifexists('domain_s', ''),\n EncryptedApplications=column_ifexists('encryptedApplications_b', ''),\n ExternalId=column_ifexists('externalId_s', ''),\n ExternalIp=column_ifexists('externalIp_s', ''),\n FirewallEnabled=column_ifexists('firewallEnabled_b', ''),\n GroupIp=column_ifexists('groupIp_s', ''),\n InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),\n Infected=column_ifexists('infected_b', ''),\n InstallerType=column_ifexists('installerType_s', ''),\n IsActive=column_ifexists('isActive_b', ''),\n IsDecommissioned=column_ifexists('isDecommissioned_b', ''),\n IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),\n IsUninstalled=column_ifexists('isUninstalled_b', ''),\n IsUpToDate=column_ifexists('isUpToDate_b', ''),\n LastActiveDate=column_ifexists('lastActiveDate_t', ''),\n LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),\n LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),\n LicenseKey=column_ifexists('licenseKey_s', ''),\n LocationEnabled=column_ifexists('locationEnabled_b', ''),\n 
LocationType=column_ifexists('locationType_s', ''),\n Locations=column_ifexists('locations_s', ''),\n MachineType=column_ifexists('machineType_s', ''),\n MitigationMode=column_ifexists('mitigationMode_s', ''),\n MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),\n SrcDvcModelName=column_ifexists('modelName_s', ''),\n NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),\n NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),\n NetworkStatus=column_ifexists('networkStatus_s', ''),\n OperationalState=column_ifexists('operationalState_s', ''),\n OsArch=column_ifexists('osArch_s', ''),\n SrcDvcOs=column_ifexists('osName_s', ''),\n OsRevision=column_ifexists('osRevision_s', ''),\n OsStartTime=column_ifexists('osStartTime_t', ''),\n OsType=column_ifexists('osType_s', ''),\n RangerStatus=column_ifexists('rangerStatus_s', ''),\n RangerVersion=column_ifexists('rangerVersion_s', ''),\n RegisteredAt=column_ifexists('registeredAt_t', ''),\n RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),\n ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),\n ScanStartedAt=column_ifexists('scanStartedAt_t', ''),\n ScanStatus=column_ifexists('scanStatus_s', ''),\n ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),\n TotalMemory=column_ifexists('totalMemory_d', ''),\n UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),\n Uuid=column_ifexists('uuid_g', ''),\n Creator=column_ifexists('creator_s', ''),\n CreatorId=column_ifexists('creatorId_s', ''),\n Inherits=column_ifexists('inherits_b', ''),\n IsDefault=column_ifexists('isDefault_b', ''),\n Name=column_ifexists('name_s', ''),\n RegistrationToken=column_ifexists('registrationToken_s', ''),\n TotalAgents=column_ifexists('totalAgents_d', ''),\n Type=column_ifexists('type_s', '')\n | project\n TimeGenerated, \n EventVendor,\n EventProduct,\n AccountName,\n ActivityType,\n EventCreationTime,\n DataAccountName,\n DataFullScopeDetails,\n 
DataScopeLevel,\n DataScopeName,\n DataSiteId,\n DataSiteName,\n SrcUserName,\n EventId,\n EventOriginalMessage,\n SiteId,\n SiteName,\n UpdatedAt,\n UserIdentity,\n EventType,\n DataByUser,\n DataRole,\n DataUserScope,\n EventTypeDetailed,\n DataSource,\n DataExpiryDateStr,\n DataExpiryTime,\n DataNetworkquarantine,\n DataRuleCreationTime,\n DataRuleDescription,\n DataRuleExpirationMode,\n DataRuleId,\n DataRuleName,\n DataRuleQueryDetails,\n DataRuleQueryType,\n DataRuleSeverity,\n DataScopeId,\n DataStatus,\n DataSystemUser,\n DataTreatasthreat,\n DataUserId,\n DataUserName,\n EventSubStatus,\n AgentId,\n DataComputerName,\n DataExternalIp,\n DataGroupName,\n DataSystem,\n DataUuid,\n GroupId,\n GroupName,\n DataGroup,\n DataOptionalGroups,\n DataCreatedAt,\n DataDownloadUrl,\n DataFilePath,\n DataFilename,\n DataUploadedFilename,\n Comments,\n DataNewValue,\n DataPolicyId,\n DataPolicyName,\n DataNewValueb,\n DataShouldReboot,\n DataRoleName,\n DataScopeLevelName,\n ActiveDirectoryComputerDistinguishedName,\n ActiveDirectoryComputerMemberOf,\n ActiveDirectoryLastUserDistinguishedName,\n ActiveDirectoryLastUserMemberOf,\n ActiveThreats,\n AgentVersion,\n AllowRemoteShell,\n AppsVulnerabilityStatus,\n ComputerName,\n ConsoleMigrationStatus,\n CoreCount,\n CpuCount,\n CpuId,\n SrcDvcDomain,\n EncryptedApplications,\n ExternalId,\n ExternalIp,\n FirewallEnabled,\n GroupIp,\n InRemoteShellSession,\n Infected,\n InstallerType,\n IsActive,\n IsDecommissioned,\n IsPendingUninstall,\n IsUninstalled,\n IsUpToDate,\n LastActiveDate,\n LastIpToMgmt,\n LastLoggedInUserName,\n LicenseKey,\n LocationEnabled,\n LocationType,\n Locations,\n MachineType,\n MitigationMode,\n MitigationModeSuspicious,\n SrcDvcModelName,\n NetworkInterfaces,\n NetworkQuarantineEnabled,\n NetworkStatus,\n OperationalState,\n OsArch,\n SrcDvcOs,\n OsRevision,\n OsStartTime,\n OsType,\n RangerStatus,\n RangerVersion,\n RegisteredAt,\n RemoteProfilingState,\n ScanFinishedAt,\n ScanStartedAt,\n 
ScanStatus,\n ThreatRebootRequired,\n TotalMemory,\n UserActionsNeeded,\n Uuid,\n Creator,\n CreatorId,\n Inherits,\n IsDefault,\n Name,\n RegistrationToken,\n TotalAgents,\n Type\n};\nSentinelOne_view\n", + "query": "let SentinelOne_view = view () { \nlet SentinelOneV2_Empty = datatable(\n AccountId:string,\n AccountName:string,\n ActivityType:real ,\n EventCreationTime:datetime,\n DataAccountName:string,\n DataFullScopeDetails:string,\n DataScopeLevel:string,\n DataScopeName:string,\n DataSiteId:int,\n SecondaryDescription:string ,\n DataSiteName:string,\n SourceProcessInfo:string,\n SrcUserName:string,\n EventId:string,\n EventOriginalMessage:string,\n SiteId:string,\n SiteName:string,\n UpdatedAt:datetime ,\n UserIdentity:string,\n EventType:string,\n DataByUser:string,\n DataRole:string,\n DataUserScope:string,\n EventTypeDetailed:string,\n DataSource:string,\n DataExpiryDateStr:string,\n DataExpiryTime:int,\n DataNetworkquarantine:bool,\n DataRuleCreationTime:int,\n DataRuleDescription:string,\n DataRuleExpirationMode:string,\n DataRuleId:int,\n DataRuleName:string,\n DataRuleQueryDetails:string,\n DataRuleQueryType:string,\n DataRuleSeverity:string,\n DataScopeId:int,\n DataStatus:string,\n DataSystemUser:int,\n DataTreatasthreat:string,\n DataUserId:int,\n RuleInfo:string,\n DataUserName:string,\n EventSubStatus:string,\n AgentId:string,\n DataComputerName:string,\n DataExternalIp:string,\n DataGroupName:string,\n DataSystem:bool,\n DataUuid:string,\n GroupId:string,\n GroupName:string,\n DataGroup:string,\n UserId:string ,\n DataOptionalGroups:string,\n DataCreatedAt:string,\n DataDownloadUrl:string,\n DataFilePath:string,\n DataFilename:string,\n DataUploadedFilename:string,\n Comments:string,\n DataNewValue:string,\n DataPolicyId:string,\n DataPolicyName:string,\n DataNewValueb:string,\n DataShouldReboot:bool,\n DataRoleName:string,\n DataScopeLevelName:string,\n ActiveDirectoryComputerDistinguishedName:string,\n ActiveDirectoryComputerMemberOf:string,\n 
ActiveDirectoryLastUserDistinguishedName:string,\n ActiveDirectoryLastUserMemberOf:string,\n ActiveThreats:int,\n AgentVersion:string,\n AllowRemoteShell:bool,\n AppsVulnerabilityStatus:string,\n ComputerName:string,\n ConsoleMigrationStatus:string,\n CoreCount:int,\n CpuCount:int,\n CpuId:string,\n SrcDvcDomain:string,\n EncryptedApplications:bool,\n ExternalId:string,\n ExternalIp:string,\n FirewallEnabled:bool,\n GroupIp:string,\n InRemoteShellSession:bool,\n Infected:bool,\n InstallerType:string,\n IsActive:bool,\n IsDecommissioned:bool,\n IsPendingUninstall:bool,\n IsUninstalled:bool,\n IsUpToDate:bool,\n LastActiveDate:string,\n TargetProcessInfo:string ,\n LastIpToMgmt:string,\n LastLoggedInUserName:string,\n LicenseKey:string,\n LocationEnabled:bool,\n LocationType:string,\n Locations:string,\n MachineType:string,\n MitigationMode:string,\n MitigationModeSuspicious:string,\n SrcDvcModelName:string,\n NetworkInterfaces:string,\n NetworkQuarantineEnabled:bool,\n NetworkStatus:string,\n OperationalState:string,\n OsArch:string,\n SrcDvcOs:string,\n OsRevision:string,\n OsStartTime:datetime ,\n OsType:string,\n RangerStatus:string,\n RangerVersion:string,\n RegisteredAt:string,\n RemoteProfilingState:string,\n ScanFinishedAt:string,\n ScanStartedAt:string,\n ScanStatus:string,\n ThreatRebootRequired:bool,\n TotalMemory:int,\n SourceParentProcessInfo:string ,\n UserActionsNeeded:string,\n Uuid:string,\n Creator:string,\n ContainerInfo:string,\n CreatorId:string,\n Inherits:string ,\n IsDefault:string ,\n Name:string,\n RegistrationToken:string,\n AlertInfo:string,\n PrimaryDescription:string ,\n TotalAgents:real ,\n CreatedAt:datetime ,\n Id:string,\n Type:string\n )[]; \n let SentinelOneV1_Empty = datatable (\n accountId_s:string,\n accountName_s:string,\n activityType_d:real,\n createdAt_t:datetime ,\n data_accountName_s:string,\n data_fullScopeDetails_s:string,\n data_scopeLevel_s:string,\n data_scopeName_s:string,\n data_siteId_d:int,\n 
data_siteName_s:string,\n data_username_s:string,\n id_s:string,\n primaryDescription_s:string,\n siteId_s:string,\n siteName_s:string,\n updatedAt_t:datetime ,\n userId_s:string,\n event_name_s:string,\n data_byUser_s:string,\n data_role_s:string,\n data_userScope_s:string,\n description_s:string,\n data_source_s:string,\n data_expiryDateStr_s:string,\n data_expiryTime_d:int,\n data_networkquarantine_b:bool,\n data_ruleCreationTime_d:int,\n data_ruleDescription_s:string,\n data_ruleExpirationMode_s:string,\n data_ruleId_d:int,\n data_ruleName_s:string,\n data_ruleQueryDetails_s:string,\n data_ruleQueryType_s:string,\n data_ruleSeverity_s:string,\n data_scopeId_d:int,\n data_status_s:string,\n data_systemUser_d:int,\n data_treatasthreat_s:string,\n data_userId_d:int,\n data_userName_s:string,\n secondaryDescription_s:string,\n agentId_s:string,\n data_computerName_s:string,\n data_externalIp_s:string,\n data_groupName_s:string,\n data_system_b:bool,\n data_uuid_g:string,\n groupId_s:string,\n groupName_s:string,\n data_group_s:string,\n data_optionalGroups_s:string,\n data_createdAt_t:string,\n data_downloadUrl_s:string,\n data_filePath_s:string,\n data_filename_s:string,\n data_uploadedFilename_s:string,\n comments_s:string,\n data_newValue_s:string,\n data_policy_id_s:string,\n data_policyName_s:string,\n data_newValue_b:bool,\n data_shouldReboot_b:bool,\n data_roleName_s:string,\n data_scopeLevelName_s:string,\n activeDirectory_computerDistinguishedName_s:string,\n activeDirectory_computerMemberOf_s:string,\n activeDirectory_lastUserDistinguishedName_s:string,\n activeDirectory_lastUserMemberOf_s:string,\n activeThreats_d:real,\n agentVersion_s:string,\n allowRemoteShell_b:bool,\n appsVulnerabilityStatus_s:string,\n computerName_s:string,\n consoleMigrationStatus_s:string,\n coreCount_d:real,\n cpuCount_d:real ,\n cpuId_s:string,\n domain_s:string,\n encryptedApplications_b:bool,\n externalId_s:string,\n externalIp_s:string,\n firewallEnabled_b:bool,\n 
groupIp_s:string,\n inRemoteShellSession_b:bool,\n infected_b:bool,\n installerType_s:string,\n isActive_b:bool,\n isDecommissioned_b:bool,\n isPendingUninstall_b:bool,\n isUninstalled_b:bool,\n isUpToDate_b:bool,\n lastActiveDate_t:string,\n lastIpToMgmt_s:string,\n lastLoggedInUserName_s:string,\n licenseKey_s:string,\n locationEnabled_b:bool,\n locationType_s:string,\n locations_s:string,\n machineType_s:string,\n mitigationMode_s:string,\n mitigationModeSuspicious_s:string,\n modelName_s:string,\n networkInterfaces_s:string,\n networkQuarantineEnabled_b:bool,\n networkStatus_s:string,\n operationalState_s:string,\n osArch_s:string,\n osName_s:string,\n osRevision_s:string,\n osStartTime_t:datetime ,\n osType_s:string,\n rangerStatus_s:string,\n rangerVersion_s:string,\n registeredAt_t:string,\n remoteProfilingState_s:string,\n scanFinishedAt_t:string,\n scanStartedAt_t:string,\n scanStatus_s:string,\n threatRebootRequired_b:bool,\n totalMemory_d:real ,\n userActionsNeeded_s:string,\n uuid_g:string,\n creator_s:string,\n creatorId_s:string,\n inherits_b:string ,\n isDefault_b:string ,\n name_s:string,\n registrationToken_s:string,\n totalAgents_d:real ,\n type_s:string\n )[];\n let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty\n | extend \n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n AccountId=column_ifexists('accountId_s', ''),\n AccountName=column_ifexists('accountName_s', ''),\n ActivityType=toreal(column_ifexists('activityType_d', '')),\n EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')),\n DataAccountName=column_ifexists('data_accountName_s', ''),\n DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),\n DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),\n DataScopeName=column_ifexists('data_scopeName_s', ''),\n DataSiteId=column_ifexists('data_siteId_d', ''),\n DataSiteName=column_ifexists('data_siteName_s', ''),\n 
SrcUserName=column_ifexists('data_username_s', ''),\n EventId=column_ifexists('id_s', ''),\n EventOriginalMessage=column_ifexists('primaryDescription_s', ''),\n PrimaryDescription=column_ifexists('primaryDescription_s', ''),\n SiteId=column_ifexists('siteId_s', ''),\n SiteName=column_ifexists('siteName_s', ''),\n UpdatedAt=column_ifexists('updatedAt_t', ''),\n UserIdentity=column_ifexists('userId_s', ''),\n UserId=column_ifexists('userId_s', ''),\n EventType=column_ifexists('event_name_s', ''),\n DataByUser=column_ifexists('data_byUser_s', ''),\n DataRole=column_ifexists('data_role_s', ''),\n DataUserScope=column_ifexists('data_userScope_s', ''),\n EventTypeDetailed=column_ifexists('description_s', ''),\n DataSource=column_ifexists('data_source_s', ''),\n DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),\n DataExpiryTime=column_ifexists('data_expiryTime_d', ''),\n DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),\n DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),\n DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),\n DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),\n DataRuleId=column_ifexists('data_ruleId_d', ''),\n DataRuleName=column_ifexists('data_ruleName_s', ''),\n DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),\n DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),\n DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),\n DataScopeId=column_ifexists('data_scopeId_d', ''),\n Id=column_ifexists('id_s', ''),\n DataStatus=column_ifexists('data_status_s', ''),\n DataSystemUser=column_ifexists('data_systemUser_d', ''),\n DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),\n DataUserId=column_ifexists('data_userId_d', ''),\n DataUserName=column_ifexists('data_userName_s', ''),\n EventSubStatus=column_ifexists('secondaryDescription_s', ''),\n SecondaryDescription=column_ifexists('secondaryDescription_s', ''),\n 
AgentId=column_ifexists('agentId_s', ''),\n DataComputerName=column_ifexists('data_computerName_s', ''),\n DataExternalIp=column_ifexists('data_externalIp_s', ''),\n DataGroupName=column_ifexists('data_groupName_s', ''),\n DataSystem=column_ifexists('data_system_b', ''),\n DataUuid=column_ifexists('data_uuid_g', ''),\n GroupId=column_ifexists('groupId_s', ''),\n GroupName=column_ifexists('groupName_s', ''),\n DataGroup=column_ifexists('data_group_s', ''),\n DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),\n DataCreatedAt=column_ifexists('data_createdAt_t', ''),\n DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),\n DataFilePath=column_ifexists('data_filePath_s', ''),\n DataFilename=column_ifexists('data_filename_s', ''),\n DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),\n Comments=column_ifexists('comments_s', ''),\n DataNewValue=column_ifexists('data_newValue_s', ''),\n DataPolicyId=column_ifexists('data_policy_id_s', ''),\n DataPolicyName=column_ifexists('data_policyName_s', ''),\n DataNewValueb=column_ifexists('data_newValue_b', ''),\n DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),\n DataRoleName=column_ifexists('data_roleName_s', ''),\n DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),\n ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),\n ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),\n ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),\n ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),\n ActiveThreats=column_ifexists('activeThreats_d', ''),\n AgentVersion=column_ifexists('agentVersion_s', ''),\n AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),\n AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),\n ComputerName=column_ifexists('computerName_s', ''),\n 
ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),\n CoreCount=column_ifexists('coreCount_d', ''),\n CpuCount=column_ifexists('cpuCount_d', ''),\n CpuId=column_ifexists('cpuId_s', ''),\n SrcDvcDomain=column_ifexists('domain_s', ''),\n EncryptedApplications=column_ifexists('encryptedApplications_b', ''),\n ExternalId=column_ifexists('externalId_s', ''),\n ExternalIp=column_ifexists('externalIp_s', ''),\n FirewallEnabled=column_ifexists('firewallEnabled_b', ''),\n GroupIp=column_ifexists('groupIp_s', ''),\n InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),\n Infected=column_ifexists('infected_b', ''),\n InstallerType=column_ifexists('installerType_s', ''),\n IsActive=column_ifexists('isActive_b', ''),\n IsDecommissioned=column_ifexists('isDecommissioned_b', ''),\n IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),\n IsUninstalled=column_ifexists('isUninstalled_b', ''),\n IsUpToDate=column_ifexists('isUpToDate_b', ''),\n LastActiveDate=column_ifexists('lastActiveDate_t', ''),\n LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),\n LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),\n LicenseKey=column_ifexists('licenseKey_s', ''),\n LocationEnabled=column_ifexists('locationEnabled_b', ''),\n LocationType=column_ifexists('locationType_s', ''),\n Locations=column_ifexists('locations_s', ''),\n MachineType=column_ifexists('machineType_s', ''),\n MitigationMode=column_ifexists('mitigationMode_s', ''),\n MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),\n SrcDvcModelName=column_ifexists('modelName_s', ''),\n NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),\n NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),\n NetworkStatus=column_ifexists('networkStatus_s', ''),\n OperationalState=column_ifexists('operationalState_s', ''),\n OsArch=column_ifexists('osArch_s', ''),\n SrcDvcOs=column_ifexists('osName_s', ''),\n 
OsRevision=column_ifexists('osRevision_s', ''),\n OsStartTime=column_ifexists('osStartTime_t', ''),\n OsType=column_ifexists('osType_s', ''),\n RangerStatus=column_ifexists('rangerStatus_s', ''),\n RangerVersion=column_ifexists('rangerVersion_s', ''),\n RegisteredAt=column_ifexists('registeredAt_t', ''),\n RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),\n ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),\n ScanStartedAt=column_ifexists('scanStartedAt_t', ''),\n ScanStatus=column_ifexists('scanStatus_s', ''),\n ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),\n TotalMemory=column_ifexists('totalMemory_d', ''),\n UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),\n Uuid=column_ifexists('uuid_g', ''),\n Creator=column_ifexists('creator_s', ''),\n CreatedAt=column_ifexists('createdAt_t',''),\n CreatorId=column_ifexists('creatorId_s', ''),\n Inherits=column_ifexists('inherits_b', ''),\n IsDefault=column_ifexists('isDefault_b', ''),\n Name=column_ifexists('name_s', ''),\n RegistrationToken=column_ifexists('registrationToken_s', ''),\n TotalAgents=column_ifexists('totalAgents_d', ''),\n Type=column_ifexists('type_s', '');\n union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union\n | extend \n ActivityType,\n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n DataAccountName=tostring(parse_json(todynamic(Data)).accountName),\n DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails),\n DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel),\n DataScopeName=tostring(parse_json(todynamic(Data)).scopeName),\n DataSiteId=tostring(parse_json(todynamic(Data)).siteId),\n DataSiteName=tostring(parse_json(todynamic(Data)).siteName),\n SrcUserName=tostring(parse_json(todynamic(Data)).userName),\n EventId=Id,\n SourceParentProcessInfo,\n EventOriginalMessage=PrimaryDescription,\n 
UserIdentity=UserId,\n EventTypeDetailed=Description,\n DataRuleId=tostring(parse_json(todynamic(Data)).ruleId),\n DataRuleName=tostring(parse_json(todynamic(Data)).rulename),\n DataScopeId=tostring(parse_json(todynamic(Data)).scopeId),\n DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser),\n DataUserId=tostring(parse_json(todynamic(Data)).userId),\n DataUserName=tostring(parse_json(todynamic(Data)).userName),\n EventSubStatus=SecondaryDescription,\n DataComputerName=tostring(parse_json(todynamic(Data)).computerName),\n DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp),\n DataGroupName=tostring(parse_json(todynamic(Data)).groupName),\n DataStatus=tostring(parse_json(todynamic(Data)).status),\n DataByUser=tostring(parse_json(todynamic(Data)).byUser),\n DataRole=tostring(parse_json(todynamic(Data)).role),\n DataUserScope=tostring(parse_json(todynamic(Data)).userScope),\n DataSource=tostring(parse_json(todynamic(Data)).source),\n DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr),\n DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime),\n DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine),\n DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime),\n DataUuid=Uuid,\n DataGroup=tostring(parse_json(todynamic(Data)).group),\n DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription),\n EventType=tostring(parse_json(todynamic(AlertInfo)).eventType),\n DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode),\n DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails),\n DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType),\n DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity),\n DataSystem=tostring(parse_json(todynamic(Data)).system),\n DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups),\n DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt),\n 
DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl),\n DataFilePath=tostring(parse_json(todynamic(Data)).filePath),\n DataFilename=tostring(parse_json(todynamic(Data)).filename),\n DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename),\n DataNewValue=tostring(parse_json(todynamic(Data)).newValue),\n DataPolicyId=tostring(parse_json(todynamic(Data)).policyId),\n DataPolicyName=tostring(parse_json(todynamic(Data)).policyName),\n DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot),\n DataRoleName=tostring(parse_json(todynamic(Data)).roleName),\n DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName),\n ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName),\n ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf),\n ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName),\n ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf),\n SrcDvcDomain=Domain,\n AlertInfo,\n FirewallEnabled=column_ifexists('FirewallEnabled',''),\n LocationEnabled=column_ifexists('LocationEnabled',''),\n SrcDvcModelName=ModelName,\n NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''),\n SrcDvcOs=OsName,\n SourceProcessInfo,\n RuleInfo,\n TargetProcessInfo,\n ContainerInfo,\n EventCreationTime=CreatedAt,\n RemoteProfilingState=column_ifexists('RemoteProfilingState','')\n | project\n TimeGenerated, \n EventVendor,\n EventProduct,\n AccountName,\n SourceParentProcessInfo,\n TargetProcessInfo,\n ActivityType,\n EventCreationTime,\n DataAccountName,\n DataFullScopeDetails,\n DataScopeLevel,\n DataScopeName,\n DataSiteId,\n SourceProcessInfo,\n DataSiteName,\n SrcUserName,\n EventId,\n EventOriginalMessage,\n SiteId,\n SiteName,\n UpdatedAt,\n UserIdentity,\n EventType,\n DataByUser,\n DataRole,\n 
DataUserScope,\n EventTypeDetailed,\n DataSource,\n DataExpiryDateStr,\n DataExpiryTime,\n DataNetworkquarantine,\n DataRuleCreationTime,\n DataRuleDescription,\n DataRuleExpirationMode,\n DataRuleId,\n DataRuleName,\n DataRuleQueryDetails,\n DataRuleQueryType,\n DataRuleSeverity,\n DataScopeId,\n DataStatus,\n DataSystemUser,\n DataTreatasthreat,\n DataUserId,\n DataUserName,\n EventSubStatus,\n AgentId,\n DataComputerName,\n DataExternalIp,\n DataGroupName,\n DataSystem,\n DataUuid,\n GroupId,\n GroupName,\n DataGroup,\n DataOptionalGroups,\n DataCreatedAt,\n DataDownloadUrl,\n DataFilePath,\n DataFilename,\n DataUploadedFilename,\n Comments,\n DataNewValue,\n DataPolicyId,\n DataPolicyName,\n DataNewValueb,\n DataShouldReboot,\n DataRoleName,\n DataScopeLevelName,\n ActiveDirectoryComputerDistinguishedName,\n ActiveDirectoryComputerMemberOf,\n ActiveDirectoryLastUserDistinguishedName,\n ActiveDirectoryLastUserMemberOf,\n ActiveThreats=toreal(activeThreats_d),\n AgentVersion,\n AllowRemoteShell,\n AppsVulnerabilityStatus,\n ComputerName,\n ConsoleMigrationStatus,\n CoreCount=toreal(coreCount_d),\n CpuCount=toreal(cpuCount_d),\n CpuId,\n SrcDvcDomain,\n EncryptedApplications,\n ExternalId,\n ExternalIp,\n FirewallEnabled,\n GroupIp,\n InRemoteShellSession,\n Infected,\n InstallerType,\n IsActive,\n IsDecommissioned,\n IsPendingUninstall,\n IsUninstalled,\n IsUpToDate,\n LastActiveDate=tostring(LastActiveDate_datetime),\n LastIpToMgmt,\n LastLoggedInUserName,\n LicenseKey,\n LocationEnabled,\n LocationType,\n Locations,\n MachineType,\n MitigationMode,\n MitigationModeSuspicious,\n SrcDvcModelName,\n NetworkInterfaces,\n NetworkQuarantineEnabled,\n NetworkStatus,\n OperationalState,\n OsArch,\n SrcDvcOs,\n OsRevision,\n OsStartTime,\n OsType,\n RangerStatus,\n RangerVersion,\n RegisteredAt=tostring(RegisteredAt_datetime),\n RemoteProfilingState,\n ScanFinishedAt=tostring(ScanFinishedAt_datetime),\n ScanStartedAt=tostring(ScanStartedAt_datetime),\n ScanStatus,\n 
ThreatRebootRequired,\n TotalMemory=toreal(totalMemory_d),\n UserActionsNeeded,\n Uuid,\n Creator,\n CreatorId,\n Inherits,\n IsDefault,\n Name,\n AlertInfo,\n RuleInfo,\n ContainerInfo,\n RegistrationToken,\n TotalAgents=totalAgents_d,\n Type;\n };\n SentinelOne_view\n", "functionParameters": "", "version": 2, "tags": [ @@ -718,8 +2824,8 @@ "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", "displayName": "Parser for SentinelOne", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.1')))]", "version": "[variables('parserObject1').parserVersion1]" } }, 
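Review bot: The final `union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union` in the new query goes on to reference bare columns such as `Data`, `Description`, `ActiveDirectory`, `Domain`, `ModelName`, `OsName`, `AlertInfo`, `SourceProcessInfo`, `RuleInfo`, `TargetProcessInfo`, `ContainerInfo` and `LastActiveDate_datetime`, none of which the legacy `SentinelOneV1Empty_Union` branch supplies, so on a workspace that only has the legacy `SentinelOne_CL` table (existing customers before the CCP tables are created) the function appears to fail with unresolved column names rather than degrading gracefully the way the `SentinelOneV1_Empty` datatable makes the legacy branch do. The `SentinelOneV2_Empty` datatable declared at the top of the query looks intended for exactly this but is never referenced; add the missing columns to it (at least `Data:string, Description:string, ActiveDirectory:string, Domain:string, ModelName:string, OsName:string, LastActiveDate_datetime:datetime, RegisteredAt_datetime:datetime, ScanFinishedAt_datetime:datetime, ScanStartedAt_datetime:datetime`, the `*_datetime` names being ones I cannot see declared in any visible DCR stream, so verify them against the agents table) and include it in the union: `union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV2_Empty,SentinelOneV1Empty_Union`. Separately, `DataRuleName=tostring(parse_json(todynamic(Data)).rulename)` uses lowercase `rulename` while every other extracted key and the legacy `data_ruleName_s` column are camelCase, which likely leaves `DataRuleName` empty for CCP rows. Also `EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt'))` passes the literal string `'CreatedAt'` as the fallback instead of `''` like its neighbours; it is harmless only because the datatable union guarantees the column exists, so `''` would be the clearer choice.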
@@ -733,7 +2839,7 @@ "displayName": "Parser for SentinelOne", "category": "Microsoft Sentinel Parser", "functionAlias": "SentinelOne", - "query": "let SentinelOne_view = view () { \n SentinelOne_CL\n | extend \n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n AccountId=column_ifexists('accountId_s', ''),\n AccountName=column_ifexists('accountName_s', ''),\n ActivityType=column_ifexists('activityType_d', ''),\n EventCreationTime=column_ifexists('createdAt_t', ''),\n DataAccountName=column_ifexists('data_accountName_s', ''),\n DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),\n DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),\n DataScopeName=column_ifexists('data_scopeName_s', ''),\n DataSiteId=column_ifexists('data_siteId_d', ''),\n DataSiteName=column_ifexists('data_siteName_s', ''),\n SrcUserName=column_ifexists('data_username_s', ''),\n EventId=column_ifexists('id_s', ''),\n EventOriginalMessage=column_ifexists('primaryDescription_s', ''),\n SiteId=column_ifexists('siteId_s', ''),\n SiteName=column_ifexists('siteName_s', ''),\n UpdatedAt=column_ifexists('updatedAt_t', ''),\n UserIdentity=column_ifexists('userId_s', ''),\n EventType=column_ifexists('event_name_s', ''),\n DataByUser=column_ifexists('data_byUser_s', ''),\n DataRole=column_ifexists('data_role_s', ''),\n DataUserScope=column_ifexists('data_userScope_s', ''),\n EventTypeDetailed=column_ifexists('description_s', ''),\n DataSource=column_ifexists('data_source_s', ''),\n DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),\n DataExpiryTime=column_ifexists('data_expiryTime_d', ''),\n DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),\n DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),\n DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),\n DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),\n DataRuleId=column_ifexists('data_ruleId_d', ''),\n 
DataRuleName=column_ifexists('data_ruleName_s', ''),\n DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),\n DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),\n DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),\n DataScopeId=column_ifexists('data_scopeId_d', ''),\n DataStatus=column_ifexists('data_status_s', ''),\n DataSystemUser=column_ifexists('data_systemUser_d', ''),\n DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),\n DataUserId=column_ifexists('data_userId_d', ''),\n DataUserName=column_ifexists('data_userName_s', ''),\n EventSubStatus=column_ifexists('secondaryDescription_s', ''),\n AgentId=column_ifexists('agentId_s', ''),\n DataComputerName=column_ifexists('data_computerName_s', ''),\n DataExternalIp=column_ifexists('data_externalIp_s', ''),\n DataGroupName=column_ifexists('data_groupName_s', ''),\n DataSystem=column_ifexists('data_system_b', ''),\n DataUuid=column_ifexists('data_uuid_g', ''),\n GroupId=column_ifexists('groupId_s', ''),\n GroupName=column_ifexists('groupName_s', ''),\n DataGroup=column_ifexists('data_group_s', ''),\n DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),\n DataCreatedAt=column_ifexists('data_createdAt_t', ''),\n DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),\n DataFilePath=column_ifexists('data_filePath_s', ''),\n DataFilename=column_ifexists('data_filename_s', ''),\n DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),\n Comments=column_ifexists('comments_s', ''),\n DataNewValue=column_ifexists('data_newValue_s', ''),\n DataPolicyId=column_ifexists('data_policy_id_s', ''),\n DataPolicyName=column_ifexists('data_policyName_s', ''),\n DataNewValueb=column_ifexists('data_newValue_b', ''),\n DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),\n DataRoleName=column_ifexists('data_roleName_s', ''),\n DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),\n 
ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),\n ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),\n ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),\n ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),\n ActiveThreats=column_ifexists('activeThreats_d', ''),\n AgentVersion=column_ifexists('agentVersion_s', ''),\n AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),\n AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),\n ComputerName=column_ifexists('computerName_s', ''),\n ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),\n CoreCount=column_ifexists('coreCount_d', ''),\n CpuCount=column_ifexists('cpuCount_d', ''),\n CpuId=column_ifexists('cpuId_s', ''),\n SrcDvcDomain=column_ifexists('domain_s', ''),\n EncryptedApplications=column_ifexists('encryptedApplications_b', ''),\n ExternalId=column_ifexists('externalId_s', ''),\n ExternalIp=column_ifexists('externalIp_s', ''),\n FirewallEnabled=column_ifexists('firewallEnabled_b', ''),\n GroupIp=column_ifexists('groupIp_s', ''),\n InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),\n Infected=column_ifexists('infected_b', ''),\n InstallerType=column_ifexists('installerType_s', ''),\n IsActive=column_ifexists('isActive_b', ''),\n IsDecommissioned=column_ifexists('isDecommissioned_b', ''),\n IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),\n IsUninstalled=column_ifexists('isUninstalled_b', ''),\n IsUpToDate=column_ifexists('isUpToDate_b', ''),\n LastActiveDate=column_ifexists('lastActiveDate_t', ''),\n LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),\n LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),\n LicenseKey=column_ifexists('licenseKey_s', ''),\n LocationEnabled=column_ifexists('locationEnabled_b', ''),\n 
LocationType=column_ifexists('locationType_s', ''),\n Locations=column_ifexists('locations_s', ''),\n MachineType=column_ifexists('machineType_s', ''),\n MitigationMode=column_ifexists('mitigationMode_s', ''),\n MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),\n SrcDvcModelName=column_ifexists('modelName_s', ''),\n NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),\n NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),\n NetworkStatus=column_ifexists('networkStatus_s', ''),\n OperationalState=column_ifexists('operationalState_s', ''),\n OsArch=column_ifexists('osArch_s', ''),\n SrcDvcOs=column_ifexists('osName_s', ''),\n OsRevision=column_ifexists('osRevision_s', ''),\n OsStartTime=column_ifexists('osStartTime_t', ''),\n OsType=column_ifexists('osType_s', ''),\n RangerStatus=column_ifexists('rangerStatus_s', ''),\n RangerVersion=column_ifexists('rangerVersion_s', ''),\n RegisteredAt=column_ifexists('registeredAt_t', ''),\n RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),\n ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),\n ScanStartedAt=column_ifexists('scanStartedAt_t', ''),\n ScanStatus=column_ifexists('scanStatus_s', ''),\n ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),\n TotalMemory=column_ifexists('totalMemory_d', ''),\n UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),\n Uuid=column_ifexists('uuid_g', ''),\n Creator=column_ifexists('creator_s', ''),\n CreatorId=column_ifexists('creatorId_s', ''),\n Inherits=column_ifexists('inherits_b', ''),\n IsDefault=column_ifexists('isDefault_b', ''),\n Name=column_ifexists('name_s', ''),\n RegistrationToken=column_ifexists('registrationToken_s', ''),\n TotalAgents=column_ifexists('totalAgents_d', ''),\n Type=column_ifexists('type_s', '')\n | project\n TimeGenerated, \n EventVendor,\n EventProduct,\n AccountName,\n ActivityType,\n EventCreationTime,\n DataAccountName,\n DataFullScopeDetails,\n 
DataScopeLevel,\n DataScopeName,\n DataSiteId,\n DataSiteName,\n SrcUserName,\n EventId,\n EventOriginalMessage,\n SiteId,\n SiteName,\n UpdatedAt,\n UserIdentity,\n EventType,\n DataByUser,\n DataRole,\n DataUserScope,\n EventTypeDetailed,\n DataSource,\n DataExpiryDateStr,\n DataExpiryTime,\n DataNetworkquarantine,\n DataRuleCreationTime,\n DataRuleDescription,\n DataRuleExpirationMode,\n DataRuleId,\n DataRuleName,\n DataRuleQueryDetails,\n DataRuleQueryType,\n DataRuleSeverity,\n DataScopeId,\n DataStatus,\n DataSystemUser,\n DataTreatasthreat,\n DataUserId,\n DataUserName,\n EventSubStatus,\n AgentId,\n DataComputerName,\n DataExternalIp,\n DataGroupName,\n DataSystem,\n DataUuid,\n GroupId,\n GroupName,\n DataGroup,\n DataOptionalGroups,\n DataCreatedAt,\n DataDownloadUrl,\n DataFilePath,\n DataFilename,\n DataUploadedFilename,\n Comments,\n DataNewValue,\n DataPolicyId,\n DataPolicyName,\n DataNewValueb,\n DataShouldReboot,\n DataRoleName,\n DataScopeLevelName,\n ActiveDirectoryComputerDistinguishedName,\n ActiveDirectoryComputerMemberOf,\n ActiveDirectoryLastUserDistinguishedName,\n ActiveDirectoryLastUserMemberOf,\n ActiveThreats,\n AgentVersion,\n AllowRemoteShell,\n AppsVulnerabilityStatus,\n ComputerName,\n ConsoleMigrationStatus,\n CoreCount,\n CpuCount,\n CpuId,\n SrcDvcDomain,\n EncryptedApplications,\n ExternalId,\n ExternalIp,\n FirewallEnabled,\n GroupIp,\n InRemoteShellSession,\n Infected,\n InstallerType,\n IsActive,\n IsDecommissioned,\n IsPendingUninstall,\n IsUninstalled,\n IsUpToDate,\n LastActiveDate,\n LastIpToMgmt,\n LastLoggedInUserName,\n LicenseKey,\n LocationEnabled,\n LocationType,\n Locations,\n MachineType,\n MitigationMode,\n MitigationModeSuspicious,\n SrcDvcModelName,\n NetworkInterfaces,\n NetworkQuarantineEnabled,\n NetworkStatus,\n OperationalState,\n OsArch,\n SrcDvcOs,\n OsRevision,\n OsStartTime,\n OsType,\n RangerStatus,\n RangerVersion,\n RegisteredAt,\n RemoteProfilingState,\n ScanFinishedAt,\n ScanStartedAt,\n 
ScanStatus,\n ThreatRebootRequired,\n TotalMemory,\n UserActionsNeeded,\n Uuid,\n Creator,\n CreatorId,\n Inherits,\n IsDefault,\n Name,\n RegistrationToken,\n TotalAgents,\n Type\n};\nSentinelOne_view\n", + "query": "let SentinelOne_view = view () { \nlet SentinelOneV2_Empty = datatable(\n AccountId:string,\n AccountName:string,\n ActivityType:real ,\n EventCreationTime:datetime,\n DataAccountName:string,\n DataFullScopeDetails:string,\n DataScopeLevel:string,\n DataScopeName:string,\n DataSiteId:int,\n SecondaryDescription:string ,\n DataSiteName:string,\n SourceProcessInfo:string,\n SrcUserName:string,\n EventId:string,\n EventOriginalMessage:string,\n SiteId:string,\n SiteName:string,\n UpdatedAt:datetime ,\n UserIdentity:string,\n EventType:string,\n DataByUser:string,\n DataRole:string,\n DataUserScope:string,\n EventTypeDetailed:string,\n DataSource:string,\n DataExpiryDateStr:string,\n DataExpiryTime:int,\n DataNetworkquarantine:bool,\n DataRuleCreationTime:int,\n DataRuleDescription:string,\n DataRuleExpirationMode:string,\n DataRuleId:int,\n DataRuleName:string,\n DataRuleQueryDetails:string,\n DataRuleQueryType:string,\n DataRuleSeverity:string,\n DataScopeId:int,\n DataStatus:string,\n DataSystemUser:int,\n DataTreatasthreat:string,\n DataUserId:int,\n RuleInfo:string,\n DataUserName:string,\n EventSubStatus:string,\n AgentId:string,\n DataComputerName:string,\n DataExternalIp:string,\n DataGroupName:string,\n DataSystem:bool,\n DataUuid:string,\n GroupId:string,\n GroupName:string,\n DataGroup:string,\n UserId:string ,\n DataOptionalGroups:string,\n DataCreatedAt:string,\n DataDownloadUrl:string,\n DataFilePath:string,\n DataFilename:string,\n DataUploadedFilename:string,\n Comments:string,\n DataNewValue:string,\n DataPolicyId:string,\n DataPolicyName:string,\n DataNewValueb:string,\n DataShouldReboot:bool,\n DataRoleName:string,\n DataScopeLevelName:string,\n ActiveDirectoryComputerDistinguishedName:string,\n ActiveDirectoryComputerMemberOf:string,\n 
ActiveDirectoryLastUserDistinguishedName:string,\n ActiveDirectoryLastUserMemberOf:string,\n ActiveThreats:int,\n AgentVersion:string,\n AllowRemoteShell:bool,\n AppsVulnerabilityStatus:string,\n ComputerName:string,\n ConsoleMigrationStatus:string,\n CoreCount:int,\n CpuCount:int,\n CpuId:string,\n SrcDvcDomain:string,\n EncryptedApplications:bool,\n ExternalId:string,\n ExternalIp:string,\n FirewallEnabled:bool,\n GroupIp:string,\n InRemoteShellSession:bool,\n Infected:bool,\n InstallerType:string,\n IsActive:bool,\n IsDecommissioned:bool,\n IsPendingUninstall:bool,\n IsUninstalled:bool,\n IsUpToDate:bool,\n LastActiveDate:string,\n TargetProcessInfo:string ,\n LastIpToMgmt:string,\n LastLoggedInUserName:string,\n LicenseKey:string,\n LocationEnabled:bool,\n LocationType:string,\n Locations:string,\n MachineType:string,\n MitigationMode:string,\n MitigationModeSuspicious:string,\n SrcDvcModelName:string,\n NetworkInterfaces:string,\n NetworkQuarantineEnabled:bool,\n NetworkStatus:string,\n OperationalState:string,\n OsArch:string,\n SrcDvcOs:string,\n OsRevision:string,\n OsStartTime:datetime ,\n OsType:string,\n RangerStatus:string,\n RangerVersion:string,\n RegisteredAt:string,\n RemoteProfilingState:string,\n ScanFinishedAt:string,\n ScanStartedAt:string,\n ScanStatus:string,\n ThreatRebootRequired:bool,\n TotalMemory:int,\n SourceParentProcessInfo:string ,\n UserActionsNeeded:string,\n Uuid:string,\n Creator:string,\n ContainerInfo:string,\n CreatorId:string,\n Inherits:string ,\n IsDefault:string ,\n Name:string,\n RegistrationToken:string,\n AlertInfo:string,\n PrimaryDescription:string ,\n TotalAgents:real ,\n CreatedAt:datetime ,\n Id:string,\n Type:string\n )[]; \n let SentinelOneV1_Empty = datatable (\n accountId_s:string,\n accountName_s:string,\n activityType_d:real,\n createdAt_t:datetime ,\n data_accountName_s:string,\n data_fullScopeDetails_s:string,\n data_scopeLevel_s:string,\n data_scopeName_s:string,\n data_siteId_d:int,\n 
data_siteName_s:string,\n data_username_s:string,\n id_s:string,\n primaryDescription_s:string,\n siteId_s:string,\n siteName_s:string,\n updatedAt_t:datetime ,\n userId_s:string,\n event_name_s:string,\n data_byUser_s:string,\n data_role_s:string,\n data_userScope_s:string,\n description_s:string,\n data_source_s:string,\n data_expiryDateStr_s:string,\n data_expiryTime_d:int,\n data_networkquarantine_b:bool,\n data_ruleCreationTime_d:int,\n data_ruleDescription_s:string,\n data_ruleExpirationMode_s:string,\n data_ruleId_d:int,\n data_ruleName_s:string,\n data_ruleQueryDetails_s:string,\n data_ruleQueryType_s:string,\n data_ruleSeverity_s:string,\n data_scopeId_d:int,\n data_status_s:string,\n data_systemUser_d:int,\n data_treatasthreat_s:string,\n data_userId_d:int,\n data_userName_s:string,\n secondaryDescription_s:string,\n agentId_s:string,\n data_computerName_s:string,\n data_externalIp_s:string,\n data_groupName_s:string,\n data_system_b:bool,\n data_uuid_g:string,\n groupId_s:string,\n groupName_s:string,\n data_group_s:string,\n data_optionalGroups_s:string,\n data_createdAt_t:string,\n data_downloadUrl_s:string,\n data_filePath_s:string,\n data_filename_s:string,\n data_uploadedFilename_s:string,\n comments_s:string,\n data_newValue_s:string,\n data_policy_id_s:string,\n data_policyName_s:string,\n data_newValue_b:bool,\n data_shouldReboot_b:bool,\n data_roleName_s:string,\n data_scopeLevelName_s:string,\n activeDirectory_computerDistinguishedName_s:string,\n activeDirectory_computerMemberOf_s:string,\n activeDirectory_lastUserDistinguishedName_s:string,\n activeDirectory_lastUserMemberOf_s:string,\n activeThreats_d:real,\n agentVersion_s:string,\n allowRemoteShell_b:bool,\n appsVulnerabilityStatus_s:string,\n computerName_s:string,\n consoleMigrationStatus_s:string,\n coreCount_d:real,\n cpuCount_d:real ,\n cpuId_s:string,\n domain_s:string,\n encryptedApplications_b:bool,\n externalId_s:string,\n externalIp_s:string,\n firewallEnabled_b:bool,\n 
groupIp_s:string,\n inRemoteShellSession_b:bool,\n infected_b:bool,\n installerType_s:string,\n isActive_b:bool,\n isDecommissioned_b:bool,\n isPendingUninstall_b:bool,\n isUninstalled_b:bool,\n isUpToDate_b:bool,\n lastActiveDate_t:string,\n lastIpToMgmt_s:string,\n lastLoggedInUserName_s:string,\n licenseKey_s:string,\n locationEnabled_b:bool,\n locationType_s:string,\n locations_s:string,\n machineType_s:string,\n mitigationMode_s:string,\n mitigationModeSuspicious_s:string,\n modelName_s:string,\n networkInterfaces_s:string,\n networkQuarantineEnabled_b:bool,\n networkStatus_s:string,\n operationalState_s:string,\n osArch_s:string,\n osName_s:string,\n osRevision_s:string,\n osStartTime_t:datetime ,\n osType_s:string,\n rangerStatus_s:string,\n rangerVersion_s:string,\n registeredAt_t:string,\n remoteProfilingState_s:string,\n scanFinishedAt_t:string,\n scanStartedAt_t:string,\n scanStatus_s:string,\n threatRebootRequired_b:bool,\n totalMemory_d:real ,\n userActionsNeeded_s:string,\n uuid_g:string,\n creator_s:string,\n creatorId_s:string,\n inherits_b:string ,\n isDefault_b:string ,\n name_s:string,\n registrationToken_s:string,\n totalAgents_d:real ,\n type_s:string\n )[];\n let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty\n | extend \n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n AccountId=column_ifexists('accountId_s', ''),\n AccountName=column_ifexists('accountName_s', ''),\n ActivityType=toreal(column_ifexists('activityType_d', '')),\n EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')),\n DataAccountName=column_ifexists('data_accountName_s', ''),\n DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),\n DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),\n DataScopeName=column_ifexists('data_scopeName_s', ''),\n DataSiteId=column_ifexists('data_siteId_d', ''),\n DataSiteName=column_ifexists('data_siteName_s', ''),\n 
SrcUserName=column_ifexists('data_username_s', ''),\n EventId=column_ifexists('id_s', ''),\n EventOriginalMessage=column_ifexists('primaryDescription_s', ''),\n PrimaryDescription=column_ifexists('primaryDescription_s', ''),\n SiteId=column_ifexists('siteId_s', ''),\n SiteName=column_ifexists('siteName_s', ''),\n UpdatedAt=column_ifexists('updatedAt_t', ''),\n UserIdentity=column_ifexists('userId_s', ''),\n UserId=column_ifexists('userId_s', ''),\n EventType=column_ifexists('event_name_s', ''),\n DataByUser=column_ifexists('data_byUser_s', ''),\n DataRole=column_ifexists('data_role_s', ''),\n DataUserScope=column_ifexists('data_userScope_s', ''),\n EventTypeDetailed=column_ifexists('description_s', ''),\n DataSource=column_ifexists('data_source_s', ''),\n DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),\n DataExpiryTime=column_ifexists('data_expiryTime_d', ''),\n DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),\n DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),\n DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),\n DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),\n DataRuleId=column_ifexists('data_ruleId_d', ''),\n DataRuleName=column_ifexists('data_ruleName_s', ''),\n DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),\n DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),\n DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),\n DataScopeId=column_ifexists('data_scopeId_d', ''),\n Id=column_ifexists('id_s', ''),\n DataStatus=column_ifexists('data_status_s', ''),\n DataSystemUser=column_ifexists('data_systemUser_d', ''),\n DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),\n DataUserId=column_ifexists('data_userId_d', ''),\n DataUserName=column_ifexists('data_userName_s', ''),\n EventSubStatus=column_ifexists('secondaryDescription_s', ''),\n SecondaryDescription=column_ifexists('secondaryDescription_s', ''),\n 
AgentId=column_ifexists('agentId_s', ''),\n DataComputerName=column_ifexists('data_computerName_s', ''),\n DataExternalIp=column_ifexists('data_externalIp_s', ''),\n DataGroupName=column_ifexists('data_groupName_s', ''),\n DataSystem=column_ifexists('data_system_b', ''),\n DataUuid=column_ifexists('data_uuid_g', ''),\n GroupId=column_ifexists('groupId_s', ''),\n GroupName=column_ifexists('groupName_s', ''),\n DataGroup=column_ifexists('data_group_s', ''),\n DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),\n DataCreatedAt=column_ifexists('data_createdAt_t', ''),\n DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),\n DataFilePath=column_ifexists('data_filePath_s', ''),\n DataFilename=column_ifexists('data_filename_s', ''),\n DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),\n Comments=column_ifexists('comments_s', ''),\n DataNewValue=column_ifexists('data_newValue_s', ''),\n DataPolicyId=column_ifexists('data_policy_id_s', ''),\n DataPolicyName=column_ifexists('data_policyName_s', ''),\n DataNewValueb=column_ifexists('data_newValue_b', ''),\n DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),\n DataRoleName=column_ifexists('data_roleName_s', ''),\n DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),\n ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),\n ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),\n ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),\n ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),\n ActiveThreats=column_ifexists('activeThreats_d', ''),\n AgentVersion=column_ifexists('agentVersion_s', ''),\n AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),\n AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),\n ComputerName=column_ifexists('computerName_s', ''),\n 
ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),\n CoreCount=column_ifexists('coreCount_d', ''),\n CpuCount=column_ifexists('cpuCount_d', ''),\n CpuId=column_ifexists('cpuId_s', ''),\n SrcDvcDomain=column_ifexists('domain_s', ''),\n EncryptedApplications=column_ifexists('encryptedApplications_b', ''),\n ExternalId=column_ifexists('externalId_s', ''),\n ExternalIp=column_ifexists('externalIp_s', ''),\n FirewallEnabled=column_ifexists('firewallEnabled_b', ''),\n GroupIp=column_ifexists('groupIp_s', ''),\n InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),\n Infected=column_ifexists('infected_b', ''),\n InstallerType=column_ifexists('installerType_s', ''),\n IsActive=column_ifexists('isActive_b', ''),\n IsDecommissioned=column_ifexists('isDecommissioned_b', ''),\n IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),\n IsUninstalled=column_ifexists('isUninstalled_b', ''),\n IsUpToDate=column_ifexists('isUpToDate_b', ''),\n LastActiveDate=column_ifexists('lastActiveDate_t', ''),\n LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),\n LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),\n LicenseKey=column_ifexists('licenseKey_s', ''),\n LocationEnabled=column_ifexists('locationEnabled_b', ''),\n LocationType=column_ifexists('locationType_s', ''),\n Locations=column_ifexists('locations_s', ''),\n MachineType=column_ifexists('machineType_s', ''),\n MitigationMode=column_ifexists('mitigationMode_s', ''),\n MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),\n SrcDvcModelName=column_ifexists('modelName_s', ''),\n NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),\n NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),\n NetworkStatus=column_ifexists('networkStatus_s', ''),\n OperationalState=column_ifexists('operationalState_s', ''),\n OsArch=column_ifexists('osArch_s', ''),\n SrcDvcOs=column_ifexists('osName_s', ''),\n 
OsRevision=column_ifexists('osRevision_s', ''),\n OsStartTime=column_ifexists('osStartTime_t', ''),\n OsType=column_ifexists('osType_s', ''),\n RangerStatus=column_ifexists('rangerStatus_s', ''),\n RangerVersion=column_ifexists('rangerVersion_s', ''),\n RegisteredAt=column_ifexists('registeredAt_t', ''),\n RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),\n ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),\n ScanStartedAt=column_ifexists('scanStartedAt_t', ''),\n ScanStatus=column_ifexists('scanStatus_s', ''),\n ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),\n TotalMemory=column_ifexists('totalMemory_d', ''),\n UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),\n Uuid=column_ifexists('uuid_g', ''),\n Creator=column_ifexists('creator_s', ''),\n CreatedAt=column_ifexists('createdAt_t',''),\n CreatorId=column_ifexists('creatorId_s', ''),\n Inherits=column_ifexists('inherits_b', ''),\n IsDefault=column_ifexists('isDefault_b', ''),\n Name=column_ifexists('name_s', ''),\n RegistrationToken=column_ifexists('registrationToken_s', ''),\n TotalAgents=column_ifexists('totalAgents_d', ''),\n Type=column_ifexists('type_s', '');\n union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union\n | extend \n ActivityType,\n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n DataAccountName=tostring(parse_json(todynamic(Data)).accountName),\n DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails),\n DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel),\n DataScopeName=tostring(parse_json(todynamic(Data)).scopeName),\n DataSiteId=tostring(parse_json(todynamic(Data)).siteId),\n DataSiteName=tostring(parse_json(todynamic(Data)).siteName),\n SrcUserName=tostring(parse_json(todynamic(Data)).userName),\n EventId=Id,\n SourceParentProcessInfo,\n EventOriginalMessage=PrimaryDescription,\n 
UserIdentity=UserId,\n EventTypeDetailed=Description,\n DataRuleId=tostring(parse_json(todynamic(Data)).ruleId),\n DataRuleName=tostring(parse_json(todynamic(Data)).rulename),\n DataScopeId=tostring(parse_json(todynamic(Data)).scopeId),\n DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser),\n DataUserId=tostring(parse_json(todynamic(Data)).userId),\n DataUserName=tostring(parse_json(todynamic(Data)).userName),\n EventSubStatus=SecondaryDescription,\n DataComputerName=tostring(parse_json(todynamic(Data)).computerName),\n DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp),\n DataGroupName=tostring(parse_json(todynamic(Data)).groupName),\n DataStatus=tostring(parse_json(todynamic(Data)).status),\n DataByUser=tostring(parse_json(todynamic(Data)).byUser),\n DataRole=tostring(parse_json(todynamic(Data)).role),\n DataUserScope=tostring(parse_json(todynamic(Data)).userScope),\n DataSource=tostring(parse_json(todynamic(Data)).source),\n DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr),\n DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime),\n DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine),\n DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime),\n DataUuid=Uuid,\n DataGroup=tostring(parse_json(todynamic(Data)).group),\n DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription),\n EventType=tostring(parse_json(todynamic(AlertInfo)).eventType),\n DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode),\n DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails),\n DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType),\n DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity),\n DataSystem=tostring(parse_json(todynamic(Data)).system),\n DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups),\n DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt),\n 
DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl),\n DataFilePath=tostring(parse_json(todynamic(Data)).filePath),\n DataFilename=tostring(parse_json(todynamic(Data)).filename),\n DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename),\n DataNewValue=tostring(parse_json(todynamic(Data)).newValue),\n DataPolicyId=tostring(parse_json(todynamic(Data)).policyId),\n DataPolicyName=tostring(parse_json(todynamic(Data)).policyName),\n DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot),\n DataRoleName=tostring(parse_json(todynamic(Data)).roleName),\n DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName),\n ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName),\n ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf),\n ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName),\n ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf),\n SrcDvcDomain=Domain,\n AlertInfo,\n FirewallEnabled=column_ifexists('FirewallEnabled',''),\n LocationEnabled=column_ifexists('LocationEnabled',''),\n SrcDvcModelName=ModelName,\n NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''),\n SrcDvcOs=OsName,\n SourceProcessInfo,\n RuleInfo,\n TargetProcessInfo,\n ContainerInfo,\n EventCreationTime=CreatedAt,\n RemoteProfilingState=column_ifexists('RemoteProfilingState','')\n | project\n TimeGenerated, \n EventVendor,\n EventProduct,\n AccountName,\n SourceParentProcessInfo,\n TargetProcessInfo,\n ActivityType,\n EventCreationTime,\n DataAccountName,\n DataFullScopeDetails,\n DataScopeLevel,\n DataScopeName,\n DataSiteId,\n SourceProcessInfo,\n DataSiteName,\n SrcUserName,\n EventId,\n EventOriginalMessage,\n SiteId,\n SiteName,\n UpdatedAt,\n UserIdentity,\n EventType,\n DataByUser,\n DataRole,\n 
DataUserScope,\n EventTypeDetailed,\n DataSource,\n DataExpiryDateStr,\n DataExpiryTime,\n DataNetworkquarantine,\n DataRuleCreationTime,\n DataRuleDescription,\n DataRuleExpirationMode,\n DataRuleId,\n DataRuleName,\n DataRuleQueryDetails,\n DataRuleQueryType,\n DataRuleSeverity,\n DataScopeId,\n DataStatus,\n DataSystemUser,\n DataTreatasthreat,\n DataUserId,\n DataUserName,\n EventSubStatus,\n AgentId,\n DataComputerName,\n DataExternalIp,\n DataGroupName,\n DataSystem,\n DataUuid,\n GroupId,\n GroupName,\n DataGroup,\n DataOptionalGroups,\n DataCreatedAt,\n DataDownloadUrl,\n DataFilePath,\n DataFilename,\n DataUploadedFilename,\n Comments,\n DataNewValue,\n DataPolicyId,\n DataPolicyName,\n DataNewValueb,\n DataShouldReboot,\n DataRoleName,\n DataScopeLevelName,\n ActiveDirectoryComputerDistinguishedName,\n ActiveDirectoryComputerMemberOf,\n ActiveDirectoryLastUserDistinguishedName,\n ActiveDirectoryLastUserMemberOf,\n ActiveThreats=toreal(activeThreats_d),\n AgentVersion,\n AllowRemoteShell,\n AppsVulnerabilityStatus,\n ComputerName,\n ConsoleMigrationStatus,\n CoreCount=toreal(coreCount_d),\n CpuCount=toreal(cpuCount_d),\n CpuId,\n SrcDvcDomain,\n EncryptedApplications,\n ExternalId,\n ExternalIp,\n FirewallEnabled,\n GroupIp,\n InRemoteShellSession,\n Infected,\n InstallerType,\n IsActive,\n IsDecommissioned,\n IsPendingUninstall,\n IsUninstalled,\n IsUpToDate,\n LastActiveDate=tostring(LastActiveDate_datetime),\n LastIpToMgmt,\n LastLoggedInUserName,\n LicenseKey,\n LocationEnabled,\n LocationType,\n Locations,\n MachineType,\n MitigationMode,\n MitigationModeSuspicious,\n SrcDvcModelName,\n NetworkInterfaces,\n NetworkQuarantineEnabled,\n NetworkStatus,\n OperationalState,\n OsArch,\n SrcDvcOs,\n OsRevision,\n OsStartTime,\n OsType,\n RangerStatus,\n RangerVersion,\n RegisteredAt=tostring(RegisteredAt_datetime),\n RemoteProfilingState,\n ScanFinishedAt=tostring(ScanFinishedAt_datetime),\n ScanStartedAt=tostring(ScanStartedAt_datetime),\n ScanStatus,\n 
ThreatRebootRequired,\n TotalMemory=toreal(totalMemory_d),\n UserActionsNeeded,\n Uuid,\n Creator,\n CreatorId,\n Inherits,\n IsDefault,\n Name,\n AlertInfo,\n RuleInfo,\n ContainerInfo,\n RegistrationToken,\n TotalAgents=totalAgents_d,\n Type;\n };\n SentinelOne_view\n",
 "functionParameters": "",
 "version": 2,
 "tags": [
@@ -783,7 +2889,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SentinelOneAdminLoginNewIP_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "SentinelOneAdminLoginNewIP_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -811,10 +2917,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SentinelOne",
 "dataTypes": [
 "SentinelOne"
- ]
+ ],
+ "connectorId": "SentinelOne"
 }
 ],
 "tactics": [
@@ -897,7 +3003,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SentinelOneAgentUninstalled_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "SentinelOneAgentUninstalled_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -925,10 +3031,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SentinelOne",
 "dataTypes": [
 "SentinelOne"
- ]
+ ],
+ "connectorId": "SentinelOne"
 }
 ],
 "tactics": [
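Review bot: `SentinelOneV2_Empty` is declared at the top of the new `query` but never used — the final `union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union` lists only the five new tables and the V1 union, so the columns the later `extend` references bare (`AlertInfo`, `RuleInfo`, `ContainerInfo`, `SourceProcessInfo`, `TargetProcessInfo`, `SourceParentProcessInfo`, `Data`, `Description`, `ActiveDirectory`, `Domain`, `ModelName`, `OsName`) exist only while the specific new `_CL` table that presumably carries each of them is present in the workspace. In a workspace that still has only the legacy `SentinelOne_CL` — the case `isfuzzy=true` is there to tolerate — the parser fails to resolve those names, and every analytic rule in this package that queries `SentinelOne` (AdminLoginNewIP, AgentUninstalled, ExclusionAdded, …) stops producing alerts until someone notices the rule-health failure. Appending the empty schema to the union, `... ,SentinelOneV1Empty_Union,SentinelOneV2_Empty`, covers the columns it declares; `Data`, `Description`, `ActiveDirectory`, `Domain`, `ModelName` and `OsName` are not declared in `SentinelOneV2_Empty` either and would need to be added (or wrapped in `column_ifexists()`) for the fallback to be complete. Separately, `DataRuleName=tostring(parse_json(todynamic(Data)).rulename)` uses a lower-case `rulename` while the V1 mapping reads `data_ruleName_s` and the neighbouring keys are camelCase; dynamic property access is case-sensitive, so this looks like a typo that leaves `DataRuleName` empty for new-format events — worth confirming against an actual activity payload.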
@@ -1001,7 +3107,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneAlertFromCustomRule_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneAlertFromCustomRule_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -1029,10 +3135,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ @@ -1105,7 +3211,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneBlacklistHashDeleted_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneBlacklistHashDeleted_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -1133,10 +3239,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ 
@@ -1222,7 +3328,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneExclusionAdded_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneExclusionAdded_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -1250,10 +3356,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ @@ -1326,7 +3432,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneMultipleAlertsOnHost_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneMultipleAlertsOnHost_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -1354,10 +3460,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ 
@@ -1430,7 +3536,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneNewAdmin_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneNewAdmin_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -1458,10 +3564,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ @@ -1534,7 +3640,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneRuleDeleted_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneRuleDeleted_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -1562,10 +3668,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ 
@@ -1638,7 +3744,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneRuleDisabled_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneRuleDisabled_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -1666,10 +3772,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ @@ -1742,7 +3848,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneSameCustomRuleHitOnDiffHosts_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneSameCustomRuleHitOnDiffHosts_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -1770,10 +3876,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ 
@@ -1848,7 +3954,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneViewAgentPassphrase_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneViewAgentPassphrase_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", @@ -1876,10 +3982,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ @@ -1961,7 +4067,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneAgentNotUpdated_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneAgentNotUpdated_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", 
@@ -2046,7 +4152,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneAgentStatus_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneAgentStatus_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -2131,7 +4237,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneAlertTriggers_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneAlertTriggers_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -2216,7 +4322,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneHostNotScanned_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneHostNotScanned_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", 
@@ -2301,7 +4407,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneNewRules_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneNewRules_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -2386,7 +4492,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneRulesDeleted_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneRulesDeleted_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -2471,7 +4577,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneScannedHosts_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneScannedHosts_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", 
@@ -2556,7 +4662,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneSourcesByAlertCount_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneSourcesByAlertCount_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -2641,7 +4747,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneUninstalledAgents_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneUninstalledAgents_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", @@ -2726,7 +4832,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneUsersByAlertCount_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneUsersByAlertCount_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", 
@@ -2807,7 +4913,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "SentinelOne", @@ -2839,8 +4945,8 @@ "criteria": [ { "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "version": "[variables('dataConnectorCCPVersion')]" }, { "kind": "Workbook", diff --git a/Solutions/SentinelOne/Package/testParameters.json b/Solutions/SentinelOne/Package/testParameters.json index 34572c463ed..210e9a11ceb 100644 --- a/Solutions/SentinelOne/Package/testParameters.json +++ b/Solutions/SentinelOne/Package/testParameters.json @@ -21,6 +21,20 @@ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" } }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } + }, "workbook1-name": { "type": "string", "defaultValue": "SentinelOneWorkbook", diff --git a/Solutions/SentinelOne/Parsers/SentinelOne.yaml b/Solutions/SentinelOne/Parsers/SentinelOne.yaml index 9021869c431..3f18edb09e1 100644 --- a/Solutions/SentinelOne/Parsers/SentinelOne.yaml +++ b/Solutions/SentinelOne/Parsers/SentinelOne.yaml 
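Review bot: The dependency criteria in `@@ -2839,8 +4945,8 @@` now bind the solution to the CCP connector via `"contentId": "[variables('_dataConnectorContentIdConnections1')]"` and `"version": "[variables('dataConnectorCCPVersion')]"`, while the analytic rules' `requiredDataConnectors` in the earlier hunks (from `@@ -811,10 +2917,10 @@` onward) still declare `"connectorId": "SentinelOne"`. Whether the CCP connector's id is also `SentinelOne` cannot be confirmed from these hunks; if it differs, the rules' connector prerequisite will point at a connector the package no longer lists as a dependency. Confirm the value behind `_dataConnectorContentIdConnections1` before merging, or update the `connectorId` entries together with this change. The reorder hunks themselves change no semantics, so this is the only place the two parts of the template need to be reconciled.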
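Review bot: The two new parameter descriptions in the `testParameters.json` hunk start in lowercase (`"description": "resource group name where Microsoft Sentinel is setup"` and `"description": "subscription id where Microsoft Sentinel is setup"`), which is inconsistent with the sibling `"Workspace name for Log Analytics where Microsoft Sentinel is setup"` shown as context. Capitalising them keeps the help text uniform, e.g. `"description": "Resource group name where Microsoft Sentinel is setup"` and `"description": "Subscription id where Microsoft Sentinel is setup"`. The parameter named `subscription` carries an id rather than a subscription object, as its default `"[last(split(subscription().id, '/'))]"` shows; a name such as `subscriptionId` would state that, though the name may be fixed by whatever consumes these test parameters.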
@@ -1,279 +1,639 @@ id: e1cb35b3-ee01-4c8f-a361-0850d0554ab6 Function: Title: Parser for SentinelOne - Version: '1.0.0' - LastUpdated: '2023-08-23' + Version: '1.0.1' + LastUpdated: '2024-11-25' Category: Microsoft Sentinel Parser FunctionName: SentinelOne FunctionAlias: SentinelOne FunctionQuery: | let SentinelOne_view = view () { - SentinelOne_CL - | extend + let SentinelOneV2_Empty = datatable( + AccountId:string, + AccountName:string, + ActivityType:real , + EventCreationTime:datetime, + DataAccountName:string, + DataFullScopeDetails:string, + DataScopeLevel:string, + DataScopeName:string, + DataSiteId:int, + SecondaryDescription:string , + DataSiteName:string, + SourceProcessInfo:string, + SrcUserName:string, + EventId:string, + EventOriginalMessage:string, + SiteId:string, + SiteName:string, + UpdatedAt:datetime , + UserIdentity:string, + EventType:string, + DataByUser:string, + DataRole:string, + DataUserScope:string, + EventTypeDetailed:string, + DataSource:string, + DataExpiryDateStr:string, + DataExpiryTime:int, + DataNetworkquarantine:bool, + DataRuleCreationTime:int, + DataRuleDescription:string, + DataRuleExpirationMode:string, + DataRuleId:int, + DataRuleName:string, + DataRuleQueryDetails:string, + DataRuleQueryType:string, + DataRuleSeverity:string, + DataScopeId:int, + DataStatus:string, + DataSystemUser:int, + DataTreatasthreat:string, + DataUserId:int, + RuleInfo:string, + DataUserName:string, + EventSubStatus:string, + AgentId:string, + DataComputerName:string, + DataExternalIp:string, + DataGroupName:string, + DataSystem:bool, + DataUuid:string, + GroupId:string, + GroupName:string, + DataGroup:string, + UserId:string , + DataOptionalGroups:string, + DataCreatedAt:string, + DataDownloadUrl:string, + DataFilePath:string, + DataFilename:string, + DataUploadedFilename:string, + Comments:string, + DataNewValue:string, + DataPolicyId:string, + DataPolicyName:string, + DataNewValueb:string, + DataShouldReboot:bool, + DataRoleName:string, + 
DataScopeLevelName:string, + ActiveDirectoryComputerDistinguishedName:string, + ActiveDirectoryComputerMemberOf:string, + ActiveDirectoryLastUserDistinguishedName:string, + ActiveDirectoryLastUserMemberOf:string, + ActiveThreats:int, + AgentVersion:string, + AllowRemoteShell:bool, + AppsVulnerabilityStatus:string, + ComputerName:string, + ConsoleMigrationStatus:string, + CoreCount:int, + CpuCount:int, + CpuId:string, + SrcDvcDomain:string, + EncryptedApplications:bool, + ExternalId:string, + ExternalIp:string, + FirewallEnabled:bool, + GroupIp:string, + InRemoteShellSession:bool, + Infected:bool, + InstallerType:string, + IsActive:bool, + IsDecommissioned:bool, + IsPendingUninstall:bool, + IsUninstalled:bool, + IsUpToDate:bool, + LastActiveDate:string, + TargetProcessInfo:string , + LastIpToMgmt:string, + LastLoggedInUserName:string, + LicenseKey:string, + LocationEnabled:bool, + LocationType:string, + Locations:string, + MachineType:string, + MitigationMode:string, + MitigationModeSuspicious:string, + SrcDvcModelName:string, + NetworkInterfaces:string, + NetworkQuarantineEnabled:bool, + NetworkStatus:string, + OperationalState:string, + OsArch:string, + SrcDvcOs:string, + OsRevision:string, + OsStartTime:datetime , + OsType:string, + RangerStatus:string, + RangerVersion:string, + RegisteredAt:string, + RemoteProfilingState:string, + ScanFinishedAt:string, + ScanStartedAt:string, + ScanStatus:string, + ThreatRebootRequired:bool, + TotalMemory:int, + SourceParentProcessInfo:string , + UserActionsNeeded:string, + Uuid:string, + Creator:string, + ContainerInfo:string, + CreatorId:string, + Inherits:string , + IsDefault:string , + Name:string, + RegistrationToken:string, + AlertInfo:string, + PrimaryDescription:string , + TotalAgents:real , + CreatedAt:datetime , + Id:string, + Type:string + )[]; + let SentinelOneV1_Empty = datatable ( + accountId_s:string, + accountName_s:string, + activityType_d:real, + createdAt_t:datetime , + data_accountName_s:string, + 
data_fullScopeDetails_s:string, + data_scopeLevel_s:string, + data_scopeName_s:string, + data_siteId_d:int, + data_siteName_s:string, + data_username_s:string, + id_s:string, + primaryDescription_s:string, + siteId_s:string, + siteName_s:string, + updatedAt_t:datetime , + userId_s:string, + event_name_s:string, + data_byUser_s:string, + data_role_s:string, + data_userScope_s:string, + description_s:string, + data_source_s:string, + data_expiryDateStr_s:string, + data_expiryTime_d:int, + data_networkquarantine_b:bool, + data_ruleCreationTime_d:int, + data_ruleDescription_s:string, + data_ruleExpirationMode_s:string, + data_ruleId_d:int, + data_ruleName_s:string, + data_ruleQueryDetails_s:string, + data_ruleQueryType_s:string, + data_ruleSeverity_s:string, + data_scopeId_d:int, + data_status_s:string, + data_systemUser_d:int, + data_treatasthreat_s:string, + data_userId_d:int, + data_userName_s:string, + secondaryDescription_s:string, + agentId_s:string, + data_computerName_s:string, + data_externalIp_s:string, + data_groupName_s:string, + data_system_b:bool, + data_uuid_g:string, + groupId_s:string, + groupName_s:string, + data_group_s:string, + data_optionalGroups_s:string, + data_createdAt_t:string, + data_downloadUrl_s:string, + data_filePath_s:string, + data_filename_s:string, + data_uploadedFilename_s:string, + comments_s:string, + data_newValue_s:string, + data_policy_id_s:string, + data_policyName_s:string, + data_newValue_b:bool, + data_shouldReboot_b:bool, + data_roleName_s:string, + data_scopeLevelName_s:string, + activeDirectory_computerDistinguishedName_s:string, + activeDirectory_computerMemberOf_s:string, + activeDirectory_lastUserDistinguishedName_s:string, + activeDirectory_lastUserMemberOf_s:string, + activeThreats_d:real, + agentVersion_s:string, + allowRemoteShell_b:bool, + appsVulnerabilityStatus_s:string, + computerName_s:string, + consoleMigrationStatus_s:string, + coreCount_d:real, + cpuCount_d:real , + cpuId_s:string, + domain_s:string, + 
encryptedApplications_b:bool, + externalId_s:string, + externalIp_s:string, + firewallEnabled_b:bool, + groupIp_s:string, + inRemoteShellSession_b:bool, + infected_b:bool, + installerType_s:string, + isActive_b:bool, + isDecommissioned_b:bool, + isPendingUninstall_b:bool, + isUninstalled_b:bool, + isUpToDate_b:bool, + lastActiveDate_t:string, + lastIpToMgmt_s:string, + lastLoggedInUserName_s:string, + licenseKey_s:string, + locationEnabled_b:bool, + locationType_s:string, + locations_s:string, + machineType_s:string, + mitigationMode_s:string, + mitigationModeSuspicious_s:string, + modelName_s:string, + networkInterfaces_s:string, + networkQuarantineEnabled_b:bool, + networkStatus_s:string, + operationalState_s:string, + osArch_s:string, + osName_s:string, + osRevision_s:string, + osStartTime_t:datetime , + osType_s:string, + rangerStatus_s:string, + rangerVersion_s:string, + registeredAt_t:string, + remoteProfilingState_s:string, + scanFinishedAt_t:string, + scanStartedAt_t:string, + scanStatus_s:string, + threatRebootRequired_b:bool, + totalMemory_d:real , + userActionsNeeded_s:string, + uuid_g:string, + creator_s:string, + creatorId_s:string, + inherits_b:string , + isDefault_b:string , + name_s:string, + registrationToken_s:string, + totalAgents_d:real , + type_s:string + )[]; + let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty + | extend EventVendor="SentinelOne", EventProduct="SentinelOne", - AccountId=column_ifexists('accountId_s', ''), - AccountName=column_ifexists('accountName_s', ''), - ActivityType=column_ifexists('activityType_d', ''), - EventCreationTime=column_ifexists('createdAt_t', ''), - DataAccountName=column_ifexists('data_accountName_s', ''), - DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''), - DataScopeLevel=column_ifexists('data_scopeLevel_s', ''), - DataScopeName=column_ifexists('data_scopeName_s', ''), - DataSiteId=column_ifexists('data_siteId_d', ''), - 
DataSiteName=column_ifexists('data_siteName_s', ''), - SrcUserName=column_ifexists('data_username_s', ''), - EventId=column_ifexists('id_s', ''), - EventOriginalMessage=column_ifexists('primaryDescription_s', ''), - SiteId=column_ifexists('siteId_s', ''), - SiteName=column_ifexists('siteName_s', ''), - UpdatedAt=column_ifexists('updatedAt_t', ''), - UserIdentity=column_ifexists('userId_s', ''), - EventType=column_ifexists('event_name_s', ''), - DataByUser=column_ifexists('data_byUser_s', ''), - DataRole=column_ifexists('data_role_s', ''), - DataUserScope=column_ifexists('data_userScope_s', ''), - EventTypeDetailed=column_ifexists('description_s', ''), - DataSource=column_ifexists('data_source_s', ''), - DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''), - DataExpiryTime=column_ifexists('data_expiryTime_d', ''), - DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''), - DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''), - DataRuleDescription=column_ifexists('data_ruleDescription_s', ''), - DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''), - DataRuleId=column_ifexists('data_ruleId_d', ''), - DataRuleName=column_ifexists('data_ruleName_s', ''), - DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''), - DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''), - DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''), - DataScopeId=column_ifexists('data_scopeId_d', ''), - DataStatus=column_ifexists('data_status_s', ''), - DataSystemUser=column_ifexists('data_systemUser_d', ''), - DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''), - DataUserId=column_ifexists('data_userId_d', ''), - DataUserName=column_ifexists('data_userName_s', ''), - EventSubStatus=column_ifexists('secondaryDescription_s', ''), - AgentId=column_ifexists('agentId_s', ''), - DataComputerName=column_ifexists('data_computerName_s', ''), - DataExternalIp=column_ifexists('data_externalIp_s', ''), - 
DataGroupName=column_ifexists('data_groupName_s', ''), - DataSystem=column_ifexists('data_system_b', ''), - DataUuid=column_ifexists('data_uuid_g', ''), - GroupId=column_ifexists('groupId_s', ''), - GroupName=column_ifexists('groupName_s', ''), - DataGroup=column_ifexists('data_group_s', ''), - DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''), - DataCreatedAt=column_ifexists('data_createdAt_t', ''), - DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''), - DataFilePath=column_ifexists('data_filePath_s', ''), - DataFilename=column_ifexists('data_filename_s', ''), - DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''), - Comments=column_ifexists('comments_s', ''), - DataNewValue=column_ifexists('data_newValue_s', ''), - DataPolicyId=column_ifexists('data_policy_id_s', ''), - DataPolicyName=column_ifexists('data_policyName_s', ''), - DataNewValueb=column_ifexists('data_newValue_b', ''), - DataShouldReboot=column_ifexists('data_shouldReboot_b', ''), - DataRoleName=column_ifexists('data_roleName_s', ''), - DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''), - ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''), - ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''), - ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''), - ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''), - ActiveThreats=column_ifexists('activeThreats_d', ''), - AgentVersion=column_ifexists('agentVersion_s', ''), - AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''), - AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''), - ComputerName=column_ifexists('computerName_s', ''), - ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''), - CoreCount=column_ifexists('coreCount_d', ''), - CpuCount=column_ifexists('cpuCount_d', ''), - 
CpuId=column_ifexists('cpuId_s', ''), - SrcDvcDomain=column_ifexists('domain_s', ''), - EncryptedApplications=column_ifexists('encryptedApplications_b', ''), - ExternalId=column_ifexists('externalId_s', ''), - ExternalIp=column_ifexists('externalIp_s', ''), - FirewallEnabled=column_ifexists('firewallEnabled_b', ''), - GroupIp=column_ifexists('groupIp_s', ''), - InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''), - Infected=column_ifexists('infected_b', ''), - InstallerType=column_ifexists('installerType_s', ''), - IsActive=column_ifexists('isActive_b', ''), - IsDecommissioned=column_ifexists('isDecommissioned_b', ''), - IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''), - IsUninstalled=column_ifexists('isUninstalled_b', ''), - IsUpToDate=column_ifexists('isUpToDate_b', ''), - LastActiveDate=column_ifexists('lastActiveDate_t', ''), - LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''), - LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''), - LicenseKey=column_ifexists('licenseKey_s', ''), - LocationEnabled=column_ifexists('locationEnabled_b', ''), - LocationType=column_ifexists('locationType_s', ''), - Locations=column_ifexists('locations_s', ''), - MachineType=column_ifexists('machineType_s', ''), - MitigationMode=column_ifexists('mitigationMode_s', ''), - MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''), - SrcDvcModelName=column_ifexists('modelName_s', ''), - NetworkInterfaces=column_ifexists('networkInterfaces_s', ''), - NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''), - NetworkStatus=column_ifexists('networkStatus_s', ''), - OperationalState=column_ifexists('operationalState_s', ''), - OsArch=column_ifexists('osArch_s', ''), - SrcDvcOs=column_ifexists('osName_s', ''), - OsRevision=column_ifexists('osRevision_s', ''), - OsStartTime=column_ifexists('osStartTime_t', ''), - OsType=column_ifexists('osType_s', ''), - RangerStatus=column_ifexists('rangerStatus_s', ''), - 
RangerVersion=column_ifexists('rangerVersion_s', ''),
- RegisteredAt=column_ifexists('registeredAt_t', ''),
- RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),
- ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),
- ScanStartedAt=column_ifexists('scanStartedAt_t', ''),
- ScanStatus=column_ifexists('scanStatus_s', ''),
- ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),
- TotalMemory=column_ifexists('totalMemory_d', ''),
- UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),
- Uuid=column_ifexists('uuid_g', ''),
- Creator=column_ifexists('creator_s', ''),
- CreatorId=column_ifexists('creatorId_s', ''),
- Inherits=column_ifexists('inherits_b', ''),
- IsDefault=column_ifexists('isDefault_b', ''),
- Name=column_ifexists('name_s', ''),
- RegistrationToken=column_ifexists('registrationToken_s', ''),
- TotalAgents=column_ifexists('totalAgents_d', ''),
- Type=column_ifexists('type_s', '')
- | project
- TimeGenerated,
- EventVendor,
- EventProduct,
- AccountName,
- ActivityType,
- EventCreationTime,
- DataAccountName,
- DataFullScopeDetails,
- DataScopeLevel,
- DataScopeName,
- DataSiteId,
- DataSiteName,
- SrcUserName,
- EventId,
- EventOriginalMessage,
- SiteId,
- SiteName,
- UpdatedAt,
- UserIdentity,
- EventType,
- DataByUser,
- DataRole,
- DataUserScope,
- EventTypeDetailed,
- DataSource,
- DataExpiryDateStr,
- DataExpiryTime,
- DataNetworkquarantine,
- DataRuleCreationTime,
- DataRuleDescription,
- DataRuleExpirationMode,
- DataRuleId,
- DataRuleName,
- DataRuleQueryDetails,
- DataRuleQueryType,
- DataRuleSeverity,
- DataScopeId,
- DataStatus,
- DataSystemUser,
- DataTreatasthreat,
- DataUserId,
- DataUserName,
- EventSubStatus,
- AgentId,
- DataComputerName,
- DataExternalIp,
- DataGroupName,
- DataSystem,
- DataUuid,
- GroupId,
- GroupName,
- DataGroup,
- DataOptionalGroups,
- DataCreatedAt,
- DataDownloadUrl,
- DataFilePath,
- DataFilename,
- DataUploadedFilename,
- Comments,
- DataNewValue,
- DataPolicyId,
- DataPolicyName,
- DataNewValueb,
- DataShouldReboot,
- DataRoleName,
- DataScopeLevelName,
- ActiveDirectoryComputerDistinguishedName,
- ActiveDirectoryComputerMemberOf,
- ActiveDirectoryLastUserDistinguishedName,
- ActiveDirectoryLastUserMemberOf,
- ActiveThreats,
- AgentVersion,
- AllowRemoteShell,
- AppsVulnerabilityStatus,
- ComputerName,
- ConsoleMigrationStatus,
- CoreCount,
- CpuCount,
- CpuId,
- SrcDvcDomain,
- EncryptedApplications,
- ExternalId,
- ExternalIp,
- FirewallEnabled,
- GroupIp,
- InRemoteShellSession,
- Infected,
- InstallerType,
- IsActive,
- IsDecommissioned,
- IsPendingUninstall,
- IsUninstalled,
- IsUpToDate,
- LastActiveDate,
- LastIpToMgmt,
- LastLoggedInUserName,
- LicenseKey,
- LocationEnabled,
- LocationType,
- Locations,
- MachineType,
- MitigationMode,
- MitigationModeSuspicious,
- SrcDvcModelName,
- NetworkInterfaces,
- NetworkQuarantineEnabled,
- NetworkStatus,
- OperationalState,
- OsArch,
- SrcDvcOs,
- OsRevision,
- OsStartTime,
- OsType,
- RangerStatus,
- RangerVersion,
- RegisteredAt,
- RemoteProfilingState,
- ScanFinishedAt,
- ScanStartedAt,
- ScanStatus,
- ThreatRebootRequired,
- TotalMemory,
- UserActionsNeeded,
- Uuid,
- Creator,
- CreatorId,
- Inherits,
- IsDefault,
- Name,
- RegistrationToken,
- TotalAgents,
- Type
- };
- SentinelOne_view
\ No newline at end of file
+ AccountId=column_ifexists('accountId_s', ''),
+ AccountName=column_ifexists('accountName_s', ''),
+ ActivityType=toreal(column_ifexists('activityType_d', '')),
+ EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')),
+ DataAccountName=column_ifexists('data_accountName_s', ''),
+ DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),
+ DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),
+ DataScopeName=column_ifexists('data_scopeName_s', ''),
+ DataSiteId=column_ifexists('data_siteId_d', ''),
+ DataSiteName=column_ifexists('data_siteName_s', ''),
+ SrcUserName=column_ifexists('data_username_s', ''),
+ EventId=column_ifexists('id_s', ''),
+ EventOriginalMessage=column_ifexists('primaryDescription_s', ''),
+ PrimaryDescription=column_ifexists('primaryDescription_s', ''),
+ SiteId=column_ifexists('siteId_s', ''),
+ SiteName=column_ifexists('siteName_s', ''),
+ UpdatedAt=column_ifexists('updatedAt_t', ''),
+ UserIdentity=column_ifexists('userId_s', ''),
+ UserId=column_ifexists('userId_s', ''),
+ EventType=column_ifexists('event_name_s', ''),
+ DataByUser=column_ifexists('data_byUser_s', ''),
+ DataRole=column_ifexists('data_role_s', ''),
+ DataUserScope=column_ifexists('data_userScope_s', ''),
+ EventTypeDetailed=column_ifexists('description_s', ''),
+ DataSource=column_ifexists('data_source_s', ''),
+ DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),
+ DataExpiryTime=column_ifexists('data_expiryTime_d', ''),
+ DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),
+ DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),
+ DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),
+ DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),
+ DataRuleId=column_ifexists('data_ruleId_d', ''),
+ DataRuleName=column_ifexists('data_ruleName_s', ''),
+ DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),
+ DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),
+ DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),
+ DataScopeId=column_ifexists('data_scopeId_d', ''),
+ Id=column_ifexists('id_s', ''),
+ DataStatus=column_ifexists('data_status_s', ''),
+ DataSystemUser=column_ifexists('data_systemUser_d', ''),
+ DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),
+ DataUserId=column_ifexists('data_userId_d', ''),
+ DataUserName=column_ifexists('data_userName_s', ''),
+ EventSubStatus=column_ifexists('secondaryDescription_s', ''),
+ SecondaryDescription=column_ifexists('secondaryDescription_s', ''),
+ AgentId=column_ifexists('agentId_s', ''),
+ DataComputerName=column_ifexists('data_computerName_s', ''),
+ DataExternalIp=column_ifexists('data_externalIp_s', ''),
+ DataGroupName=column_ifexists('data_groupName_s', ''),
+ DataSystem=column_ifexists('data_system_b', ''),
+ DataUuid=column_ifexists('data_uuid_g', ''),
+ GroupId=column_ifexists('groupId_s', ''),
+ GroupName=column_ifexists('groupName_s', ''),
+ DataGroup=column_ifexists('data_group_s', ''),
+ DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),
+ DataCreatedAt=column_ifexists('data_createdAt_t', ''),
+ DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),
+ DataFilePath=column_ifexists('data_filePath_s', ''),
+ DataFilename=column_ifexists('data_filename_s', ''),
+ DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),
+ Comments=column_ifexists('comments_s', ''),
+ DataNewValue=column_ifexists('data_newValue_s', ''),
+ DataPolicyId=column_ifexists('data_policy_id_s', ''),
+ DataPolicyName=column_ifexists('data_policyName_s', ''),
+ DataNewValueb=column_ifexists('data_newValue_b', ''),
+ DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),
+ DataRoleName=column_ifexists('data_roleName_s', ''),
+ DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),
+ ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),
+ ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),
+ ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),
+ ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),
+ ActiveThreats=column_ifexists('activeThreats_d', ''),
+ AgentVersion=column_ifexists('agentVersion_s', ''),
+ AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),
+ AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),
+ ComputerName=column_ifexists('computerName_s', ''),
+ ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),
+ CoreCount=column_ifexists('coreCount_d', ''),
+ CpuCount=column_ifexists('cpuCount_d', ''),
+ CpuId=column_ifexists('cpuId_s', ''),
+ SrcDvcDomain=column_ifexists('domain_s', ''),
+ EncryptedApplications=column_ifexists('encryptedApplications_b', ''),
+ ExternalId=column_ifexists('externalId_s', ''),
+ ExternalIp=column_ifexists('externalIp_s', ''),
+ FirewallEnabled=column_ifexists('firewallEnabled_b', ''),
+ GroupIp=column_ifexists('groupIp_s', ''),
+ InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),
+ Infected=column_ifexists('infected_b', ''),
+ InstallerType=column_ifexists('installerType_s', ''),
+ IsActive=column_ifexists('isActive_b', ''),
+ IsDecommissioned=column_ifexists('isDecommissioned_b', ''),
+ IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),
+ IsUninstalled=column_ifexists('isUninstalled_b', ''),
+ IsUpToDate=column_ifexists('isUpToDate_b', ''),
+ LastActiveDate=column_ifexists('lastActiveDate_t', ''),
+ LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),
+ LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),
+ LicenseKey=column_ifexists('licenseKey_s', ''),
+ LocationEnabled=column_ifexists('locationEnabled_b', ''),
+ LocationType=column_ifexists('locationType_s', ''),
+ Locations=column_ifexists('locations_s', ''),
+ MachineType=column_ifexists('machineType_s', ''),
+ MitigationMode=column_ifexists('mitigationMode_s', ''),
+ MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),
+ SrcDvcModelName=column_ifexists('modelName_s', ''),
+ NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),
+ NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),
+ NetworkStatus=column_ifexists('networkStatus_s', ''),
+ OperationalState=column_ifexists('operationalState_s', ''),
+ OsArch=column_ifexists('osArch_s', ''),
+ SrcDvcOs=column_ifexists('osName_s', ''),
+ OsRevision=column_ifexists('osRevision_s', ''),
+ OsStartTime=column_ifexists('osStartTime_t', ''),
+ OsType=column_ifexists('osType_s', ''),
+ RangerStatus=column_ifexists('rangerStatus_s', ''),
+ RangerVersion=column_ifexists('rangerVersion_s', ''),
+ RegisteredAt=column_ifexists('registeredAt_t', ''),
+ RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),
+ ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),
+ ScanStartedAt=column_ifexists('scanStartedAt_t', ''),
+ ScanStatus=column_ifexists('scanStatus_s', ''),
+ ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),
+ TotalMemory=column_ifexists('totalMemory_d', ''),
+ UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),
+ Uuid=column_ifexists('uuid_g', ''),
+ Creator=column_ifexists('creator_s', ''),
+ CreatedAt=column_ifexists('createdAt_t',''),
+ CreatorId=column_ifexists('creatorId_s', ''),
+ Inherits=column_ifexists('inherits_b', ''),
+ IsDefault=column_ifexists('isDefault_b', ''),
+ Name=column_ifexists('name_s', ''),
+ RegistrationToken=column_ifexists('registrationToken_s', ''),
+ TotalAgents=column_ifexists('totalAgents_d', ''),
+ Type=column_ifexists('type_s', '');
+ union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union
+ | extend
+ ActivityType,
+ EventVendor="SentinelOne",
+ EventProduct="SentinelOne",
+ DataAccountName=tostring(parse_json(todynamic(Data)).accountName),
+ DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails),
+ DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel),
+ DataScopeName=tostring(parse_json(todynamic(Data)).scopeName),
+ DataSiteId=tostring(parse_json(todynamic(Data)).siteId),
+ DataSiteName=tostring(parse_json(todynamic(Data)).siteName),
+ SrcUserName=tostring(parse_json(todynamic(Data)).userName),
+ EventId=Id,
+ SourceParentProcessInfo,
+ EventOriginalMessage=PrimaryDescription,
+ UserIdentity=UserId,
+ EventTypeDetailed=Description,
+ DataRuleId=tostring(parse_json(todynamic(Data)).ruleId),
+ DataRuleName=tostring(parse_json(todynamic(Data)).rulename),
+ DataScopeId=tostring(parse_json(todynamic(Data)).scopeId),
+ DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser),
+ DataUserId=tostring(parse_json(todynamic(Data)).userId),
+ DataUserName=tostring(parse_json(todynamic(Data)).userName),
+ EventSubStatus=SecondaryDescription,
+ DataComputerName=tostring(parse_json(todynamic(Data)).computerName),
+ DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp),
+ DataGroupName=tostring(parse_json(todynamic(Data)).groupName),
+ DataStatus=tostring(parse_json(todynamic(Data)).status),
+ DataByUser=tostring(parse_json(todynamic(Data)).byUser),
+ DataRole=tostring(parse_json(todynamic(Data)).role),
+ DataUserScope=tostring(parse_json(todynamic(Data)).userScope),
+ DataSource=tostring(parse_json(todynamic(Data)).source),
+ DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr),
+ DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime),
+ DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine),
+ DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime),
+ DataUuid=Uuid,
+ DataGroup=tostring(parse_json(todynamic(Data)).group),
+ DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription),
+ EventType=tostring(parse_json(todynamic(AlertInfo)).eventType),
+ DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode),
+ DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails),
+ DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType),
+ DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity),
+ DataSystem=tostring(parse_json(todynamic(Data)).system),
+ DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups),
+ DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt),
+ DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl),
+ DataFilePath=tostring(parse_json(todynamic(Data)).filePath),
+ DataFilename=tostring(parse_json(todynamic(Data)).filename),
+ DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename),
+ DataNewValue=tostring(parse_json(todynamic(Data)).newValue),
+ DataPolicyId=tostring(parse_json(todynamic(Data)).policyId),
+ DataPolicyName=tostring(parse_json(todynamic(Data)).policyName),
+ DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot),
+ DataRoleName=tostring(parse_json(todynamic(Data)).roleName),
+ DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName),
+ ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName),
+ ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf),
+ ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName),
+ ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf),
+ SrcDvcDomain=Domain,
+ AlertInfo,
+ FirewallEnabled=column_ifexists('FirewallEnabled',''),
+ LocationEnabled=column_ifexists('LocationEnabled',''),
+ SrcDvcModelName=ModelName,
+ NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''),
+ SrcDvcOs=OsName,
+ SourceProcessInfo,
+ RuleInfo,
+ TargetProcessInfo,
+ ContainerInfo,
+ EventCreationTime=CreatedAt,
+ RemoteProfilingState=column_ifexists('RemoteProfilingState','')
+ | project
+ TimeGenerated,
+ EventVendor,
+ EventProduct,
+ AccountName,
+ SourceParentProcessInfo,
+ TargetProcessInfo,
+ ActivityType,
+ EventCreationTime,
+ DataAccountName,
+ DataFullScopeDetails,
+ DataScopeLevel,
+ DataScopeName,
+ DataSiteId,
+ SourceProcessInfo,
+ DataSiteName,
+ SrcUserName,
+ EventId,
+ EventOriginalMessage,
+ SiteId,
+ SiteName,
+ UpdatedAt,
+ UserIdentity,
+ EventType,
+ DataByUser,
+ DataRole,
+ DataUserScope,
+ EventTypeDetailed,
+ DataSource,
+ DataExpiryDateStr,
+ DataExpiryTime,
+ DataNetworkquarantine,
+ DataRuleCreationTime,
+ DataRuleDescription,
+ DataRuleExpirationMode,
+ DataRuleId,
+ DataRuleName,
+ DataRuleQueryDetails,
+ DataRuleQueryType,
+ DataRuleSeverity,
+ DataScopeId,
+ DataStatus,
+ DataSystemUser,
+ DataTreatasthreat,
+ DataUserId,
+ DataUserName,
+ EventSubStatus,
+ AgentId,
+ DataComputerName,
+ DataExternalIp,
+ DataGroupName,
+ DataSystem,
+ DataUuid,
+ GroupId,
+ GroupName,
+ DataGroup,
+ DataOptionalGroups,
+ DataCreatedAt,
+ DataDownloadUrl,
+ DataFilePath,
+ DataFilename,
+ DataUploadedFilename,
+ Comments,
+ DataNewValue,
+ DataPolicyId,
+ DataPolicyName,
+ DataNewValueb,
+ DataShouldReboot,
+ DataRoleName,
+ DataScopeLevelName,
+ ActiveDirectoryComputerDistinguishedName,
+ ActiveDirectoryComputerMemberOf,
+ ActiveDirectoryLastUserDistinguishedName,
+ ActiveDirectoryLastUserMemberOf,
+ ActiveThreats=toreal(activeThreats_d),
+ AgentVersion,
+ AllowRemoteShell,
+ AppsVulnerabilityStatus,
+ ComputerName,
+ ConsoleMigrationStatus,
+ CoreCount=toreal(coreCount_d),
+ CpuCount=toreal(cpuCount_d),
+ CpuId,
+ SrcDvcDomain,
+ EncryptedApplications,
+ ExternalId,
+ ExternalIp,
+ FirewallEnabled,
+ GroupIp,
+ InRemoteShellSession,
+ Infected,
+ InstallerType,
+ IsActive,
+ IsDecommissioned,
+ IsPendingUninstall,
+ IsUninstalled,
+ IsUpToDate,
+ LastActiveDate=tostring(LastActiveDate_datetime),
+ LastIpToMgmt,
+ LastLoggedInUserName,
+ LicenseKey,
+ LocationEnabled,
+ LocationType,
+ Locations,
+ MachineType,
+ MitigationMode,
+ MitigationModeSuspicious,
+ SrcDvcModelName,
+ NetworkInterfaces,
+ NetworkQuarantineEnabled,
+ NetworkStatus,
+ OperationalState,
+ OsArch,
+ SrcDvcOs,
+ OsRevision,
+ OsStartTime,
+ OsType,
+ RangerStatus,
+ RangerVersion,
+ RegisteredAt=tostring(RegisteredAt_datetime),
+ RemoteProfilingState,
+ ScanFinishedAt=tostring(ScanFinishedAt_datetime),
+ ScanStartedAt=tostring(ScanStartedAt_datetime),
+ ScanStatus,
+ ThreatRebootRequired,
+ TotalMemory=toreal(totalMemory_d),
+ UserActionsNeeded,
+ Uuid,
+ Creator,
+ CreatorId,
+ Inherits,
+ IsDefault,
+ Name,
+ AlertInfo,
+ RuleInfo,
+ ContainerInfo,
+ RegistrationToken,
+ TotalAgents=totalAgents_d,
+ Type;
+ };
+ SentinelOne_view
\ No newline at end of file
diff --git a/Solutions/SentinelOne/Parsers/newParser.txt b/Solutions/SentinelOne/Parsers/newParser.txt
new file mode 100644
index 00000000000..3562373bb25
--- /dev/null
+++ b/Solutions/SentinelOne/Parsers/newParser.txt
@@ -0,0 +1,633 @@
+let SentinelOne_view = view () {
+let SentinelOneV2_Empty = datatable(
+ AccountId:string,
+ AccountName:string,
+ ActivityType:real ,
+ EventCreationTime:datetime,
+ DataAccountName:string,
+ DataFullScopeDetails:string,
+ DataScopeLevel:string,
+ DataScopeName:string,
+ DataSiteId:int,
+ SecondaryDescription:string ,
+ DataSiteName:string,
+ SourceProcessInfo:string,
+ SrcUserName:string,
+ EventId:string,
+ EventOriginalMessage:string,
+ SiteId:string,
+ SiteName:string,
+ UpdatedAt:datetime ,
+ UserIdentity:string,
+ EventType:string,
+ DataByUser:string,
+ DataRole:string,
+ DataUserScope:string,
+ EventTypeDetailed:string,
+ DataSource:string,
+ DataExpiryDateStr:string,
+ DataExpiryTime:int,
+ DataNetworkquarantine:bool,
+ DataRuleCreationTime:int,
+ DataRuleDescription:string,
+ DataRuleExpirationMode:string,
+ DataRuleId:int,
+ DataRuleName:string,
+ DataRuleQueryDetails:string,
+ DataRuleQueryType:string,
+ DataRuleSeverity:string,
+ DataScopeId:int,
+ DataStatus:string,
+ DataSystemUser:int,
+ DataTreatasthreat:string,
+ DataUserId:int,
+ RuleInfo:string,
+ AgentDetectionInfo:string ,
+ DataUserName:string,
+ EventSubStatus:string,
+ AgentId:string,
+ DataComputerName:string,
+ DataExternalIp:string,
+ DataGroupName:string,
+ DataSystem:bool,
+ DataUuid:string,
+ GroupId:string,
+ GroupName:string,
+ DataGroup:string,
+ UserId:string ,
+ DataOptionalGroups:string,
+ DataCreatedAt:string,
+ DataDownloadUrl:string,
+ DataFilePath:string,
+ DataFilename:string,
+ DataUploadedFilename:string,
+ Comments:string,
+ DataNewValue:string,
+ DataPolicyId:string,
+ DataPolicyName:string,
+ DataNewValueb:string,
+ DataShouldReboot:bool,
+ DataRoleName:string,
+ DataScopeLevelName:string,
+ ActiveDirectoryComputerDistinguishedName:string,
+ ActiveDirectoryComputerMemberOf:string,
+ ActiveDirectoryLastUserDistinguishedName:string,
+ ActiveDirectoryLastUserMemberOf:string,
+ ActiveThreats:int,
+ AgentVersion:string,
+ AllowRemoteShell:bool,
+ AppsVulnerabilityStatus:string,
+ ComputerName:string,
+ ConsoleMigrationStatus:string,
+ CoreCount:int,
+ CpuCount:int,
+ CpuId:string,
+ SrcDvcDomain:string,
+ EncryptedApplications:bool,
+ ExternalId:string,
+ ExternalIp:string,
+ FirewallEnabled:bool,
+ GroupIp:string,
+ InRemoteShellSession:bool,
+ Infected:bool,
+ InstallerType:string,
+ IsActive:bool,
+ IsDecommissioned:bool,
+ IsPendingUninstall:bool,
+ IsUninstalled:bool,
+ IsUpToDate:bool,
+ LastActiveDate:string,
+ TargetProcessInfo:string ,
+ LastIpToMgmt:string,
+ LastLoggedInUserName:string,
+ LicenseKey:string,
+ LocationEnabled:bool,
+ LocationType:string,
+ Locations:string,
+ MachineType:string,
+ MitigationMode:string,
+ MitigationModeSuspicious:string,
+ SrcDvcModelName:string,
+ NetworkInterfaces:string,
+ NetworkQuarantineEnabled:bool,
+ NetworkStatus:string,
+ OperationalState:string,
+ OsArch:string,
+ SrcDvcOs:string,
+ OsRevision:string,
+ OsStartTime:datetime ,
+ OsType:string,
+ RangerStatus:string,
+ RangerVersion:string,
+ RegisteredAt:string,
+ RemoteProfilingState:string,
+ ScanFinishedAt:string,
+ ScanStartedAt:string,
+ ScanStatus:string,
+ ThreatRebootRequired:bool,
+ TotalMemory:int,
+ SourceParentProcessInfo:string ,
+ UserActionsNeeded:string,
+ Uuid:string,
+ Creator:string,
+ ContainerInfo:string,
+ CreatorId:string,
+ Inherits:string ,
+ IsDefault:string ,
+ Name:string,
+ RegistrationToken:string,
+ AlertInfo:string,
+ PrimaryDescription:string ,
+ TotalAgents:real ,
+ CreatedAt:datetime ,
+ Id:string,
+ Type:string
+ )[];
+let SentinelOneV1_Empty = datatable (
+ accountId_s:string,
+ accountName_s:string,
+ activityType_d:real,
+ createdAt_t:datetime ,
+ data_accountName_s:string,
+ data_fullScopeDetails_s:string,
+ data_scopeLevel_s:string,
+ data_scopeName_s:string,
+ data_siteId_d:int,
+ data_siteName_s:string,
+ data_username_s:string,
+ id_s:string,
+ primaryDescription_s:string,
+ siteId_s:string,
+ siteName_s:string,
+ updatedAt_t:datetime ,
+ userId_s:string,
+ event_name_s:string,
+ data_byUser_s:string,
+ data_role_s:string,
+ data_userScope_s:string,
+ description_s:string,
+ data_source_s:string,
+ data_expiryDateStr_s:string,
+ data_expiryTime_d:int,
+ data_networkquarantine_b:bool,
+ data_ruleCreationTime_d:int,
+ data_ruleDescription_s:string,
+ data_ruleExpirationMode_s:string,
+ data_ruleId_d:int,
+ data_ruleName_s:string,
+ data_ruleQueryDetails_s:string,
+ data_ruleQueryType_s:string,
+ data_ruleSeverity_s:string,
+ data_scopeId_d:int,
+ data_status_s:string,
+ data_systemUser_d:int,
+ data_treatasthreat_s:string,
+ data_userId_d:int,
+ data_userName_s:string,
+ secondaryDescription_s:string,
+ agentId_s:string,
+ data_computerName_s:string,
+ data_externalIp_s:string,
+ data_groupName_s:string,
+ data_system_b:bool,
+ data_uuid_g:string,
+ groupId_s:string,
+ groupName_s:string,
+ data_group_s:string,
+ data_optionalGroups_s:string,
+ data_createdAt_t:string,
+ data_downloadUrl_s:string,
+ data_filePath_s:string,
+ data_filename_s:string,
+ data_uploadedFilename_s:string,
+ comments_s:string,
+ data_newValue_s:string,
+ data_policy_id_s:string,
+ data_policyName_s:string,
+ data_newValue_b:bool,
+ data_shouldReboot_b:bool,
+ data_roleName_s:string,
+ data_scopeLevelName_s:string,
+ activeDirectory_computerDistinguishedName_s:string,
+ activeDirectory_computerMemberOf_s:string,
+ activeDirectory_lastUserDistinguishedName_s:string,
+ activeDirectory_lastUserMemberOf_s:string,
+ activeThreats_d:real,
+ agentVersion_s:string,
+ allowRemoteShell_b:bool,
+ appsVulnerabilityStatus_s:string,
+ computerName_s:string,
+ consoleMigrationStatus_s:string,
+ coreCount_d:real,
+ cpuCount_d:real ,
+ cpuId_s:string,
+ domain_s:string,
+ encryptedApplications_b:bool,
+ externalId_s:string,
+ externalIp_s:string,
+ firewallEnabled_b:bool,
+ groupIp_s:string,
+ inRemoteShellSession_b:bool,
+ infected_b:bool,
+ installerType_s:string,
+ isActive_b:bool,
+ isDecommissioned_b:bool,
+ isPendingUninstall_b:bool,
+ isUninstalled_b:bool,
+ isUpToDate_b:bool,
+ lastActiveDate_t:string,
+ lastIpToMgmt_s:string,
+ lastLoggedInUserName_s:string,
+ licenseKey_s:string,
+ locationEnabled_b:bool,
+ locationType_s:string,
+ locations_s:string,
+ machineType_s:string,
+ mitigationMode_s:string,
+ mitigationModeSuspicious_s:string,
+ modelName_s:string,
+ networkInterfaces_s:string,
+ networkQuarantineEnabled_b:bool,
+ networkStatus_s:string,
+ operationalState_s:string,
+ osArch_s:string,
+ osName_s:string,
+ osRevision_s:string,
+ osStartTime_t:datetime ,
+ osType_s:string,
+ rangerStatus_s:string,
+ rangerVersion_s:string,
+ registeredAt_t:string,
+ remoteProfilingState_s:string,
+ scanFinishedAt_t:string,
+ scanStartedAt_t:string,
+ scanStatus_s:string,
+ threatRebootRequired_b:bool,
+ totalMemory_d:real ,
+ userActionsNeeded_s:string,
+ uuid_g:string,
+ creator_s:string,
+ creatorId_s:string,
+ inherits_b:string ,
+ isDefault_b:string ,
+ name_s:string,
+ registrationToken_s:string,
+ totalAgents_d:real ,
+ type_s:string
+ )[];
+ let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty
+ | extend
+ EventVendor="SentinelOne",
+ EventProduct="SentinelOne",
+ AccountId=column_ifexists('accountId_s', ''),
+ AccountName=column_ifexists('accountName_s', ''),
+ ActivityType=toreal(column_ifexists('activityType_d', '')),
+ EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')),
+ DataAccountName=column_ifexists('data_accountName_s', ''),
+ DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),
+ DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),
+ DataScopeName=column_ifexists('data_scopeName_s', ''),
+ DataSiteId=column_ifexists('data_siteId_d', ''),
+ DataSiteName=column_ifexists('data_siteName_s', ''),
+ SrcUserName=column_ifexists('data_username_s', ''),
+ EventId=column_ifexists('id_s', ''),
+ EventOriginalMessage=column_ifexists('primaryDescription_s', ''),
+ PrimaryDescription=column_ifexists('primaryDescription_s', 
''),
+ SiteId=column_ifexists('siteId_s', ''),
+ SiteName=column_ifexists('siteName_s', ''),
+ UpdatedAt=column_ifexists('updatedAt_t', ''),
+ UserIdentity=column_ifexists('userId_s', ''),
+ UserId=column_ifexists('userId_s', ''),
+ EventType=column_ifexists('event_name_s', ''),
+ DataByUser=column_ifexists('data_byUser_s', ''),
+ DataRole=column_ifexists('data_role_s', ''),
+ DataUserScope=column_ifexists('data_userScope_s', ''),
+ EventTypeDetailed=column_ifexists('description_s', ''),
+ DataSource=column_ifexists('data_source_s', ''),
+ DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),
+ DataExpiryTime=column_ifexists('data_expiryTime_d', ''),
+ DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),
+ DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),
+ DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),
+ DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),
+ DataRuleId=column_ifexists('data_ruleId_d', ''),
+ DataRuleName=column_ifexists('data_ruleName_s', ''),
+ DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),
+ DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),
+ DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),
+ DataScopeId=column_ifexists('data_scopeId_d', ''),
+ Id=column_ifexists('id_s', ''),
+ DataStatus=column_ifexists('data_status_s', ''),
+ DataSystemUser=column_ifexists('data_systemUser_d', ''),
+ DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),
+ DataUserId=column_ifexists('data_userId_d', ''),
+ DataUserName=column_ifexists('data_userName_s', ''),
+ EventSubStatus=column_ifexists('secondaryDescription_s', ''),
+ SecondaryDescription=column_ifexists('secondaryDescription_s', ''),
+ AgentId=column_ifexists('agentId_s', ''),
+ DataComputerName=column_ifexists('data_computerName_s', ''),
+ DataExternalIp=column_ifexists('data_externalIp_s', ''),
+ DataGroupName=column_ifexists('data_groupName_s', ''),
+ DataSystem=column_ifexists('data_system_b', ''),
+ DataUuid=column_ifexists('data_uuid_g', ''),
+ GroupId=column_ifexists('groupId_s', ''),
+ GroupName=column_ifexists('groupName_s', ''),
+ DataGroup=column_ifexists('data_group_s', ''),
+ DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),
+ DataCreatedAt=column_ifexists('data_createdAt_t', ''),
+ DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),
+ DataFilePath=column_ifexists('data_filePath_s', ''),
+ DataFilename=column_ifexists('data_filename_s', ''),
+ DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),
+ Comments=column_ifexists('comments_s', ''),
+ DataNewValue=column_ifexists('data_newValue_s', ''),
+ DataPolicyId=column_ifexists('data_policy_id_s', ''),
+ DataPolicyName=column_ifexists('data_policyName_s', ''),
+ DataNewValueb=column_ifexists('data_newValue_b', ''),
+ DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),
+ DataRoleName=column_ifexists('data_roleName_s', ''),
+ DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),
+ ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),
+ ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),
+ ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),
+ ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),
+ ActiveThreats=column_ifexists('activeThreats_d', ''),
+ AgentVersion=column_ifexists('agentVersion_s', ''),
+ AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),
+ AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),
+ ComputerName=column_ifexists('computerName_s', ''),
+ ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),
+ CoreCount=column_ifexists('coreCount_d', ''),
+ CpuCount=column_ifexists('cpuCount_d', ''),
+ CpuId=column_ifexists('cpuId_s', ''),
+ SrcDvcDomain=column_ifexists('domain_s', ''),
+ EncryptedApplications=column_ifexists('encryptedApplications_b', ''),
+ ExternalId=column_ifexists('externalId_s', ''),
+ ExternalIp=column_ifexists('externalIp_s', ''),
+ FirewallEnabled=column_ifexists('firewallEnabled_b', ''),
+ GroupIp=column_ifexists('groupIp_s', ''),
+ InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),
+ Infected=column_ifexists('infected_b', ''),
+ InstallerType=column_ifexists('installerType_s', ''),
+ IsActive=column_ifexists('isActive_b', ''),
+ IsDecommissioned=column_ifexists('isDecommissioned_b', ''),
+ IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),
+ IsUninstalled=column_ifexists('isUninstalled_b', ''),
+ IsUpToDate=column_ifexists('isUpToDate_b', ''),
+ LastActiveDate=column_ifexists('lastActiveDate_t', ''),
+ LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),
+ LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),
+ LicenseKey=column_ifexists('licenseKey_s', ''),
+ LocationEnabled=column_ifexists('locationEnabled_b', ''),
+ LocationType=column_ifexists('locationType_s', ''),
+ Locations=column_ifexists('locations_s', ''),
+ MachineType=column_ifexists('machineType_s', ''),
+ MitigationMode=column_ifexists('mitigationMode_s', ''),
+ MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),
+ SrcDvcModelName=column_ifexists('modelName_s', ''),
+ NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),
+ NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),
+ NetworkStatus=column_ifexists('networkStatus_s', ''),
+ OperationalState=column_ifexists('operationalState_s', ''),
+ OsArch=column_ifexists('osArch_s', ''),
+ SrcDvcOs=column_ifexists('osName_s', ''),
+ OsRevision=column_ifexists('osRevision_s', ''),
+ OsStartTime=column_ifexists('osStartTime_t', ''),
+ OsType=column_ifexists('osType_s', ''),
+ RangerStatus=column_ifexists('rangerStatus_s', ''),
+ RangerVersion=column_ifexists('rangerVersion_s', ''),
+ RegisteredAt=column_ifexists('registeredAt_t', ''),
+ RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),
+ ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),
+ ScanStartedAt=column_ifexists('scanStartedAt_t', ''),
+ ScanStatus=column_ifexists('scanStatus_s', ''),
+ ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),
+ TotalMemory=column_ifexists('totalMemory_d', ''),
+ UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),
+ Uuid=column_ifexists('uuid_g', ''),
+ Creator=column_ifexists('creator_s', ''),
+ CreatedAt=column_ifexists('createdAt_t',''),
+ CreatorId=column_ifexists('creatorId_s', ''),
+ Inherits=column_ifexists('inherits_b', ''),
+ IsDefault=column_ifexists('isDefault_b', ''),
+ Name=column_ifexists('name_s', ''),
+ RegistrationToken=column_ifexists('registrationToken_s', ''),
+ TotalAgents=column_ifexists('totalAgents_d', ''),
+ Type=column_ifexists('type_s', '');
+ union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union
+ | extend
+ ActivityType,
+ EventVendor="SentinelOne",
+ EventProduct="SentinelOne",
+ DataAccountName=tostring(parse_json(todynamic(Data)).accountName),
+ DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails),
+ DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel),
+ DataScopeName=tostring(parse_json(todynamic(Data)).scopeName),
+ DataSiteId=tostring(parse_json(todynamic(Data)).siteId),
+ DataSiteName=tostring(parse_json(todynamic(Data)).siteName),
+ SrcUserName=tostring(parse_json(todynamic(Data)).userName),
+ EventId=Id,
+ SourceParentProcessInfo,
+ EventOriginalMessage=PrimaryDescription,
+ UserIdentity=UserId,
+ EventTypeDetailed=Description,
+ DataRuleId=tostring(parse_json(todynamic(Data)).ruleId),
+ DataRuleName=tostring(parse_json(todynamic(Data)).rulename),
+ DataScopeId=tostring(parse_json(todynamic(Data)).scopeId),
+ DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser),
+ DataUserId=tostring(parse_json(todynamic(Data)).userId),
+ DataUserName=tostring(parse_json(todynamic(Data)).userName),
+ EventSubStatus=SecondaryDescription,
+ DataComputerName=tostring(parse_json(todynamic(Data)).computerName),
+ DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp),
+ DataGroupName=tostring(parse_json(todynamic(Data)).groupName),
+ DataStatus=tostring(parse_json(todynamic(Data)).status),
+ DataByUser=tostring(parse_json(todynamic(Data)).byUser),
+ DataRole=tostring(parse_json(todynamic(Data)).role),
+ DataUserScope=tostring(parse_json(todynamic(Data)).userScope),
+ DataSource=tostring(parse_json(todynamic(Data)).source),
+ DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr),
+ DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime),
+ DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine),
+ DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime),
+ DataUuid=Uuid,
+ DataGroup=tostring(parse_json(todynamic(Data)).group),
+ DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription),
+ EventType=tostring(parse_json(todynamic(AlertInfo)).eventType),
+ DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode),
+ DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails),
+ DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType),
+ DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity),
+ DataSystem=tostring(parse_json(todynamic(Data)).system),
+ DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups),
+ DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt),
+ DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl),
+ DataFilePath=tostring(parse_json(todynamic(Data)).filePath),
+ DataFilename=tostring(parse_json(todynamic(Data)).filename),
+ DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename),
+ DataNewValue=tostring(parse_json(todynamic(Data)).newValue),
+ DataPolicyId=tostring(parse_json(todynamic(Data)).policyId),
+ DataPolicyName=tostring(parse_json(todynamic(Data)).policyName),
+ DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot),
+ DataRoleName=tostring(parse_json(todynamic(Data)).roleName),
+ DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName),
+ ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName),
+ ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf),
+ ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName),
+ ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf),
+ SrcDvcDomain=Domain,
+ AlertInfo,
+ FirewallEnabled=column_ifexists('FirewallEnabled',''),
+ LocationEnabled=column_ifexists('LocationEnabled',''),
+ SrcDvcModelName=ModelName,
+ NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''),
+ SrcDvcOs=OsName,
+ SourceProcessInfo,
+ RuleInfo,
+ TargetProcessInfo,
+ ContainerInfo,
+ AgentDetectionInfo,
+ EventCreationTime=CreatedAt,
+ RemoteProfilingState=column_ifexists('RemoteProfilingState','')
+ | project
+ TimeGenerated,
+ AgentDetectionInfo,
+ EventVendor,
+ EventProduct,
+ AccountName,
+ SourceParentProcessInfo,
+ TargetProcessInfo,
+ ActivityType,
+ EventCreationTime,
+ DataAccountName,
+ DataFullScopeDetails,
+ DataScopeLevel,
+ DataScopeName,
+ DataSiteId,
+ SourceProcessInfo,
+ DataSiteName,
+ SrcUserName,
+ EventId,
+ EventOriginalMessage,
+ SiteId,
+ SiteName,
+ UpdatedAt,
+ UserIdentity,
+ EventType,
+ DataByUser,
+ DataRole,
+ DataUserScope,
+ EventTypeDetailed,
+ DataSource,
+ DataExpiryDateStr,
+ DataExpiryTime,
+ DataNetworkquarantine,
+ DataRuleCreationTime,
+ DataRuleDescription,
+ DataRuleExpirationMode,
+ DataRuleId,
+ DataRuleName,
+ DataRuleQueryDetails,
+ DataRuleQueryType,
+ DataRuleSeverity,
+ DataScopeId,
+ DataStatus,
+ DataSystemUser,
+ DataTreatasthreat,
+ DataUserId,
+ DataUserName,
+ EventSubStatus,
+ AgentId,
+ DataComputerName,
+ DataExternalIp,
+ DataGroupName,
+ DataSystem,
+ DataUuid,
+ GroupId,
+ GroupName,
+ DataGroup,
+ DataOptionalGroups,
+ DataCreatedAt,
+ DataDownloadUrl,
+ DataFilePath,
+ DataFilename,
+ DataUploadedFilename,
+ Comments,
+ DataNewValue,
+ DataPolicyId,
+ DataPolicyName,
+ DataNewValueb,
+ DataShouldReboot,
+ DataRoleName,
+ DataScopeLevelName,
+ ActiveDirectoryComputerDistinguishedName,
+ ActiveDirectoryComputerMemberOf,
+ ActiveDirectoryLastUserDistinguishedName,
+ ActiveDirectoryLastUserMemberOf,
+ ActiveThreats=toreal(activeThreats_d),
+ AgentVersion,
+ AllowRemoteShell,
+ AppsVulnerabilityStatus,
+ ComputerName,
+ ConsoleMigrationStatus,
+ CoreCount=toreal(coreCount_d),
+ CpuCount=toreal(cpuCount_d),
+ CpuId,
+ SrcDvcDomain,
+ EncryptedApplications,
+ ExternalId,
+ ExternalIp,
+ FirewallEnabled,
+ GroupIp,
+ InRemoteShellSession,
+ Infected,
+ InstallerType,
+ IsActive,
+ IsDecommissioned,
+ IsPendingUninstall,
+ IsUninstalled,
+ IsUpToDate,
+ LastActiveDate=tostring(LastActiveDate_datetime),
+ LastIpToMgmt,
+ LastLoggedInUserName,
+ LicenseKey,
+ LocationEnabled,
+ LocationType,
+ Locations,
+ MachineType,
+ MitigationMode,
+ MitigationModeSuspicious,
+ SrcDvcModelName,
+ NetworkInterfaces,
+ NetworkQuarantineEnabled,
+ NetworkStatus,
+ OperationalState,
+ OsArch,
+ SrcDvcOs,
+ OsRevision,
+ OsStartTime,
+ OsType,
+ RangerStatus,
+ RangerVersion,
+ RegisteredAt=tostring(RegisteredAt_datetime),
+ RemoteProfilingState,
+ ScanFinishedAt=tostring(ScanFinishedAt_datetime),
+ ScanStartedAt=tostring(ScanStartedAt_datetime),
+ ScanStatus,
+ ThreatRebootRequired,
+ TotalMemory=toreal(totalMemory_d),
+ UserActionsNeeded,
+ Uuid, + 
Creator, + CreatorId, + Inherits, + IsDefault, + Name, + AlertInfo, + RuleInfo, + ContainerInfo, + RegistrationToken, + TotalAgents=totalAgents_d, + Type; +}; +SentinelOne_view \ No newline at end of file diff --git a/Solutions/SentinelOne/SolutionMetadata.json b/Solutions/SentinelOne/SolutionMetadata.json index 024855ceb0b..6cfa0385e0e 100644 --- a/Solutions/SentinelOne/SolutionMetadata.json +++ b/Solutions/SentinelOne/SolutionMetadata.json @@ -1,7 +1,10 @@ { "publisherId": "azuresentinel", "offerId": "azure-sentinel-solution-sentinelone", - "firstPublishDate": "2022-04-01", + "SolutionVersion":"1.0.1", + "ConnectorDefinitionTemplateVersion": "1.0.1", + "DataConnectorsTemplateVersion": "1.0.1", + "firstPublishDate": "2024-11-26", "providers": [ "SentinelOne" ], "categories": { "domains": ["Security - Threat Protection"]
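Review bot: Rewriting `firstPublishDate` from "2022-04-01" to "2024-11-26" erases the solution's original publication date instead of recording this release; the removed line should be kept and the new date go into the separate last-publish field the solution metadata convention provides, i.e. `"firstPublishDate": "2022-04-01",` followed by `"lastPublishDate": "2024-11-26",`. The three added version keys (`SolutionVersion`, `ConnectorDefinitionTemplateVersion`, `DataConnectorsTemplateVersion`) are PascalCase while every existing key in the file is camelCase, and `"SolutionVersion":"1.0.1"` also drops the space after the colon that the neighbouring lines use; unless the packaging tooling requires these exact spellings, matching the file's existing naming and spacing keeps the document consistent.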