Skip to content

Commit

Permalink
[ASIM Parsers] Generate deployable ARM templates from KQL function YA…
Browse files Browse the repository at this point in the history 
…ML files.
  • Loading branch information
github-actions[bot] committed Nov 25, 2024
1 parent 9a5231b commit c42eb7d
Show file tree
Hide file tree
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion ...tEvent/ARM/ASimAlertEventSentinelOneSingularity/ASimAlertEventSentinelOneSingularity.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@
"displayName": "Alert Event ASIM parser for SentinelOne Singularity platform",
"category": "ASIM",
"FunctionAlias": "ASimAlertEventSentinelOneSingularity",
"query": "let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string)\n [\n \"Undefined\", \"Unknown\",\n \"true_positive\", \"True Positive\",\n \"suspicious\", \"True Positive\",\n \"false_positive\", \"False Positive\"\n];\nlet ThreatCategoryArray = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet DetectionMethodLookup = datatable (\n threatInfo_engines_s: string,\n DetectionMethod: string\n)\n [\n \"Intrusion Detection\", \"Intrusion Detection\",\n \"User-Defined Blocklist\", \"User Defined Blocked List\",\n \"Reputation\", \"Reputation\"\n];\nlet parser = (\n disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s in (\"Threats.\")\n // Mapping Inspection Fields\n | extend \n AlertId = threatInfo_threatId_s,\n AlertName = threatInfo_threatName_s,\n AlertStatus = iif(threatInfo_incidentStatus_s == \"resolved\", \"Closed\", \"Active\"),\n AlertOriginalStatus = threatInfo_incidentStatus_s,\n Names = extract_all('\"name\":\"([^\"]+)\"', dynamic([1]), indicators_s),\n ThreatId = threatInfo_threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatLastReportedTime = threatInfo_updatedAt_t,\n ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, \"\"),\n ThreatOriginalCategory = threatInfo_classification_s\n | extend\n AttackTechniques = tostring(extract_all('\"(T[0-9]+\\\\.[0-9]+|T[0-9]+)\"', dynamic([1]), tostring(Names))),\n AttackTactics = tostring(extract_all('\"([^T][^0-9]+)\"', dynamic([1]), tostring(Names)))\n | project-away Names\n | lookup DetectionMethodLookup on threatInfo_engines_s\n | extend analystVerdict_s = threatInfo_analystVerdict_s\n | lookup AlertVerdictLookup on analystVerdict_s\n // Mapping Dvc Fields\n | extend \n DvcHostname = agentRealtimeInfo_agentComputerName_s,\n DvcOs = agentRealtimeInfo_agentOsName_s,\n DvcOsVersion = agentRealtimeInfo_agentOsRevision_s,\n DvcId = agentRealtimeInfo_agentId_s,\n DvcIdType = \"Other\",\n DvcDomain = agentRealtimeInfo_agentDomain_s,\n DvcDomainType = \"Windows\",\n DvcIpAddr = agentDetectionInfo_agentIpV4_s\n // Mapping Process Entity\n | extend\n ProcessCommandLine = threatInfo_maliciousProcessArguments_s,\n ProcessName = threatInfo_originatorProcess_s\n // Mapping File Fields\n | extend \n FileMD5 = threatInfo_md5_g,\n FileSHA1 = threatInfo_sha1_s,\n FileSHA256 = threatInfo_sha256_s,\n FilePath=threatInfo_filePath_s,\n FileSize = threatInfo_fileSize_d\n // Mapping User Fields\n | extend \n Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)\n | extend UsernameType = _ASIM_GetUsernameType(Username)\n // Event Fields\n | extend\n EventType = 'Alert',\n EventOriginalType = event_name_s,\n EventUid = threatInfo_threatId_s,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = 'Singularity',\n EventVendor = 'SentinelOne',\n EventSchemaVersion = '0.1',\n EventSchema = \"AlertEvent\"\n | extend EventSubType = \"Threat\"\n // Aliases\n | extend\n IpAddr = DvcIpAddr,\n User = Username,\n Hostname = DvcHostname\n | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d\n};\nparser (\n disabled = disabled\n)",
"query": "let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string)\n [\n \"Undefined\", \"Unknown\",\n \"true_positive\", \"True Positive\",\n \"suspicious\", \"True Positive\",\n \"false_positive\", \"False Positive\"\n];\nlet ThreatCategoryArray = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet DetectionMethodLookup = datatable (\n threatInfo_engines_s: string,\n DetectionMethod: string\n)\n [\n \"Intrusion Detection\", \"Intrusion Detection\",\n \"User-Defined Blocklist\", \"User Defined Blocked List\",\n \"Reputation\", \"Reputation\"\n];\nlet parser = (\n disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s in (\"Threats.\")\n // Mapping Inspection Fields\n | extend \n AlertId = threatInfo_threatId_s,\n AlertName = threatInfo_threatName_s,\n AlertStatus = iif(threatInfo_incidentStatus_s == \"resolved\", \"Closed\", \"Active\"),\n AlertOriginalStatus = threatInfo_incidentStatus_s,\n Names = extract_all('\"name\":\"([^\"]+)\"', dynamic([1]), indicators_s),\n ThreatId = threatInfo_threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatLastReportedTime = threatInfo_updatedAt_t,\n ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, \"\"),\n ThreatOriginalCategory = threatInfo_classification_s\n | extend\n AttackTechniques = tostring(extract_all('\"(T[0-9]+\\\\.[0-9]+|T[0-9]+)\"', dynamic([1]), tostring(Names))),\n AttackTactics = tostring(extract_all('\"([^T][^0-9\",]+)\"', dynamic([1]), tostring(Names)))\n | project-away Names\n | lookup DetectionMethodLookup on threatInfo_engines_s\n | extend analystVerdict_s = threatInfo_analystVerdict_s\n | lookup AlertVerdictLookup on analystVerdict_s\n // Mapping Dvc Fields\n | extend \n DvcHostname = agentRealtimeInfo_agentComputerName_s,\n DvcOs = agentRealtimeInfo_agentOsName_s,\n DvcOsVersion = agentRealtimeInfo_agentOsRevision_s,\n DvcId = agentRealtimeInfo_agentId_s,\n DvcIdType = \"Other\",\n DvcDomain = agentRealtimeInfo_agentDomain_s,\n DvcDomainType = \"Windows\",\n DvcIpAddr = agentDetectionInfo_agentIpV4_s\n // Mapping Process Entity\n | extend\n ProcessCommandLine = threatInfo_maliciousProcessArguments_s,\n ProcessName = threatInfo_originatorProcess_s\n // Mapping File Fields\n | extend \n FileMD5 = threatInfo_md5_g,\n FileSHA1 = threatInfo_sha1_s,\n FileSHA256 = threatInfo_sha256_s,\n FilePath=threatInfo_filePath_s,\n FileSize = threatInfo_fileSize_d\n // Mapping User Fields\n | extend \n Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)\n | extend UsernameType = _ASIM_GetUsernameType(Username)\n // Event Fields\n | extend\n EventType = 'Alert',\n EventOriginalType = event_name_s,\n EventUid = threatInfo_threatId_s,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = 'Singularity',\n EventVendor = 'SentinelOne',\n EventSchemaVersion = '0.1',\n EventSchema = \"AlertEvent\"\n | extend EventSubType = \"Threat\"\n // Aliases\n | extend\n IpAddr = DvcIpAddr,\n User = Username,\n Hostname = DvcHostname\n | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d\n};\nparser (\n disabled = disabled\n)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
Expand Down
Loading

0 comments on commit c42eb7d

Please sign in to comment.