Merge pull request #8670 from jayeshprajapaticrest/SentinelOneUserMan…

…agement ASIM User Management schema parser with its sample and test data for SentinelOne
Azure · Sep 22, 2023 · abc3103 · abc3103
2 parents 2d40e35 + 1ba88d8
commit abc3103
Show file tree

Hide file tree

Showing 11 changed files with 6,836 additions and 5 deletions.
diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv
@@ -543,7 +543,7 @@ EventProduct,string,Mandatory,FileEvent,Enumerated,Sysmon for Linux|Sysmon|M365
 EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki MX|Zeek|Firewall|ASA|Cynerio|SentinelOne,
 EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events,
 EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event,
-EventProduct,string,Mandatory,UserManagement,,,
+EventProduct,string,Mandatory,UserManagement,Enumerated,SentinelOne,
 EventProduct,string,Mandatory,WebSession,Enumerated,IIS|Squid Proxy|ZIA Proxy|Vectra Stream|PanOS|CDL|Fireware|Meraki MX|Web Security Gateway|Zeek|Dataminr Pulse,
 EventProductVersion,string,Optional,AuditEvent,,,
 EventProductVersion,string,Optional,Authentication,,,
@@ -670,7 +670,7 @@ EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microso
 EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft,
 EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne,
 EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft,
-EventVendor,string,Mandatory,UserManagement,,,
+EventVendor,string,Mandatory,UserManagement,Enumerated,SentinelOne,
 EventVendor,string,Mandatory,WebSession,Enumerated,Microsoft|Squid|Zscaler|Vectra AI|Palo Alto|WatchGuard|Cisco|Forcepoint|Corelight|Dataminr,
 FileContentType,string,Optional,WebSession,Enumerated,,
 FileMD5,string,Optional,WebSession,MD5,,

diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml
@@ -18,7 +18,8 @@ ParserName: ASimUserManagement
 EquivalentBuiltInParser: _ASim_UserManagement
 Parsers:
   - _Im_UserManagement_Empty
-  - _ASim_UserManagement_MicrosoftSecurityEvent 
+  - _ASim_UserManagement_MicrosoftSecurityEvent
+  - _ASim_UserManagement_SentinelOne 
 ParserParams:
   - Name: pack
     Type: bool
@@ -32,7 +33,8 @@ ParserQuery: |
   union isfuzzy=true
     vimUserManagementEmpty,
     ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),
-    ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE in (DisabledParsers)))
+    ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE in (DisabledParsers))),
+    ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne in (DisabledParsers)))
   }; 
   parser (
       pack=pack

diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml
@@ -0,0 +1,144 @@
+Parser:
+  Title: User Management ASIM parser for SentinelOne
+  Version: '0.1.0'
+  LastUpdated: Aug 24, 2023
+Product:
+  Name: SentinelOne
+Normalization:
+  Schema: UserManagement
+  Version: '0.1.1'
+References:
+- Title: ASIM UserManagement Schema
+  Link: https://aka.ms/ASimUserManagementDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+- Title: SentinelOne Documentation
+- Link: https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview
+Description: |
+  This ASIM parser supports normalizing SentinelOne logs to the ASIM User Management normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+ParserName: ASimUserManagementSentinelOne
+EquivalentBuiltInParser: _ASim_UserManagement_SentinelOne
+ParserParams:
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let EventTypeLookup = datatable (
+      activityType_d: real,
+      EventType: string,
+      EventOriginalType: string,
+      EventSubType: string
+  )[
+      23, "UserCreated", "User Added", "",
+      24, "UserModified", "User Modified", "MultipleProperties",
+      25, "UserDeleted", "User Deleted", "",
+      37, "UserModified", "User modified", "MultipleProperties",
+      102, "UserDeleted", "User Deleted", "",
+      110, "UserModified", "Enable API Token Generation", "NewPermissions",
+      111, "UserModified", "Disable API Token Generation", "PreviousPermissions",
+      140, "UserCreated", "Service User creation", "",
+      141, "UserModified", "Service User modification", "MultipleProperties",
+      142, "UserDeleted", "Service User deletion", "",
+      3522, "GroupCreated", "Ranger Deploy - Credential Group Created", "",
+      3523, "GroupModified", "Ranger Deploy -Credential Group Edited", "MultipleProperties",
+      3524, "GroupDeleted", "Ranger Deploy - Credential Group Deleted", "",
+      3710, "PasswordReset", "User Reset Password with Forgot Password from the Login", "",
+      3711, "PasswordChanged", "User Changed Their Password", "",
+      3715, "PasswordReset", "User Reset Password by Admin Request", "",
+      5006, "GroupDeleted", "Group Deleted", "",
+      5008, "GroupCreated", "User created a Manual or Pinned Group", "",
+      5011, "GroupModified", "Group Policy Reverted", "Newpolicy",
+  ];
+  let parser = (disabled: bool=false) {
+      SentinelOne_CL
+      | where not(disabled)
+          and event_name_s == "Activities."
+          and activityType_d in (23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011)
+      | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
+      | parse modifiedFields with 'Modified fields: ' ModifiedFields:string
+      | parse description_s with * "with id=" id: string "," restOfMessage
+      | lookup EventTypeLookup on activityType_d
+      | extend 
+          ActorUsername = iff(activityType_d == 102, "SentinelOne", coalesce(byUser, username, email)),        
+          GroupName = coalesce(group, groupName, name),
+          TargetUsername = iff(isnotempty(byUser), username, ""),
+          PreviousPropertyValue = coalesce(oldDescription, oldRole),
+          NewPropertyValue = coalesce(description, role)
+      | extend GroupName = iff(GroupName == "null", "", GroupName)
+      | project-rename
+          EventStartTime = createdAt_t,
+          SrcIpAddr = ipAddress,
+          EventUid = _ItemId,
+          ActorUserId = id,
+          GroupId = groupId_s,
+          EventMessage = primaryDescription_s,
+          EventOriginalUid = activityUuid_g
+      | extend
+          EventCount = int(1),
+          EventResult = "Success",
+          DvcAction = "Allowed",
+          EventSeverity = "Informational",
+          EventSchema = "UserManagement",
+          EventSchemaVersion = "0.1.1",
+          EventProduct = "SentinelOne",
+          EventVendor = "SentinelOne",
+          EventResultDetails = "Other"
+      | extend
+          Dvc = EventProduct,
+          EventEndTime = EventStartTime,
+          IpAddr = SrcIpAddr,
+          User = ActorUsername,
+          UpdatedPropertyName = EventSubType,
+          ActorUserIdType = iff(isnotempty(ActorUserId),"Other",""),
+          ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),
+          ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
+          GroupIdType = iff(isnotempty(GroupId), "UID", ""),
+          GroupNameType = iff(isnotempty(GroupName), "Simple", ""),
+          GroupType = iff(isnotempty(groupType), "Other", ""),
+          GroupOriginalType = groupType,
+          TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
+          TargetUserType = _ASIM_GetUserType(TargetUsername, ""),
+          AdditionalFields = bag_pack(
+                        "userScope", userScope,
+                        "scopeLevelName", scopeLevelName,
+                        "scopeName", scopeName,
+                        "modifiedFields", modifiedFields,
+                        "roleName", roleName,
+                        "deactivationPeriodInDays", deactivationPeriodInDays,
+                        "descriptionChanged", descriptionChanged
+                    )
+      | project-away 
+          *_b,
+          *_d,
+          *_g,
+          *_s,
+          *_t,
+          byUser,
+          username,
+          email,
+          group,
+          groupName,
+          groupType,
+          name,
+          oldDescription,
+          oldRole,
+          description,
+          role,
+          userScope,
+          scopeLevelName,
+          scopeName,
+          roleName,
+          modifiedFields,
+          ModifiedFields,
+          deactivationPeriodInDays,
+          descriptionChanged,
+          restOfMessage,
+          _ResourceId,
+          TenantId,
+          RawData,
+          Computer,
+          MG,
+          ManagementGroupName,
+          SourceSystem
+  };
+  parser(disabled=disabled)
diff --git a/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml b/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml
@@ -19,6 +19,7 @@ EquivalentBuiltInParser: _Im_UserManagement
 Parsers:
   - _Im_UserManagement_Empty
   - _Im_UserManagement_MicrosoftSecurityEvent
+  - _Im_UserManagement_SentinelOne
 ParserParams:
   - Name: starttime
     Type: datetime
@@ -57,7 +58,8 @@ ParserQuery: |
   union isfuzzy=true
     vimUserManagementEmpty,
     vimUserManagementMicrosoftSecurityEvent(starttime, endtime, srcipaddr_has_any_prefix, targetusername_has_any, actorusername_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftSecurityEvent'      in (DisabledParsers) )),
-    vimUserManagementCiscoISE(starttime, endtime, srcipaddr_has_any_prefix, eventresult, eventtype_in, actorusername_has_any, ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE'      in (DisabledParsers) ))
+    vimUserManagementCiscoISE(starttime, endtime, srcipaddr_has_any_prefix, eventresult, eventtype_in, actorusername_has_any, ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE'      in (DisabledParsers) )),
+    vimUserManagementSentinelOne(starttime, endtime, targetusername_has, actorusername_has, targetdomain_has_any, anydomain_has_any, ASimBuiltInDisabled or ('ExcludevimUserManagementSentinelOne'      in (DisabledParsers) ))
   }; 
   parser (
     starttime=starttime, 

diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml
@@ -0,0 +1,186 @@
+Parser:
+  Title: User Management ASIM parser for SentinelOne
+  Version: '0.1.0'
+  LastUpdated: Aug 24, 2023
+Product:
+  Name: SentinelOne
+Normalization:
+  Schema: UserManagement
+  Version: '0.1.1'
+References:
+- Title: ASIM UserManagement Schema
+  Link: https://aka.ms/ASimUserManagementDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+- Title: SentinelOne Documentation
+- Link: https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview
+Description: |
+  This ASIM parser supports normalizing SentinelOne logs to the ASIM User Management normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+ParserName: vimUserManagementSentinelOne
+EquivalentBuiltInParser: _Im_UserManagement_SentinelOne
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: srcipaddr_has_any_prefix
+    Type: dynamic
+    Default: dynamic([])
+  - Name: actorusername_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: targetusername_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: eventtype_in
+    Type: dynamic
+    Default: dynamic([])
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let EventTypeLookup = datatable (
+      activityType_d: real,
+      EventType: string,
+      EventOriginalType: string,
+      EventSubType: string
+  )[
+      23, "UserCreated", "User Added", "",
+      24, "UserModified", "User Modified", "MultipleProperties",
+      25, "UserDeleted", "User Deleted", "",
+      37, "UserModified", "User modified", "MultipleProperties",
+      102, "UserDeleted", "User Deleted", "",
+      110, "UserModified", "Enable API Token Generation", "NewPermissions",
+      111, "UserModified", "Disable API Token Generation", "PreviousPermissions",
+      140, "UserCreated", "Service User creation", "",
+      141, "UserModified", "Service User modification", "MultipleProperties",
+      142, "UserDeleted", "Service User deletion", "",
+      3522, "GroupCreated", "Ranger Deploy - Credential Group Created", "",
+      3523, "GroupModified", "Ranger Deploy -Credential Group Edited", "MultipleProperties",
+      3524, "GroupDeleted", "Ranger Deploy - Credential Group Deleted", "",
+      3710, "PasswordReset", "User Reset Password with Forgot Password from the Login", "",
+      3711, "PasswordChanged", "User Changed Their Password", "",
+      3715, "PasswordReset", "User Reset Password by Admin Request", "",
+      5006, "GroupDeleted", "Group Deleted", "",
+      5008, "GroupCreated", "User created a Manual or Pinned Group", "",
+      5011, "GroupModified", "Group Policy Reverted", "Newpolicy",
+  ];
+  let parser = (
+    starttime:datetime=datetime(null), 
+    endtime:datetime=datetime(null),
+    srcipaddr_has_any_prefix: dynamic=dynamic([]), 
+    targetusername_has_any: dynamic=dynamic([]),
+    actorusername_has_any: dynamic=dynamic([]),
+    eventtype_in: dynamic=dynamic([]),
+    disabled:bool=false
+    ) {
+      SentinelOne_CL
+      | where not(disabled)
+          and event_name_s == "Activities."
+          and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)
+          and activityType_d in (23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011)
+          and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix))
+          and (array_length(targetusername_has_any) == 0 or DataFields_s has_any (targetusername_has_any))
+          and (array_length(actorusername_has_any) == 0 or DataFields_s has_any (actorusername_has_any))
+      | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
+      | where array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix)
+      | parse modifiedFields with 'Modified fields: ' ModifiedFields:string
+      | parse description_s with * "with id=" id: string "," restOfMessage
+      | lookup EventTypeLookup on activityType_d
+      | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))
+      | extend 
+          ActorUsername = iff(activityType_d == 102, "SentinelOne", coalesce(byUser, username, email)),        
+          GroupName = coalesce(group, groupName, name),
+          TargetUsername = iff(isnotempty(byUser), username, ""),
+          PreviousPropertyValue = coalesce(oldDescription, oldRole),
+          NewPropertyValue = coalesce(description, role)
+      | where (array_length(targetusername_has_any) == 0 or TargetUsername has_any (targetusername_has_any))
+          and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))
+      | extend GroupName = iff(GroupName == "null", "", GroupName)
+      | project-rename
+          EventStartTime = createdAt_t,
+          SrcIpAddr = ipAddress,
+          EventUid = _ItemId,
+          ActorUserId = id,
+          GroupId = groupId_s,
+          EventMessage = primaryDescription_s,
+          EventOriginalUid = activityUuid_g
+      | extend
+          EventCount = int(1),
+          EventResult = "Success",
+          DvcAction = "Allowed",
+          EventSeverity = "Informational",
+          EventSchema = "UserManagement",
+          EventSchemaVersion = "0.1.1",
+          EventProduct = "SentinelOne",
+          EventVendor = "SentinelOne",
+          EventResultDetails = "Other"
+      | extend
+          Dvc = EventProduct,
+          EventEndTime = EventStartTime,
+          IpAddr = SrcIpAddr,
+          User = ActorUsername,
+          UpdatedPropertyName = EventSubType,
+          ActorUserIdType = iff(isnotempty(ActorUserId),"Other",""),
+          ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),
+          ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
+          GroupIdType = iff(isnotempty(GroupId), "UID", ""),
+          GroupNameType = iff(isnotempty(GroupName), "Simple", ""),
+          GroupType = iff(isnotempty(groupType), "Other", ""),
+          GroupOriginalType = groupType,
+          TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
+          TargetUserType = _ASIM_GetUserType(TargetUsername, ""),
+          AdditionalFields = bag_pack(
+                        "userScope", userScope,
+                        "scopeLevelName", scopeLevelName,
+                        "scopeName", scopeName,
+                        "modifiedFields", modifiedFields,
+                        "roleName", roleName,
+                        "deactivationPeriodInDays", deactivationPeriodInDays,
+                        "descriptionChanged", descriptionChanged
+                    )
+      | project-away 
+          *_b,
+          *_d,
+          *_g,
+          *_s,
+          *_t,
+          byUser,
+          username,
+          email,
+          group,
+          groupName,
+          groupType,
+          name,
+          oldDescription,
+          oldRole,
+          description,
+          role,
+          userScope,
+          scopeLevelName,
+          scopeName,
+          roleName,
+          modifiedFields,
+          ModifiedFields,
+          deactivationPeriodInDays,
+          descriptionChanged,
+          restOfMessage,
+          _ResourceId,
+          TenantId,
+          RawData,
+          Computer,
+          MG,
+          ManagementGroupName,
+          SourceSystem
+  };
+  parser(
+    starttime = starttime,
+    endtime = endtime,
+    srcipaddr_has_any_prefix  = srcipaddr_has_any_prefix ,
+    targetusername_has_any = targetusername_has_any,
+    actorusername_has_any = actorusername_has_any,
+    eventtype_in = eventtype_in,
+    disabled = disabled
+  )