Fixed the suggested review1 changes and added RAW log files for senti…

…nel one.
Azure · Aug 29, 2023 · dbc89a6 · dbc89a6
1 parent 7d2e52a
commit dbc89a6
Show file tree

Hide file tree

Showing 9 changed files with 6,682 additions and 49 deletions.
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json
@@ -389,6 +389,10 @@
     "Name": "_ResourceId",
     "Type": "string"
   },
+  {
+    "Name": "_ItemId",
+    "Type": "string"
+  },
   {
     "Name": "alertInfo_indicatorDescription_s",
     "Type": "string"

diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml
@@ -1,6 +1,6 @@
 Parser:
   Title: User Management ASIM parser for SentinelOne
-  Version: '0.1.1'
+  Version: '0.1.0'
   LastUpdated: Jul 25, 2023
 Product:
   Name: SentinelOne
@@ -17,7 +17,7 @@ References:
 Description: |
   This ASIM parser supports normalizing SentinelOne logs to the ASIM User Management normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
 ParserName: ASimUserManagementSentinelOne
-EquivalentBuiltInParser: _Im_UserManagement_SentinelOne
+EquivalentBuiltInParser: _ASim_UserManagement_SentinelOne
 ParserParams:
   - Name: disabled
     Type: bool
@@ -32,7 +32,7 @@ ParserQuery: |
       23, "UserCreated", "User Added", "",
       24, "UserModified", "User Modified", "MultipleProperties",
       25, "UserDeleted", "User Deleted", "",
-      37, "UserModified", "User modified", "UserModified",
+      37, "UserModified", "User modified", "MultipleProperties",
       102, "UserDeleted", "User Deleted", "",
       110, "UserModified", "Enable API Token Generation", "NewPermissions",
       111, "UserModified", "Disable API Token Generation", "PreviousPermissions",
@@ -51,9 +51,11 @@ ParserQuery: |
   ];
   let parser = (disabled: bool=false) {
       SentinelOne_CL
-      | where event_name_s == "Activities."
+      | where not(disabled)
+          and event_name_s == "Activities."
           and activityType_d in (23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011)
       | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
+      | parse modifiedFields with 'Modified fields: ' ModifiedFields:string
       | parse description_s with * "with id=" id: string "," restOfMessage
       | lookup EventTypeLookup on activityType_d
       | extend 
@@ -65,39 +67,45 @@ ParserQuery: |
       | extend GroupName = iff(GroupName == "null", "", GroupName)
       | project-rename
           EventStartTime = createdAt_t,
-          DvcIpAddr = ipAddress,
-          EventUid = _ResourceId,
+          SrcIpAddr = ipAddress,
+          EventUid = _ItemId,
           ActorUserId = id,
           GroupId = groupId_s,
           EventMessage = primaryDescription_s,
           EventOriginalUid = activityUuid_g
       | extend
           EventCount = int(1),
           EventResult = "Success",
+          DvcAction = "Allowed",
           EventSeverity = "Informational",
           EventSchema = "UserManagement",
           EventSchemaVersion = "0.1.1",
           EventProduct = "SentinelOne",
           EventVendor = "SentinelOne",
           EventResultDetails = "Other"
       | extend
-          Dvc = coalesce(DvcIpAddr, "SentinelOne"),
+          Dvc = EventProduct,
           EventEndTime = EventStartTime,
+          IpAddr = SrcIpAddr,
           User = ActorUsername,
           UpdatedPropertyName = EventSubType,
+          ActorUserIdType = iff(isnotempty(ActorUserId),"Other",""),
+          ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),
           ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
           GroupIdType = iff(isnotempty(GroupId), "UID", ""),
           GroupNameType = iff(isnotempty(GroupName), "Simple", ""),
+          GroupType = iff(isnotempty(groupType), "Other", ""),
+          GroupOriginalType = groupType,
           TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
+          TargetUserType = _ASIM_GetUserType(TargetUsername, ""),
           AdditionalFields = bag_pack(
                         "userScope", userScope,
                         "scopeLevelName", scopeLevelName,
                         "scopeName", scopeName,
                         "modifiedFields", modifiedFields,
                         "roleName", roleName,
                         "deactivationPeriodInDays", deactivationPeriodInDays,
-                        "descriptionChanged", descriptionChanged,
-                        "groupType", groupType
+                        "descriptionChanged", descriptionChanged
                     )
       | project-away 
           *_b,
@@ -110,6 +118,7 @@ ParserQuery: |
           email,
           group,
           groupName,
+          groupType,
           name,
           oldDescription,
           oldRole,
@@ -120,10 +129,11 @@ ParserQuery: |
           scopeName,
           roleName,
           modifiedFields,
+          ModifiedFields,
           deactivationPeriodInDays,
           descriptionChanged,
-          groupType,
           restOfMessage,
+          _ResourceId,
           TenantId,
           RawData,
           Computer,

diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml
@@ -0,0 +1,185 @@
+Parser:
+  Title: User Management ASIM parser for SentinelOne
+  Version: '0.1.0'
+  LastUpdated: Aug 24, 2023
+Product:
+  Name: SentinelOne
+Normalization:
+  Schema: UserManagement
+  Version: '0.1.1'
+References:
+- Title: ASIM UserManagement Schema
+  Link: https://aka.ms/ASimUserManagementDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+- Title: SentinelOne Documentation
+- Link: https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview
+Description: |
+  This ASIM parser supports normalizing SentinelOne logs to the ASIM User Management normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+ParserName: vimUserManagementSentinelOne
+EquivalentBuiltInParser: _Im_UserManagement_SentinelOne
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: targetusername_has
+    Type: string
+    Default: '*'
+  - Name: actorusername_has
+    Type: string
+    Default: '*'
+  - Name: targetdomain_has
+    Type: string
+    Default: '*'
+  - Name: anydomain_has
+    Type: string    
+    Default: '*'
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let EventTypeLookup = datatable (
+      activityType_d: real,
+      EventType: string,
+      EventOriginalType: string,
+      EventSubType: string
+  )[
+      23, "UserCreated", "User Added", "",
+      24, "UserModified", "User Modified", "MultipleProperties",
+      25, "UserDeleted", "User Deleted", "",
+      37, "UserModified", "User modified", "MultipleProperties",
+      102, "UserDeleted", "User Deleted", "",
+      110, "UserModified", "Enable API Token Generation", "NewPermissions",
+      111, "UserModified", "Disable API Token Generation", "PreviousPermissions",
+      140, "UserCreated", "Service User creation", "",
+      141, "UserModified", "Service User modification", "MultipleProperties",
+      142, "UserDeleted", "Service User deletion", "",
+      3522, "GroupCreated", "Ranger Deploy - Credential Group Created", "",
+      3523, "GroupModified", "Ranger Deploy -Credential Group Edited", "MultipleProperties",
+      3524, "GroupDeleted", "Ranger Deploy - Credential Group Deleted", "",
+      3710, "PasswordReset", "User Reset Password with Forgot Password from the Login", "",
+      3711, "PasswordChanged", "User Changed Their Password", "",
+      3715, "PasswordReset", "User Reset Password by Admin Request", "",
+      5006, "GroupDeleted", "Group Deleted", "",
+      5008, "GroupCreated", "User created a Manual or Pinned Group", "",
+      5011, "GroupModified", "Group Policy Reverted", "Newpolicy",
+  ];
+  let parser = (
+    starttime:datetime=datetime(null), 
+    endtime:datetime=datetime(null),
+    targetusername_has:string="*", 
+    actorusername_has:string="",
+    targetdomain_has:string="*",
+    anydomain_has:string="*",
+    disabled:bool=false
+    ) {
+      SentinelOne_CL
+      | where not(disabled)
+          and event_name_s == "Activities."
+          and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)
+          and activityType_d in (23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011)
+          and (targetusername_has == "*" or DataFields_s has targetusername_has)
+          and (actorusername_has == "*" or DataFields_s has actorusername_has)
+          and targetdomain_has == "*"
+          and anydomain_has == "*"
+      | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
+      | parse modifiedFields with 'Modified fields: ' ModifiedFields:string
+      | parse description_s with * "with id=" id: string "," restOfMessage
+      | lookup EventTypeLookup on activityType_d
+      | extend 
+          ActorUsername = iff(activityType_d == 102, "SentinelOne", coalesce(byUser, username, email)),        
+          GroupName = coalesce(group, groupName, name),
+          TargetUsername = iff(isnotempty(byUser), username, ""),
+          PreviousPropertyValue = coalesce(oldDescription, oldRole),
+          NewPropertyValue = coalesce(description, role)
+      | where (targetusername_has == "*" or TargetUsername has targetusername_has)
+          and (actorusername_has == "*" or ActorUsername has actorusername_has)
+      | extend GroupName = iff(GroupName == "null", "", GroupName)
+      | project-rename
+          EventStartTime = createdAt_t,
+          SrcIpAddr = ipAddress,
+          EventUid = _ItemId,
+          ActorUserId = id,
+          GroupId = groupId_s,
+          EventMessage = primaryDescription_s,
+          EventOriginalUid = activityUuid_g
+      | extend
+          EventCount = int(1),
+          EventResult = "Success",
+          DvcAction = "Allowed",
+          EventSeverity = "Informational",
+          EventSchema = "UserManagement",
+          EventSchemaVersion = "0.1.1",
+          EventProduct = "SentinelOne",
+          EventVendor = "SentinelOne",
+          EventResultDetails = "Other"
+      | extend
+          Dvc = EventProduct,
+          EventEndTime = EventStartTime,
+          IpAddr = SrcIpAddr,
+          User = ActorUsername,
+          UpdatedPropertyName = EventSubType,
+          ActorUserIdType = iff(isnotempty(ActorUserId),"Other",""),
+          ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),
+          ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
+          GroupIdType = iff(isnotempty(GroupId), "UID", ""),
+          GroupNameType = iff(isnotempty(GroupName), "Simple", ""),
+          GroupType = iff(isnotempty(groupType), "Other", ""),
+          GroupOriginalType = groupType,
+          TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
+          TargetUserType = _ASIM_GetUserType(TargetUsername, ""),
+          AdditionalFields = bag_pack(
+                        "userScope", userScope,
+                        "scopeLevelName", scopeLevelName,
+                        "scopeName", scopeName,
+                        "modifiedFields", modifiedFields,
+                        "roleName", roleName,
+                        "deactivationPeriodInDays", deactivationPeriodInDays,
+                        "descriptionChanged", descriptionChanged
+                    )
+      | project-away 
+          *_b,
+          *_d,
+          *_g,
+          *_s,
+          *_t,
+          byUser,
+          username,
+          email,
+          group,
+          groupName,
+          groupType,
+          name,
+          oldDescription,
+          oldRole,
+          description,
+          role,
+          userScope,
+          scopeLevelName,
+          scopeName,
+          roleName,
+          modifiedFields,
+          ModifiedFields,
+          deactivationPeriodInDays,
+          descriptionChanged,
+          restOfMessage,
+          _ResourceId,
+          TenantId,
+          RawData,
+          Computer,
+          MG,
+          ManagementGroupName,
+          SourceSystem
+  };
+  parser(
+    starttime = starttime,
+    endtime = endtime,
+    targetusername_has = targetusername_has,
+    actorusername_has = actorusername_has,
+    targetdomain_has = targetdomain_has,
+    anydomain_has = anydomain_has,
+    disabled=disabled
+  )
diff --git a/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_DataTest.csv b/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_DataTest.csv
@@ -0,0 +1,15 @@
+Result
+"(0) Error: 4 invalid value(s) (up to 10 listed) in 32 records (52.46%) for field [EventSubType] of type [Enumerated]: [""MultipleProperties"",""PreviousPermissions"",""NewPermissions"",""Newpolicy""] (Schema:UserManagement)"
+"(0) Error: type mismatch for column [SrcIpAddr]. It is currently [string] and should be [IP address] (Schema:UserManagement)"
+"(2) Info: Empty value in 29 records (47.54%)  in optional field [EventSubType] (Schema:UserManagement)"
+"(2) Info: Empty value in 44 records (72.13%)  in optional field [ActorUserId] (Schema:UserManagement)"
+"(2) Info: Empty value in 54 records (88.52%)  in optional field [GroupIdType] (Schema:UserManagement)"
+"(2) Info: Empty value in 54 records (88.52%)  in optional field [GroupId] (Schema:UserManagement)"
+"(2) Info: Empty value in 54 records (88.52%)  in optional field [GroupNameType] (Schema:UserManagement)"
+"(2) Info: Empty value in 54 records (88.52%)  in optional field [GroupName] (Schema:UserManagement)"
+"(2) Info: Empty value in 54 records (88.52%)  in optional field [GroupOriginalType] (Schema:UserManagement)"
+"(2) Info: Empty value in 54 records (88.52%)  in optional field [GroupType] (Schema:UserManagement)"
+"(2) Info: Empty value in 59 records (96.72%)  in optional field [PreviousPropertyValue] (Schema:UserManagement)"
+"(2) Info: Empty value in 7 records (11.48%)  in optional field [NewPropertyValue] (Schema:UserManagement)"
+"(2) Info: Empty value in 8 records (13.11%)  in optional field [TargetUserType] (Schema:UserManagement)"
+"(2) Info: Empty value in 8 records (13.11%)  in optional field [TargetUsername] (Schema:UserManagement)"