From dbc89a6523b330be4e44c498d15d7a5ece9c8f79 Mon Sep 17 00:00:00 2001 From: Jayesh Prajapati Date: Tue, 29 Aug 2023 12:35:45 +0530 Subject: [PATCH] Fixed the suggested review1 changes and added RAW log files for sentinel one. --- .../CustomTables/SentinelOne_CL.json | 4 + .../ASimUserManagementSentinelOne.yaml | 30 +- .../Parsers/vimUserManagementSentinelOne.yaml | 185 + ...entinelOne_ASimUserManagement_DataTest.csv | 15 + ...tinelOne_ASimUserManagement_SchemaTest.csv | 82 +- ...SentinelOne_vimUserManagement_DataTest.csv | 15 + ...ntinelOne_vimUserManagement_SchemaTest.csv | 47 + ...entinelOne_ASimUserManagement_RawLogs.json | 6350 +++++++++++++++++ Sample Data/ASIM/SentinelOne_CL_Schema.csv | 3 +- 9 files changed, 6682 insertions(+), 49 deletions(-) create mode 100644 Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml create mode 100644 Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_DataTest.csv create mode 100644 Parsers/ASimUserManagement/Tests/SentinelOne_vimUserManagement_DataTest.csv create mode 100644 Parsers/ASimUserManagement/Tests/SentinelOne_vimUserManagement_SchemaTest.csv create mode 100644 Sample Data/ASIM/SentinelOne_ASimUserManagement_RawLogs.json diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json index a240d92d89b..bbce9d77495 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOne_CL.json @@ -389,6 +389,10 @@ "Name": "_ResourceId", "Type": "string" }, + { + "Name": "_ItemId", + "Type": "string" + }, { "Name": "alertInfo_indicatorDescription_s", "Type": "string" diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml index 7c73268d6d9..833c68810e9 100644 --- a/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml 
+++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml @@ -1,6 +1,6 @@ Parser: Title: User Management ASIM parser for SentinelOne - Version: '0.1.1' + Version: '0.1.0' LastUpdated: Jul 25, 2023 Product: Name: SentinelOne @@ -17,7 +17,7 @@ References: Description: | This ASIM parser supports normalizing SentinelOne logs to the ASIM User Management normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. ParserName: ASimUserManagementSentinelOne -EquivalentBuiltInParser: _Im_UserManagement_SentinelOne +EquivalentBuiltInParser: _ASim_UserManagement_SentinelOne ParserParams: - Name: disabled Type: bool @@ -32,7 +32,7 @@ ParserQuery: | 23, "UserCreated", "User Added", "", 24, "UserModified", "User Modified", "MultipleProperties", 25, "UserDeleted", "User Deleted", "", - 37, "UserModified", "User modified", "UserModified", + 37, "UserModified", "User modified", "MultipleProperties", 102, "UserDeleted", "User Deleted", "", 110, "UserModified", "Enable API Token Generation", "NewPermissions", 111, "UserModified", "Disable API Token Generation", "PreviousPermissions", 
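Review bot: The parser Version goes backward from '0.1.1' to '0.1.0' in the first hunk, while this same commit renames output fields (DvcIpAddr to SrcIpAddr, EventUid now taken from _ItemId) and adds new ones, so anyone comparing deployed parser versions will see the changed parser as the older one. The version should move forward, e.g. `Version: '0.1.2'`. LastUpdated still reads Jul 25, 2023 although the new vim parser in this patch is dated Aug 24, 2023 and the patch itself Aug 29; refresh it to the date of this change.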
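Review bot: Row 37 now emits EventSubType `MultipleProperties`, in line with rows 24, 141 and 3523, but the data-test baseline committed in this same patch reports MultipleProperties, PreviousPermissions, NewPermissions and Newpolicy as invalid enumerated EventSubType values, so the lookup table and the schema (or the tester's enumeration) still disagree. Either those values are outside the UserManagement 0.1.1 enumeration, in which case the table needs the schema's spelling, or the tester's list is stale and the baseline should not carry a level-0 error; I cannot tell which from the diff. At minimum `Newpolicy` on row 5011 breaks the PascalCase used by every other value, and whatever spelling is settled on should be applied to the identical table in vimUserManagementSentinelOne.yaml so both parsers agree.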
@@ -51,9 +51,11 @@ ParserQuery: | ]; let parser = (disabled: bool=false) { SentinelOne_CL - | where event_name_s == "Activities." + | where not(disabled) + and event_name_s == "Activities." and activityType_d in (23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011) | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string) with (pair_delimiter=",", kv_delimiter=":", quote='"') + | parse modifiedFields with 'Modified fields: ' ModifiedFields:string | parse description_s with * "with id=" id: string "," restOfMessage | lookup EventTypeLookup on activityType_d | extend @@ -65,8 +67,8 @@ ParserQuery: | | extend GroupName = iff(GroupName == "null", "", GroupName) | project-rename EventStartTime = createdAt_t, - DvcIpAddr = ipAddress, - EventUid = _ResourceId, + SrcIpAddr = ipAddress, + EventUid = _ItemId, ActorUserId = id, GroupId = groupId_s, EventMessage = primaryDescription_s, @@ -74,6 +76,7 @@ ParserQuery: | | extend EventCount = int(1), EventResult = "Success", + DvcAction = "Allowed", EventSeverity = "Informational", EventSchema = "UserManagement", EventSchemaVersion = "0.1.1", 
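Review bot: The new `| parse modifiedFields with 'Modified fields: ' ModifiedFields:string` produces a column that nothing consumes: the later project-away hunk in this file drops `ModifiedFields` together with the raw `modifiedFields`, and AdditionalFields still packs the raw `modifiedFields`. Either remove the parse line or use its result, for example pack `"modifiedFields", ModifiedFields` so AdditionalFields carries the field list without the 'Modified fields: ' prefix. Note that `parse` in its default simple mode leaves `ModifiedFields` empty when the value does not start with that exact prefix, so if the result is used, `coalesce(ModifiedFields, modifiedFields)` keeps the raw value for those rows. The parser function continues outside this hunk.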
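Review bot: `SrcIpAddr = ipAddress` takes the value straight from parse-kv over DataFields_s, and the sample raw logs added in this patch show DataFields carrying JSON nulls (`"groupName": null`, `"realUser": null`) that reach the parser as the literal string `null` — the file already works around this for GroupName with `iff(GroupName == "null", "", GroupName)`, but ipAddress gets no such guard, so an absent address becomes SrcIpAddr/IpAddr = "null". Both schema-test baselines committed here also fail SrcIpAddr with a type mismatch. I would normalise before the rename, e.g. `| extend ipAddress = iff(ipAddress == "null", "", ipAddress)` placed ahead of the project-rename, and check the sample values against the tester's IP check so the level-0 error is fixed rather than baselined. The enclosing parser function starts before this hunk.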
@@ -81,14 +84,20 @@ ParserQuery: | EventVendor = "SentinelOne", EventResultDetails = "Other" | extend - Dvc = coalesce(DvcIpAddr, "SentinelOne"), + Dvc = EventProduct, EventEndTime = EventStartTime, + IpAddr = SrcIpAddr, User = ActorUsername, UpdatedPropertyName = EventSubType, + ActorUserIdType = iff(isnotempty(ActorUserId),"Other",""), + ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId), ActorUsernameType = _ASIM_GetUsernameType(ActorUsername), GroupIdType = iff(isnotempty(GroupId), "UID", ""), GroupNameType = iff(isnotempty(GroupName), "Simple", ""), + GroupType = iff(isnotempty(groupType), "Other", ""), + GroupOriginalType = groupType, TargetUsernameType = _ASIM_GetUsernameType(TargetUsername), + TargetUserType = _ASIM_GetUserType(TargetUsername, ""), AdditionalFields = bag_pack( "userScope", userScope, "scopeLevelName", scopeLevelName, @@ -96,8 +105,7 @@ ParserQuery: | "modifiedFields", modifiedFields, "roleName", roleName, "deactivationPeriodInDays", deactivationPeriodInDays, - "descriptionChanged", descriptionChanged, - "groupType", groupType + "descriptionChanged", descriptionChanged ) | project-away *_b, @@ -110,6 +118,7 @@ ParserQuery: | email, group, groupName, + groupType, name, oldDescription, oldRole, @@ -120,10 +129,11 @@ ParserQuery: | scopeName, roleName, modifiedFields, + ModifiedFields, deactivationPeriodInDays, descriptionChanged, - groupType, restOfMessage, + _ResourceId, TenantId, RawData, Computer, diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml new file mode 100644 index 00000000000..329e89c6154 --- /dev/null +++ b/Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml 
@@ -0,0 +1,185 @@ +Parser: + Title: User Management ASIM parser for SentinelOne + Version: '0.1.0' + LastUpdated: Aug 24, 2023 +Product: + Name: SentinelOne +Normalization: + Schema: UserManagement + Version: '0.1.1' +References: +- Title: ASIM UserManagement Schema + Link: https://aka.ms/ASimUserManagementDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +- Title: SentinelOne Documentation +- Link: https://.sentinelone.net/api-doc/overview +Description: | + This ASIM parser supports normalizing SentinelOne logs to the ASIM User Management normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. +ParserName: vimUserManagementSentinelOne +EquivalentBuiltInParser: _Im_UserManagement_SentinelOne +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: targetusername_has + Type: string + Default: '*' + - Name: actorusername_has + Type: string + Default: '*' + - Name: targetdomain_has + Type: string + Default: '*' + - Name: anydomain_has + Type: string + Default: '*' + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let EventTypeLookup = datatable ( + activityType_d: real, + EventType: string, + EventOriginalType: string, + EventSubType: string + )[ + 23, "UserCreated", "User Added", "", + 24, "UserModified", "User Modified", "MultipleProperties", + 25, "UserDeleted", "User Deleted", "", + 37, "UserModified", "User modified", "MultipleProperties", + 102, "UserDeleted", "User Deleted", "", + 110, "UserModified", "Enable API Token Generation", "NewPermissions", + 111, "UserModified", "Disable API Token Generation", "PreviousPermissions", + 140, "UserCreated", "Service User creation", "", + 141, "UserModified", "Service User modification", "MultipleProperties", + 
142, "UserDeleted", "Service User deletion", "", + 3522, "GroupCreated", "Ranger Deploy - Credential Group Created", "", + 3523, "GroupModified", "Ranger Deploy -Credential Group Edited", "MultipleProperties", + 3524, "GroupDeleted", "Ranger Deploy - Credential Group Deleted", "", + 3710, "PasswordReset", "User Reset Password with Forgot Password from the Login", "", + 3711, "PasswordChanged", "User Changed Their Password", "", + 3715, "PasswordReset", "User Reset Password by Admin Request", "", + 5006, "GroupDeleted", "Group Deleted", "", + 5008, "GroupCreated", "User created a Manual or Pinned Group", "", + 5011, "GroupModified", "Group Policy Reverted", "Newpolicy", + ]; + let parser = ( + starttime:datetime=datetime(null), + endtime:datetime=datetime(null), + targetusername_has:string="*", + actorusername_has:string="", + targetdomain_has:string="*", + anydomain_has:string="*", + disabled:bool=false + ) { + SentinelOne_CL + | where not(disabled) + and event_name_s == "Activities." + and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) + and activityType_d in (23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011) + and (targetusername_has == "*" or DataFields_s has targetusername_has) + and (actorusername_has == "*" or DataFields_s has actorusername_has) + and targetdomain_has == "*" + and anydomain_has == "*" + | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string) with (pair_delimiter=",", kv_delimiter=":", quote='"') + | parse modifiedFields with 'Modified fields: ' ModifiedFields:string + | parse description_s with * 
"with id=" id: string "," restOfMessage + | lookup EventTypeLookup on activityType_d + | extend + ActorUsername = iff(activityType_d == 102, "SentinelOne", coalesce(byUser, username, email)), + GroupName = coalesce(group, groupName, name), + TargetUsername = iff(isnotempty(byUser), username, ""), + PreviousPropertyValue = coalesce(oldDescription, oldRole), + NewPropertyValue = coalesce(description, role) + | where (targetusername_has == "*" or TargetUsername has targetusername_has) + and (actorusername_has == "*" or ActorUsername has actorusername_has) + | extend GroupName = iff(GroupName == "null", "", GroupName) + | project-rename + EventStartTime = createdAt_t, + SrcIpAddr = ipAddress, + EventUid = _ItemId, + ActorUserId = id, + GroupId = groupId_s, + EventMessage = primaryDescription_s, + EventOriginalUid = activityUuid_g + | extend + EventCount = int(1), + EventResult = "Success", + DvcAction = "Allowed", + EventSeverity = "Informational", + EventSchema = "UserManagement", + EventSchemaVersion = "0.1.1", + EventProduct = "SentinelOne", + EventVendor = "SentinelOne", + EventResultDetails = "Other" + | extend + Dvc = EventProduct, + EventEndTime = EventStartTime, + IpAddr = SrcIpAddr, + User = ActorUsername, + UpdatedPropertyName = EventSubType, + ActorUserIdType = iff(isnotempty(ActorUserId),"Other",""), + ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId), + ActorUsernameType = _ASIM_GetUsernameType(ActorUsername), + GroupIdType = iff(isnotempty(GroupId), "UID", ""), + GroupNameType = iff(isnotempty(GroupName), "Simple", ""), + GroupType = iff(isnotempty(groupType), "Other", ""), + GroupOriginalType = groupType, + TargetUsernameType = _ASIM_GetUsernameType(TargetUsername), + TargetUserType = _ASIM_GetUserType(TargetUsername, ""), + AdditionalFields = bag_pack( + "userScope", userScope, + "scopeLevelName", scopeLevelName, + "scopeName", scopeName, + "modifiedFields", modifiedFields, + "roleName", roleName, + "deactivationPeriodInDays", 
deactivationPeriodInDays, + "descriptionChanged", descriptionChanged + ) + | project-away + *_b, + *_d, + *_g, + *_s, + *_t, + byUser, + username, + email, + group, + groupName, + groupType, + name, + oldDescription, + oldRole, + description, + role, + userScope, + scopeLevelName, + scopeName, + roleName, + modifiedFields, + ModifiedFields, + deactivationPeriodInDays, + descriptionChanged, + restOfMessage, + _ResourceId, + TenantId, + RawData, + Computer, + MG, + ManagementGroupName, + SourceSystem + }; + parser( + starttime = starttime, + endtime = endtime, + targetusername_has = targetusername_has, + actorusername_has = actorusername_has, + targetdomain_has = targetdomain_has, + anydomain_has = anydomain_has, + disabled=disabled + ) \ No newline at end of file diff --git a/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_DataTest.csv b/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_DataTest.csv new file mode 100644 index 00000000000..114a38bd4d2 --- /dev/null +++ b/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_DataTest.csv 
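Review bot: In the `let parser = (...)` signature the inner default is `actorusername_has:string=""`, while ParserParams declares `'*'` and every other *_has parameter defaults to "*"; because the wildcard test is `actorusername_has == "*"`, a caller that invokes the inner function with its defaults would run `DataFields_s has ""` instead of skipping the filter, so change it to `actorusername_has:string="*"`. The References list has `- Link: https://.sentinelone.net/api-doc/overview` — the leading `-` makes Link a separate list item from its Title, and the host has an empty label before `.sentinelone.net`, so that entry needs `  Link:` indented under the SentinelOne Documentation title with a real hostname. The pre-filter `DataFields_s has actorusername_has` also runs before ActorUsername is synthesised as "SentinelOne" for activityType 102, so filtering on that actor drops those deletion events unless the raw DataFields happen to contain the word; exempt that type (`activityType_d == 102 or DataFields_s has actorusername_has`) or drop the pre-filter and rely on the post-parse filter, which already exists.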
@@ -0,0 +1,15 @@ +Result +"(0) Error: 4 invalid value(s) (up to 10 listed) in 32 records (52.46%) for field [EventSubType] of type [Enumerated]: [""MultipleProperties"",""PreviousPermissions"",""NewPermissions"",""Newpolicy""] (Schema:UserManagement)" +"(0) Error: type mismatch for column [SrcIpAddr]. It is currently [string] and should be [IP address] (Schema:UserManagement)" +"(2) Info: Empty value in 29 records (47.54%) in optional field [EventSubType] (Schema:UserManagement)" +"(2) Info: Empty value in 44 records (72.13%) in optional field [ActorUserId] (Schema:UserManagement)" +"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupIdType] (Schema:UserManagement)" +"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupId] (Schema:UserManagement)" +"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupNameType] (Schema:UserManagement)" +"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupName] (Schema:UserManagement)" +"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupOriginalType] (Schema:UserManagement)" +"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupType] (Schema:UserManagement)" +"(2) Info: Empty value in 59 records (96.72%) in optional field [PreviousPropertyValue] (Schema:UserManagement)" +"(2) Info: Empty value in 7 records (11.48%) in optional field [NewPropertyValue] (Schema:UserManagement)" +"(2) Info: Empty value in 8 records (13.11%) in optional field [TargetUserType] (Schema:UserManagement)" +"(2) Info: Empty value in 8 records (13.11%) in optional field [TargetUsername] (Schema:UserManagement)" diff --git a/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_SchemaTest.csv b/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_SchemaTest.csv index 1289c201795..2a84a67791a 100644 --- a/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_SchemaTest.csv 
+++ b/Parsers/ASimUserManagement/Tests/SentinelOne_ASimUserManagement_SchemaTest.csv 
@@ -1,41 +1,47 @@ Result -"(2) Info: extra unnormalized column [ActorUserId]" -"(2) Info: extra unnormalized column [ActorUsernameType]" -"(2) Info: extra unnormalized column [ActorUsername]" -"(2) Info: extra unnormalized column [AdditionalFields]" -"(2) Info: extra unnormalized column [DvcHostname]" -"(2) Info: extra unnormalized column [DvcIpAddr]" -"(2) Info: extra unnormalized column [DvcOriginalAction]" -"(2) Info: extra unnormalized column [DvcOs]" -"(2) Info: extra unnormalized column [Dvc]" -"(2) Info: extra unnormalized column [EventCount]" -"(2) Info: extra unnormalized column [EventEndTime]" -"(2) Info: extra unnormalized column [EventMessage]" -"(2) Info: extra unnormalized column [EventOriginalType]" -"(2) Info: extra unnormalized column [EventOriginalUid]" -"(2) Info: extra unnormalized column [EventProductVersion]" -"(2) Info: extra unnormalized column [EventProduct]" -"(2) Info: extra unnormalized column [EventResultDetails]" -"(2) Info: extra unnormalized column [EventResult]" -"(2) Info: extra unnormalized column [EventSchemaVersion]" -"(2) Info: extra unnormalized column [EventSchema]" -"(2) Info: extra unnormalized column [EventSeverity]" -"(2) Info: extra unnormalized column [EventStartTime]" -"(2) Info: extra unnormalized column [EventSubType]" -"(2) Info: extra unnormalized column [EventType]" -"(2) Info: extra unnormalized column [EventUid]" -"(2) Info: extra unnormalized column [EventVendor]" -"(2) Info: extra unnormalized column [GroupIdType]" -"(2) Info: extra unnormalized column [GroupId]" -"(2) Info: extra unnormalized column [GroupNameType]" -"(2) Info: extra unnormalized column [GroupName]" -"(2) Info: extra unnormalized column [Hostname]" -"(2) Info: extra unnormalized column [NewPropertyValue]" -"(2) Info: extra unnormalized column [PreviousPropertyValue]" -"(2) Info: extra unnormalized column [SrcDeviceType]" -"(2) Info: extra unnormalized column [TargetUsernameType]" -"(2) Info: extra unnormalized column [TargetUsername]" +"(0) 
Error: type mismatch for column [SrcIpAddr]. It is currently string and should be IP address" +"(1) Warning: Missing recommended field [DvcDomain]" +"(1) Warning: Missing recommended field [DvcFQDN]" +"(1) Warning: Missing recommended field [DvcHostname]" +"(1) Warning: Missing recommended field [DvcIdType]" +"(1) Warning: Missing recommended field [DvcId]" +"(1) Warning: Missing recommended field [DvcIpAddr]" +"(1) Warning: Missing recommended field [SrcDomainType]" +"(1) Warning: Missing recommended field [SrcDomain]" +"(1) Warning: Missing recommended field [SrcHostname]" +"(1) Warning: Missing recommended field [Src]" +"(2) Info: Missing optional field [ActingAppId]" +"(2) Info: Missing optional field [ActingAppType]" +"(2) Info: Missing optional field [ActiveAppName]" +"(2) Info: Missing optional field [ActorSessionId]" +"(2) Info: Missing optional field [DvcDescription]" +"(2) Info: Missing optional field [DvcInterface]" +"(2) Info: Missing optional field [DvcMacAddr]" +"(2) Info: Missing optional field [DvcOriginalAction]" +"(2) Info: Missing optional field [DvcOsVersion]" +"(2) Info: Missing optional field [DvcOs]" +"(2) Info: Missing optional field [DvcScopeId]" +"(2) Info: Missing optional field [DvcScope]" +"(2) Info: Missing optional field [DvcZone]" +"(2) Info: Missing optional field [EventOriginalResultDetails]" +"(2) Info: Missing optional field [EventOriginalSeverity]" +"(2) Info: Missing optional field [EventOriginalSubType]" +"(2) Info: Missing optional field [EventOwner]" +"(2) Info: Missing optional field [EventProductVersion]" +"(2) Info: Missing optional field [EventReportUrl]" +"(2) Info: Missing optional field [HttpUserAgent]" +"(2) Info: Missing optional field [SrcDeviceType]" +"(2) Info: Missing optional field [SrcDvcId]" +"(2) Info: Missing optional field [SrcDvcScopeId]" +"(2) Info: Missing optional field [SrcDvcScope]" +"(2) Info: Missing optional field [SrcFQDN]" +"(2) Info: Missing optional field [SrcGeoCity]" +"(2) Info: Missing 
optional field [SrcGeoCountry]" +"(2) Info: Missing optional field [SrcGeoLatitude]" +"(2) Info: Missing optional field [SrcGeoLongitude]" +"(2) Info: Missing optional field [SrcGeoRegion]" +"(2) Info: Missing optional field [TargetOriginalUserType]" +"(2) Info: Missing optional field [TargetUserId]" +"(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [DvcHostname]" "(2) Info: extra unnormalized column [TimeGenerated]" "(2) Info: extra unnormalized column [Type]" -"(2) Info: extra unnormalized column [UpdatedPropertyName]" -"(2) Info: extra unnormalized column [User]" diff --git a/Parsers/ASimUserManagement/Tests/SentinelOne_vimUserManagement_DataTest.csv b/Parsers/ASimUserManagement/Tests/SentinelOne_vimUserManagement_DataTest.csv new file mode 100644 index 00000000000..114a38bd4d2 --- /dev/null +++ b/Parsers/ASimUserManagement/Tests/SentinelOne_vimUserManagement_DataTest.csv 
@@ -0,0 +1,15 @@ +Result +"(0) Error: 4 invalid value(s) (up to 10 listed) in 32 records (52.46%) for field [EventSubType] of type [Enumerated]: [""MultipleProperties"",""PreviousPermissions"",""NewPermissions"",""Newpolicy""] (Schema:UserManagement)" +"(0) Error: type mismatch for column [SrcIpAddr]. It is currently [string] and should be [IP address] (Schema:UserManagement)" +"(2) Info: Empty value in 29 records (47.54%) in optional field [EventSubType] (Schema:UserManagement)" +"(2) Info: Empty value in 44 records (72.13%) in optional field [ActorUserId] (Schema:UserManagement)" +"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupIdType] (Schema:UserManagement)" +"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupId] (Schema:UserManagement)" +"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupNameType] (Schema:UserManagement)" +"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupName] (Schema:UserManagement)" +"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupOriginalType] (Schema:UserManagement)" +"(2) Info: Empty value in 54 records (88.52%) in optional field [GroupType] (Schema:UserManagement)" +"(2) Info: Empty value in 59 records (96.72%) in optional field [PreviousPropertyValue] (Schema:UserManagement)" +"(2) Info: Empty value in 7 records (11.48%) in optional field [NewPropertyValue] (Schema:UserManagement)" +"(2) Info: Empty value in 8 records (13.11%) in optional field [TargetUserType] (Schema:UserManagement)" +"(2) Info: Empty value in 8 records (13.11%) in optional field [TargetUsername] (Schema:UserManagement)" diff --git a/Parsers/ASimUserManagement/Tests/SentinelOne_vimUserManagement_SchemaTest.csv b/Parsers/ASimUserManagement/Tests/SentinelOne_vimUserManagement_SchemaTest.csv new file mode 100644 index 00000000000..5c8362233ee --- /dev/null +++ b/Parsers/ASimUserManagement/Tests/SentinelOne_vimUserManagement_SchemaTest.csv 
@@ -0,0 +1,47 @@ +Result +"(0) Error: type mismatch for column [SrcIpAddr]. It is currently string and should be IP address" +"(1) Warning: Missing recommended field [DvcDomain]" +"(1) Warning: Missing recommended field [DvcFQDN]" +"(1) Warning: Missing recommended field [DvcHostname]" +"(1) Warning: Missing recommended field [DvcIdType]" +"(1) Warning: Missing recommended field [DvcId]" +"(1) Warning: Missing recommended field [DvcIpAddr]" +"(1) Warning: Missing recommended field [SrcDomainType]" +"(1) Warning: Missing recommended field [SrcDomain]" +"(1) Warning: Missing recommended field [SrcHostname]" +"(1) Warning: Missing recommended field [Src]" +"(2) Info: Missing optional field [ActingAppId]" +"(2) Info: Missing optional field [ActingAppType]" +"(2) Info: Missing optional field [ActiveAppName]" +"(2) Info: Missing optional field [ActorSessionId]" +"(2) Info: Missing optional field [DvcDescription]" +"(2) Info: Missing optional field [DvcInterface]" +"(2) Info: Missing optional field [DvcMacAddr]" +"(2) Info: Missing optional field [DvcOriginalAction]" +"(2) Info: Missing optional field [DvcOsVersion]" +"(2) Info: Missing optional field [DvcOs]" +"(2) Info: Missing optional field [DvcScopeId]" +"(2) Info: Missing optional field [DvcScope]" +"(2) Info: Missing optional field [DvcZone]" +"(2) Info: Missing optional field [EventOriginalResultDetails]" +"(2) Info: Missing optional field [EventOriginalSeverity]" +"(2) Info: Missing optional field [EventOriginalSubType]" +"(2) Info: Missing optional field [EventOwner]" +"(2) Info: Missing optional field [EventProductVersion]" +"(2) Info: Missing optional field [EventReportUrl]" +"(2) Info: Missing optional field [HttpUserAgent]" +"(2) Info: Missing optional field [SrcDeviceType]" +"(2) Info: Missing optional field [SrcDvcId]" +"(2) Info: Missing optional field [SrcDvcScopeId]" +"(2) Info: Missing optional field [SrcDvcScope]" +"(2) Info: Missing optional field [SrcFQDN]" +"(2) Info: Missing optional field 
[SrcGeoCity]" +"(2) Info: Missing optional field [SrcGeoCountry]" +"(2) Info: Missing optional field [SrcGeoLatitude]" +"(2) Info: Missing optional field [SrcGeoLongitude]" +"(2) Info: Missing optional field [SrcGeoRegion]" +"(2) Info: Missing optional field [TargetOriginalUserType]" +"(2) Info: Missing optional field [TargetUserId]" +"(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [DvcHostname]" +"(2) Info: extra unnormalized column [TimeGenerated]" +"(2) Info: extra unnormalized column [Type]" diff --git a/Sample Data/ASIM/SentinelOne_ASimUserManagement_RawLogs.json b/Sample Data/ASIM/SentinelOne_ASimUserManagement_RawLogs.json new file mode 100644 index 00000000000..ec063fbd321 --- /dev/null +++ b/Sample Data/ASIM/SentinelOne_ASimUserManagement_RawLogs.json 
@@ -0,0 +1,6350 @@ +[ + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/19/2023, 12:40:04 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "0f81ec00-9e52-48e6-b899-eb3bbeede741", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "78d7744d-2837-40d2-aff4-bede5877836e", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "73ffd9f9-7430-51bf-89fd-275f31272868", + "targetProcessInfo_tgtProcUid": "73ffdf8e-0a44-5079-fd74-243fc15cbe7e", + "sourceParentProcessInfo_storyline": "73ffdf8e-0a44-5079-fd74-243fc15cbe7c", + "sourceParentProcessInfo_uniqueId": "73ffdf8e-0a44-5079-fd74-243fc15cbe7d", + "sourceProcessInfo_storyline": "73ffdf8e-0a33-5079-fd74-243fc15cbe7c", + "sourceProcessInfo_uniqueId": "73ffdf8e-0a22-5079-fd74-243fc15cbe7c", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", 
+ "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected_b": "", + "agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + 
"targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits_b": "", + "isDefault_b": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + 
"agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + "threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + "threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": 
"", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 23, + "activityUuid": "fb366a5d-1950-4106-80a9-2715c63030d9", + "createdAt [UTC]": "7/19/2023, 12:25:04 PM", + "id": 1732588999478741500, + "primaryDescription": "The management user Nick Man added user Darth as Viewer.", + "secondaryDescription": "IP address: 1.1.1.1", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "7/19/2023, 12:25:04 PM", + "userId": 1732588998690212000, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "byUser": "Nick Man", + "fullScopeDetails": "Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems", + "groupName": null, + "ipAddress": "1.1.1.1", + "realUser": null, + "role": "Viewer", + "scopeLevel": "Account", + "scopeName": "Crest Data Systems", + "siteName": null, + "sourceType": "UI", + "userScope": "account", + "username": "Darth" + }, + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + "externalId": "", + "externalIp": "", + "firewallEnabled_b": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + "isDecommissioned_b": "", + "isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + 
"locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled_b": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon_b": "", + "tags_sentinelone": "", + "threatRebootRequired_b": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 9:40:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "AC644457DCBAD901", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "svchost.exe,FrameServer", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + 
"alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "433C0EF580778F52", + "targetProcessInfo_tgtProcUid": "433C0EF580778F53", + "sourceParentProcessInfo_storyline": "433C0EF580778F51", + "sourceParentProcessInfo_uniqueId": "423C0EF580778F51", + "sourceProcessInfo_storyline": "553D0EF580778F51", + "sourceProcessInfo_uniqueId": "543D0EF580778F51", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected_b": "", + "agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + 
"sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits_b": "", + "isDefault_b": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + 
"agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt 
[UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + "threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + "threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 37, + "activityUuid": "c8e96690-cfc1-4c30-96dc-74c59d18ed96", + "createdAt [UTC]": "7/25/2023, 9:25:03 AM", + "id": 1736847049504106500, + "primaryDescription": "The management user Nick Man added user Dave to role Viewer in scope Crest Data Systems", + "secondaryDescription": "IP address: 1.1.1.1", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "7/25/2023, 9:25:03 AM", + "userId": 1716583470262263000, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "byUser": "Nick Man", + "fullScopeDetails": "Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems", + "groupName": null, + "ipAddress": "1.1.1.1", + "realUser": null, + "role": "Viewer", + "roleName": "Viewer", + "scopeLevel": "Account", + "scopeLevelName": "Crest Data Systems", + "scopeName": "Crest Data Systems", + "siteName": null, + "sourceType": "UI", + "userScope": "account", + "username": "Dave" + }, + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", 
+ "agentVersion": "", + "allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + "externalId": "", + "externalIp": "", + "firewallEnabled_b": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + "isDecommissioned_b": "", + "isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled_b": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon_b": "", + "tags_sentinelone": "", + "threatRebootRequired_b": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 9:40:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + 
"targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected_b": "", + "agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + 
"alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits_b": "", + "isDefault_b": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + 
"agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + 
"threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + "threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + "threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 37, + "activityUuid": "5d68c5d5-0693-4f28-ae15-5e1a0ea2bb04", + "createdAt [UTC]": "7/25/2023, 9:26:08 AM", + "id": 1736847596114257700, + "primaryDescription": "The management user Nick Man added user Dave to role Admin in scope Crest Data Systems", + "secondaryDescription": "IP address: 1.1.1.1", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "7/25/2023, 
9:26:08 AM", + "userId": 1716583470262263000, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "byUser": "Nick Man", + "fullScopeDetails": "Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems", + "groupName": null, + "ipAddress": "1.1.1.1", + "realUser": null, + "role": "Admin", + "roleName": "Admin", + "scopeLevel": "Account", + "scopeLevelName": "Crest Data Systems", + "scopeName": "Crest Data Systems", + "siteName": null, + "sourceType": "UI", + "userScope": "account", + "username": "Dave" + }, + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + "externalId": "", + "externalIp": "", + "firewallEnabled_b": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + "isDecommissioned_b": "", + "isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled_b": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + 
"scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon_b": "", + "tags_sentinelone": "", + "threatRebootRequired_b": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/6/2023, 6:04:55 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", 
+ "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected_b": "", + "agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + 
"sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits_b": "", + "isDefault_b": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + 
"agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + "threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + 
"threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 23, + "activityUuid": "5298b51f-599a-4613-9118-87bbd70e6b61", + "createdAt [UTC]": "7/5/2023, 1:12:24 PM", + "id": 1722465966578342000, + "primaryDescription": "The management user NisMan added user jack as Admin.", + "secondaryDescription": "IP address: 1.1.1.2", + "siteId": 1712500242422055200, + "siteName": "Default site", + "updatedAt [UTC]": "7/5/2023, 1:12:24 PM", + "userId": 1722465965663983400, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "byUser": "NisMan", + "fullScopeDetails": "Site Default site of Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems / Default site", + "groupName": null, + "ipAddress": "1.1.1.2", + "realUser": null, + "role": "Admin", + "scopeLevel": "Site", + "scopeName": "Default site", + "siteName": "Default site", + "sourceType": "UI", + "userScope": "site", + "username": "jack" + }, + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + "externalId": "", + "externalIp": "", + "firewallEnabled_b": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + "isDecommissioned_b": "", + 
"isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled_b": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon_b": "", + "tags_sentinelone": "", + "threatRebootRequired_b": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/25/2023, 9:40:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + 
"alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected_b": "", + "agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + 
"sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits_b": "", + "isDefault_b": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + 
"agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + 
"threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + "threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + "threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 24, + "activityUuid": "6d73dfa5-3947-43d2-b716-29e849dc3153", + "createdAt [UTC]": "7/25/2023, 9:25:03 AM", + "id": 1736847049755764700, + "primaryDescription": "The management user Nick Man updated the management user Dave.\nModified fields: User scope roles", + "secondaryDescription": "IP address: 1.1.1.1", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "7/25/2023, 9:25:03 AM", + "userId": 1716583470262263000, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "byUser": "Nick Man", + "fullScopeDetails": "Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems", + "groupName": null, + "ipAddress": "1.1.1.1", + "modifiedFields": "Modified fields: User scope roles", + "realUser": null, + "role": "Viewer", + "scopeLevel": "Account", + "scopeName": "Crest Data Systems", + "siteName": null, + "sourceType": "UI", + "userScope": "account", + "username": "Dave" + }, + "description": 
"Nick Man", + "comments": "Modified fields: User scope roles", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + "externalId": "", + "externalIp": "", + "firewallEnabled_b": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + "isDecommissioned_b": "", + "isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled_b": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon_b": "", + "tags_sentinelone": "", + "threatRebootRequired_b": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated 
[UTC]": "7/25/2023, 9:40:03 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected_b": "", + "agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + 
"alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + 
"inherits_b": "", + "isDefault_b": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + 
"agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + "threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + "threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 24, + "activityUuid": "5c5e7e13-fd66-4b2d-a28a-1174af876f70", + "createdAt [UTC]": "7/25/2023, 9:26:08 AM", + "id": 1736847596407859200, + "primaryDescription": "The management user Nick Man updated the management user Dave.\nModified fields: 
User scope roles", + "secondaryDescription": "IP address: 1.1.1.1", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "7/25/2023, 9:26:08 AM", + "userId": 1716583470262263000, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "byUser": "Nick Man", + "fullScopeDetails": "Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems", + "groupName": null, + "ipAddress": "1.1.1.1", + "modifiedFields": "Modified fields: User scope roles", + "realUser": null, + "role": "Admin", + "scopeLevel": "Account", + "scopeName": "Crest Data Systems", + "siteName": null, + "sourceType": "UI", + "userScope": "account", + "username": "Dave" + }, + "description": "Nick Man", + "comments": "Modified fields: User scope roles", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + "externalId": "", + "externalIp": "", + "firewallEnabled_b": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + "isDecommissioned_b": "", + "isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled_b": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime 
[UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon_b": "", + "tags_sentinelone": "", + "threatRebootRequired_b": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 11:50:04 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + 
"sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected_b": "", + "agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + 
"sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits_b": "", + "isDefault_b": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": 
"", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + "threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + 
"threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + "threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 110, + "activityUuid": "89b49441-4f83-4e54-91b0-29f02a4a996e", + "createdAt [UTC]": "7/20/2023, 11:39:00 AM", + "id": 1733290588638022100, + "primaryDescription": "The management user Nick Man gave permission to the management user Nirvato generate API tokens.", + "secondaryDescription": "IP address: 1.1.1.1", + "siteId": 1712500242422055200, + "siteName": "Default site", + "updatedAt [UTC]": "7/20/2023, 11:39:00 AM", + "userId": 1722466127522197200, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "byUser": "Nick Man", + "fullScopeDetails": "Site Default site of Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems / Default site", + "groupName": null, + "ipAddress": "1.1.1.1", + "realUser": null, + "role": "Admin", + "scopeLevel": "Site", + "scopeName": "Default site", + "siteName": "Default site", + "sourceType": "UI", + "userScope": "site", + "username": "Nirva" + }, + "description": "Nirva", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + "externalId": "", + "externalIp": "", + "firewallEnabled_b": "", + "firstFullModeTime [UTC]": 
"", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + "isDecommissioned_b": "", + "isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled_b": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon_b": "", + "tags_sentinelone": "", + "threatRebootRequired_b": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/21/2023, 7:00:18 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": 
"", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected_b": "", + "agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + 
"sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits_b": "", + "isDefault_b": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", 
+ "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + 
"threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + "threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + "threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 5006, + "activityUuid": "37b6aca3-6759-4406-9990-9427ff5947ec", + "createdAt [UTC]": "7/21/2023, 6:46:32 AM", + "id": 1733868167914689300, + "primaryDescription": "The management user Nick Man deleted the Manual Group: Test.", + "secondaryDescription": "IP address: 1.1.1.1", + "siteId": 1712500242422055200, + "siteName": "Default site", + "updatedAt [UTC]": "7/21/2023, 6:46:32 AM", + "userId": 1712986475444465000, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "fullScopeDetails": "Group Test in Site Default site of Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems / Default site / Test", + "groupId": 1721525955683466800, + "groupName": "Test", + "groupType": "Manual", 
+ "ipAddress": "1.1.1.1", + "realUser": null, + "scopeLevel": "Group", + "scopeName": "Test", + "siteName": "Default site", + "sourceType": "UI", + "username": "Nick Man" + }, + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + "externalId": "", + "externalIp": "", + "firewallEnabled_b": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": 1721525955683466800, + "groupIp": "", + "groupName": "Test", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + "isDecommissioned_b": "", + "isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled_b": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon_b": "", + "tags_sentinelone": "", + "threatRebootRequired_b": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": 
"SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/6/2023, 12:50:14 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected_b": "", + "agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + 
"agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + 
"targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits_b": "", + "isDefault_b": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt 
[UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + "threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + "threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 25, + "activityUuid": "9b9a0977-8483-4f2c-8bba-f85c50f01559", + "createdAt 
[UTC]": "6/27/2023, 10:24:22 AM", + "id": 1716583181635393300, + "primaryDescription": "The management user NisMan deleted the user Dave.", + "secondaryDescription": "IP address: 1.1.1.2", + "siteId": 1712500242422055200, + "siteName": "Default site", + "updatedAt [UTC]": "6/27/2023, 10:24:22 AM", + "userId": 1716583004803512600, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "byUser": "NisMan", + "deactivationPeriodInDays": "90", + "fullScopeDetails": "Site Default site of Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems / Default site", + "groupName": null, + "ipAddress": "1.1.1.2", + "realUser": null, + "role": "Viewer", + "scopeLevel": "Site", + "scopeName": "Default site", + "siteName": "Default site", + "sourceType": "UI", + "userScope": "site", + "username": "Dave" + }, + "description": "NisMan", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + "externalId": "", + "externalIp": "", + "firewallEnabled_b": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + "isDecommissioned_b": "", + "isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + 
"networkQuarantineEnabled_b": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon_b": "", + "tags_sentinelone": "", + "threatRebootRequired_b": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/19/2023, 12:50:03 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + 
"targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected_b": "", + "agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + 
"sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits_b": "", + "isDefault_b": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + 
"agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + 
"threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + "threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 140, + "activityUuid": "2ad1ba17-d519-4866-b401-67da64e3317a", + "createdAt [UTC]": "7/19/2023, 12:38:17 PM", + "id": 1732595655286628900, + "primaryDescription": "The management user Nick Man added a new Service User Darth with the description Darth to Crest Data Systems with role Admin.", + "secondaryDescription": "IP address: 1.1.1.1", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "7/19/2023, 12:38:17 PM", + "userId": 1732595654439379500, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "byUser": "Nick Man", + "description": "Darth", + "fullScopeDetails": "Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems", + "groupName": null, + "ipAddress": "1.1.1.1", + "realUser": null, + "roleName": "Admin", + "scopeLevel": "Account", + "scopeName": "Crest Data Systems", + "siteName": null, + "sourceType": "UI", + "username": "Darth" + }, + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + 
"externalId": "", + "externalIp": "", + "firewallEnabled_b": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + "isDecommissioned_b": "", + "isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled_b": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon_b": "", + "tags_sentinelone": "", + "threatRebootRequired_b": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/19/2023, 12:50:03 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + 
"targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected_b": "", + "agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": 
"", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits_b": "", + "isDefault_b": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + 
"agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", 
+ "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + "threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + "threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 140, + "activityUuid": "3f33a1f3-9f08-490b-8f94-760a9135e13f", + "createdAt [UTC]": "7/19/2023, 12:39:28 PM", + "id": 1732596251003720700, + "primaryDescription": "The management user Nick Man added a new Service User Darth with the description Darth to Default site with role C-Level.", + "secondaryDescription": "IP address: 1.1.1.1", + "siteId": 1712500242422055200, + "siteName": "Default site", + "updatedAt [UTC]": "7/19/2023, 12:39:28 PM", + "userId": 1732595654439379500, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "byUser": "Nick Man", + "description": "Darth", + "fullScopeDetails": "Site Default site of Account Crest 
Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems / Default site", + "groupName": null, + "ipAddress": "1.1.1.1", + "realUser": null, + "roleName": "C-Level", + "scopeLevel": "Site", + "scopeName": "Default site", + "siteName": "Default site", + "sourceType": "UI", + "username": "Darth" + }, + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + "externalId": "", + "externalIp": "", + "firewallEnabled_b": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + "isDecommissioned_b": "", + "isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled_b": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon_b": "", + "tags_sentinelone": "", + "threatRebootRequired_b": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + 
"activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/6/2023, 12:50:14 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + 
"agentRealtimeInfo_infected_b": "", + "agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + 
"targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits_b": "", + "isDefault_b": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + 
"agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + "threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + "threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + 
"accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 5008, + "activityUuid": "327cc7b4-f116-490d-9a0b-53d572cce162", + "createdAt [UTC]": "6/22/2023, 12:44:45 PM", + "id": 1713029962565392400, + "primaryDescription": "The management user Nick Man created the new Manual Group: Crest Data Systems.", + "secondaryDescription": "IP address: 1.1.1.1", + "siteId": 1712500242422055200, + "siteName": "Default site", + "updatedAt [UTC]": "6/22/2023, 12:44:45 PM", + "userId": 1712986475444465000, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "fullScopeDetails": "Group Crest Data Systems in Site Default site of Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems / Default site / Crest Data Systems", + "groupId": "1713029962380842894", + "groupName": "Crest Data Systems", + "groupType": "Manual", + "ipAddress": "1.1.1.1", + "realUser": null, + "scopeLevel": "Group", + "scopeName": "Crest Data Systems", + "siteName": "Default site", + "sourceType": "UI", + "username": "Nick Man" + }, + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + "externalId": "", + "externalIp": "", + "firewallEnabled_b": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": 1713029962380843000, + "groupIp": "", + "groupName": "Crest Data Systems", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + "isDecommissioned_b": "", + "isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + 
"lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled_b": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon_b": "", + "tags_sentinelone": "", + "threatRebootRequired_b": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/6/2023, 12:50:14 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", 
+ "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected_b": "", + "agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + 
"sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits_b": "", + "isDefault_b": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + 
"agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + 
"threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + "threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + "threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 5008, + "activityUuid": "6a5ae272-d4df-4986-a8ec-b1c9c09ef60d", + "createdAt [UTC]": "7/4/2023, 6:04:46 AM", + "id": 1721525955893182000, + "primaryDescription": "The management user Dave created the new Manual Group: Test.", + "secondaryDescription": "IP address: 1.1.1.2", + "siteId": 1712500242422055200, + "siteName": "Default site", + "updatedAt [UTC]": "7/4/2023, 6:04:46 AM", + "userId": 1716583470262263000, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "fullScopeDetails": "Group Test in Site Default site of Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems / Default site / Test", + "groupId": "1721525955683466807", + "groupName": "Test", + "groupType": "Manual", + "ipAddress": "1.1.1.2", + "realUser": null, + "scopeLevel": "Group", + "scopeName": "Test", + "siteName": "Default site", + "sourceType": "UI", + "username": "Dave" + }, + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + 
"allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + "externalId": "", + "externalIp": "", + "firewallEnabled_b": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": 1721525955683466800, + "groupIp": "", + "groupName": "Test", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + "isDecommissioned_b": "", + "isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled_b": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon_b": "", + "tags_sentinelone": "", + "threatRebootRequired_b": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/19/2023, 12:50:03 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + 
"targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected_b": "", + "agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + 
"alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits_b": "", + "isDefault_b": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + 
"agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + 
"threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + "threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + "threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 142, + "activityUuid": "46b211c2-1223-4ff0-9cfc-a3fc7eed4b05", + "createdAt [UTC]": "7/19/2023, 12:39:28 PM", + "id": 1732596250928223200, + "primaryDescription": "The management user Nick Man deleted the Service User Darth from scope Crest Data Systems.", + "secondaryDescription": "IP address: 1.1.1.1", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": 
"7/19/2023, 12:39:28 PM", + "userId": 1732595654439379500, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "byUser": "Nick Man", + "description": "Darth", + "fullScopeDetails": "Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems", + "groupName": null, + "ipAddress": "1.1.1.1", + "realUser": null, + "scopeLevel": "Account", + "scopeName": "Crest Data Systems", + "siteName": null, + "sourceType": "UI", + "username": "Darth" + }, + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + "externalId": "", + "externalIp": "", + "firewallEnabled_b": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + "isDecommissioned_b": "", + "isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled_b": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + 
"showAlertIcon_b": "", + "tags_sentinelone": "", + "threatRebootRequired_b": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 10:20:04 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": 
"", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected_b": "", + "agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + 
"targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits_b": "", + "isDefault_b": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + 
"agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + "threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + "threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + 
"threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 5006, + "activityUuid": "a180e2f3-fb7e-44fc-adfe-cbc5d250d9ed", + "createdAt [UTC]": "7/20/2023, 10:03:42 AM", + "id": 1733242623065122800, + "primaryDescription": "The management user Nirvadeleted the Manual Group: Test Group Activity.", + "secondaryDescription": "IP address: 1.1.1.2", + "siteId": 1712500242422055200, + "siteName": "Default site", + "updatedAt [UTC]": "7/20/2023, 10:03:42 AM", + "userId": 1722466127522197200, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "fullScopeDetails": "Group Test Group Activity in Site Default site of Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems / Default site / Test Group Activity", + "groupId": 1733236199462385400, + "groupName": "Test Group Activity", + "groupType": "Manual", + "ipAddress": "1.1.1.2", + "realUser": null, + "scopeLevel": "Group", + "scopeName": "Test Group Activity", + "siteName": "Default site", + "sourceType": "UI", + "username": "Nirva" + }, + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + "externalId": "", + "externalIp": "", + "firewallEnabled_b": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": 1733236199462385400, + "groupIp": "", + "groupName": "Test Group Activity", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + 
"isDecommissioned_b": "", + "isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled_b": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon_b": "", + "tags_sentinelone": "", + "threatRebootRequired_b": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/19/2023, 12:50:03 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + 
"alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected_b": "", + "agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + 
"sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits_b": "", + "isDefault_b": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + 
"agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + 
"threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + "threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + "threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 25, + "activityUuid": "eded5a54-86c8-4337-9dff-e3e13a9305f2", + "createdAt [UTC]": "7/19/2023, 12:37:15 PM", + "id": 1732595136375644000, + "primaryDescription": "The management user Nick Man deleted the user Darth.", + "secondaryDescription": "IP address: 1.1.1.1", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "7/19/2023, 12:37:15 PM", + "userId": 1732588998690212000, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "byUser": "Nick Man", + "deactivationPeriodInDays": "90", + "fullScopeDetails": "Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems", + "groupName": null, + "ipAddress": "1.1.1.1", + "realUser": null, + "role": "Admin", + "scopeLevel": "Account", + "scopeName": "Crest Data Systems", + "siteName": null, + "sourceType": "UI", + "userScope": "account", + "username": "Darth" + }, + "description": "Nick Man", + "comments": "", 
+ "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + "externalId": "", + "externalIp": "", + "firewallEnabled_b": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + "isDecommissioned_b": "", + "isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled_b": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon_b": "", + "tags_sentinelone": "", + "threatRebootRequired_b": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/19/2023, 12:50:03 PM", + "Computer": "", + 
"RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected_b": "", + "agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + 
"alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits_b": "", + "isDefault_b": "", + 
"name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", 
+ "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + "threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + "threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 141, + "activityUuid": "df06ac01-c280-4a06-b3a3-0563c04b7e58", + "createdAt [UTC]": "7/19/2023, 12:38:55 PM", + "id": 1732595970044029400, + "primaryDescription": "The management user Nick Man changed the role of the Service User Darth on scope Crest Data Systems. Previous role: Admin. 
New role: SOC.", + "secondaryDescription": "IP address: 1.1.1.1", + "siteId": "", + "siteName": "", + "updatedAt [UTC]": "7/19/2023, 12:38:55 PM", + "userId": 1732595654439379500, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "byUser": "Nick Man", + "description": "Darth", + "descriptionChanged": false, + "fullScopeDetails": "Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems", + "groupName": null, + "ipAddress": "1.1.1.1", + "oldDescription": "N/A", + "oldRole": "Admin", + "realUser": null, + "role": "SOC", + "scopeLevel": "Account", + "scopeName": "Crest Data Systems", + "siteName": null, + "sourceType": "UI", + "username": "Darth" + }, + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + "externalId": "", + "externalIp": "", + "firewallEnabled_b": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + "isDecommissioned_b": "", + "isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled_b": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": 
"", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon_b": "", + "tags_sentinelone": "", + "threatRebootRequired_b": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/19/2023, 1:00:02 PM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + 
"sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected_b": "", + "agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + 
"sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits_b": "", + "isDefault_b": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": "", + "agentRealtimeInfo_agentMachineType": 
"", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + "threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + 
"threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + "threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 141, + "activityUuid": "f4804b82-7729-499d-9157-f1ea3aa7e361", + "createdAt [UTC]": "7/19/2023, 12:41:17 PM", + "id": 1732597165974508500, + "primaryDescription": "The management user Nick Man changed the role of the Service User Darth on scope Default site. Previous role: C-Level. New role: User Test.", + "secondaryDescription": "IP address: 1.1.1.1", + "siteId": 1712500242422055200, + "siteName": "Default site", + "updatedAt [UTC]": "7/19/2023, 12:41:17 PM", + "userId": 1732595654439379500, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "byUser": "Nick Man", + "description": "Darth", + "descriptionChanged": false, + "fullScopeDetails": "Site Default site of Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems / Default site", + "groupName": null, + "ipAddress": "1.1.1.1", + "oldDescription": "N/A", + "oldRole": "C-Level", + "realUser": null, + "role": "User Test", + "scopeLevel": "Site", + "scopeName": "Default site", + "siteName": "Default site", + "sourceType": "UI", + "username": "Darth" + }, + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + "externalId": "", + "externalIp": "", + 
"firewallEnabled_b": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + "isDecommissioned_b": "", + "isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled_b": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon_b": "", + "tags_sentinelone": "", + "threatRebootRequired_b": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + "activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 11:50:04 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + 
"alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected_b": "", + "agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + 
"ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + "targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits_b": "", + "isDefault_b": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + 
"agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": "", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + 
"threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + "threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + "threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + "activityType": 111, + "activityUuid": "9cce98f3-b039-4ba0-a8f2-e0105b688546", + "createdAt [UTC]": "7/20/2023, 11:38:42 AM", + "id": 1733290437886321200, + "primaryDescription": "The management user Nick Man blocked the management user Nirvafrom generating API tokens.", + "secondaryDescription": "IP address: 1.1.1.1", + "siteId": 1712500242422055200, + "siteName": "Default site", + "updatedAt [UTC]": "7/20/2023, 11:38:42 AM", + "userId": 1722466127522197200, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "byUser": "Nick Man", + "fullScopeDetails": "Site Default site of Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems / Default site", + 
"groupName": null, + "ipAddress": "1.1.1.1", + "realUser": null, + "role": "Admin", + "scopeLevel": "Site", + "scopeName": "Default site", + "siteName": "Default site", + "sourceType": "UI", + "userScope": "site", + "username": "Nirva" + }, + "description": "Nirva", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + "externalId": "", + "externalIp": "", + "firewallEnabled_b": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": "", + "groupIp": "", + "groupName": "", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + "isDecommissioned_b": "", + "isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + "locationType": "", + "locations": "", + "machineType": "", + "mitigationMode": "", + "mitigationModeSuspicious": "", + "modelName": "", + "networkInterfaces": "", + "networkQuarantineEnabled_b": "", + "networkStatus": "", + "operationalState": "", + "osArch": "", + "osName": "", + "osRevision": "", + "osStartTime [UTC]": "", + "osType": "", + "rangerStatus": "", + "rangerVersion": "", + "registeredAt [UTC]": "", + "remoteProfilingState": "", + "scanFinishedAt [UTC]": "", + "scanStartedAt [UTC]": "", + "scanStatus": "", + "serialNumber": "", + "showAlertIcon_b": "", + "tags_sentinelone": "", + "threatRebootRequired_b": "", + "totalMemory": "", + "userActionsNeeded": "", + "uuid": "", + "osUsername": "", + "scanAbortedAt [UTC]": "", + "activeDirectory_computerDistinguishedName": "", + 
"activeDirectory_lastUserDistinguishedName": "", + "Type": "SentinelOne_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "7/20/2023, 10:20:04 AM", + "Computer": "", + "RawData": "", + "alertInfo_indicatorDescription": "", + "alertInfo_indicatorName": "", + "targetProcessInfo_tgtFileOldPath": "", + "alertInfo_indicatorCategory": "", + "alertInfo_registryOldValue": "", + "alertInfo_dstIp": "", + "alertInfo_dstPort": "", + "alertInfo_netEventDirection": "", + "alertInfo_srcIp": "", + "alertInfo_srcPort": "", + "containerInfo_id": "", + "targetProcessInfo_tgtFileId": "", + "alertInfo_registryOldValueType": "", + "alertInfo_dnsRequest": "", + "alertInfo_dnsResponse": "", + "alertInfo_registryKeyPath": "", + "alertInfo_registryPath": "", + "alertInfo_registryValue": "", + "ruleInfo_description": "", + "alertInfo_loginAccountDomain": "", + "alertInfo_loginAccountSid": "", + "alertInfo_loginIsAdministratorEquivalent": "", + "alertInfo_loginIsSuccessful": "", + "alertInfo_loginType": "", + "alertInfo_loginsUserName": "", + "alertInfo_srcMachineIp": "", + "targetProcessInfo_tgtProcCmdLine": "", + "targetProcessInfo_tgtProcImagePath": "", + "targetProcessInfo_tgtProcName": "", + "targetProcessInfo_tgtProcPid": "", + "targetProcessInfo_tgtProcSignedStatus": "", + "targetProcessInfo_tgtProcStorylineId": "", + "targetProcessInfo_tgtProcUid": "", + "sourceParentProcessInfo_storyline": "", + "sourceParentProcessInfo_uniqueId": "", + "sourceProcessInfo_storyline": "", + "sourceProcessInfo_uniqueId": "", + "agentDetectionInfo_machineType": "", + "agentDetectionInfo_name": "", + "agentDetectionInfo_osFamily": "", + "agentDetectionInfo_osName": "", + "agentDetectionInfo_osRevision": "", + "agentDetectionInfo_uuid": "", + "agentDetectionInfo_version": "", + "agentRealtimeInfo_id": "", + "agentRealtimeInfo_infected_b": "", + 
"agentRealtimeInfo_isActive_b": "", + "agentRealtimeInfo_isDecommissioned_b": "", + "agentRealtimeInfo_machineType": "", + "agentRealtimeInfo_name": "", + "agentRealtimeInfo_os": "", + "agentRealtimeInfo_uuid": "", + "alertInfo_alertId": "", + "alertInfo_analystVerdict": "", + "alertInfo_createdAt [UTC]": "", + "alertInfo_dvEventId": "", + "alertInfo_eventType": "", + "alertInfo_hitType": "", + "alertInfo_incidentStatus": "", + "alertInfo_isEdr_b": "", + "alertInfo_reportedAt [UTC]": "", + "alertInfo_source": "", + "alertInfo_updatedAt [UTC]": "", + "ruleInfo_id": "", + "ruleInfo_name": "", + "ruleInfo_queryLang": "", + "ruleInfo_queryType": "", + "ruleInfo_s1ql": "", + "ruleInfo_scopeLevel": "", + "ruleInfo_severity": "", + "ruleInfo_treatAsThreat": "", + "sourceParentProcessInfo_commandline": "", + "sourceParentProcessInfo_fileHashMd5": "", + "sourceParentProcessInfo_fileHashSha1": "", + "sourceParentProcessInfo_fileHashSha256": "", + "sourceParentProcessInfo_filePath": "", + "sourceParentProcessInfo_fileSignerIdentity": "", + "sourceParentProcessInfo_integrityLevel": "", + "sourceParentProcessInfo_name": "", + "sourceParentProcessInfo_pid": "", + "sourceParentProcessInfo_pidStarttime [UTC]": "", + "sourceParentProcessInfo_subsystem": "", + "sourceParentProcessInfo_user": "", + "sourceProcessInfo_commandline": "", + "sourceProcessInfo_fileHashMd5": "", + "sourceProcessInfo_fileHashSha1": "", + "sourceProcessInfo_fileHashSha256": "", + "sourceProcessInfo_filePath": "", + "sourceProcessInfo_fileSignerIdentity": "", + "sourceProcessInfo_integrityLevel": "", + "sourceProcessInfo_name": "", + "sourceProcessInfo_pid": "", + "sourceProcessInfo_pidStarttime [UTC]": "", + "sourceProcessInfo_subsystem": "", + "sourceProcessInfo_user": "", + "targetProcessInfo_tgtFileCreatedAt [UTC]": "", + "targetProcessInfo_tgtFileHashSha1": "", + "targetProcessInfo_tgtFileHashSha256": "", + "targetProcessInfo_tgtFileIsSigned": "", + "targetProcessInfo_tgtFileModifiedAt [UTC]": "", + 
"targetProcessInfo_tgtFilePath": "", + "targetProcessInfo_tgtProcIntegrityLevel": "", + "targetProcessInfo_tgtProcessStartTime [UTC]": "", + "agentUpdatedVersion": "", + "agentId": "", + "hash": "", + "osFamily": "", + "threatId": "", + "creator": "", + "creatorId": "", + "inherits_b": "", + "isDefault_b": "", + "name": "", + "registrationToken": "", + "totalAgents": "", + "type": "", + "agentDetectionInfo_accountId": "", + "agentDetectionInfo_accountName": "", + "agentDetectionInfo_agentDetectionState": "", + "agentDetectionInfo_agentDomain": "", + "agentDetectionInfo_agentIpV4": "", + "agentDetectionInfo_agentIpV6": "", + "agentDetectionInfo_agentLastLoggedInUserName": "", + "agentDetectionInfo_agentMitigationMode": "", + "agentDetectionInfo_agentOsName": "", + "agentDetectionInfo_agentOsRevision": "", + "agentDetectionInfo_agentRegisteredAt [UTC]": "", + "agentDetectionInfo_agentUuid": "", + "agentDetectionInfo_agentVersion": "", + "agentDetectionInfo_externalIp": "", + "agentDetectionInfo_groupId": "", + "agentDetectionInfo_groupName": "", + "agentDetectionInfo_siteId": "", + "agentDetectionInfo_siteName": "", + "agentRealtimeInfo_accountId": "", + "agentRealtimeInfo_accountName": "", + "agentRealtimeInfo_activeThreats": "", + "agentRealtimeInfo_agentComputerName": "", + "agentRealtimeInfo_agentDomain": "", + "agentRealtimeInfo_agentId": "", + "agentRealtimeInfo_agentInfected_b": "", + "agentRealtimeInfo_agentIsActive_b": "", + "agentRealtimeInfo_agentIsDecommissioned_b": "", + "agentRealtimeInfo_agentMachineType": "", + "agentRealtimeInfo_agentMitigationMode": "", + "agentRealtimeInfo_agentNetworkStatus": "", + "agentRealtimeInfo_agentOsName": "", + "agentRealtimeInfo_agentOsRevision": "", + "agentRealtimeInfo_agentOsType": "", + "agentRealtimeInfo_agentUuid": "", + "agentRealtimeInfo_agentVersion": "", + "agentRealtimeInfo_groupId": "", + "agentRealtimeInfo_groupName": "", + "agentRealtimeInfo_networkInterfaces": "", + "agentRealtimeInfo_operationalState": 
"", + "agentRealtimeInfo_rebootRequired_b": "", + "agentRealtimeInfo_scanFinishedAt [UTC]": "", + "agentRealtimeInfo_scanStartedAt [UTC]": "", + "agentRealtimeInfo_scanStatus": "", + "agentRealtimeInfo_siteId": "", + "agentRealtimeInfo_siteName": "", + "agentRealtimeInfo_userActionsNeeded": "", + "indicators": "", + "mitigationStatus": "", + "threatInfo_analystVerdict": "", + "threatInfo_analystVerdictDescription": "", + "threatInfo_automaticallyResolved_b": "", + "threatInfo_certificateId": "", + "threatInfo_classification": "", + "threatInfo_classificationSource": "", + "threatInfo_cloudFilesHashVerdict": "", + "threatInfo_collectionId": "", + "threatInfo_confidenceLevel": "", + "threatInfo_createdAt [UTC]": "", + "threatInfo_detectionEngines": "", + "threatInfo_detectionType": "", + "threatInfo_engines": "", + "threatInfo_externalTicketExists_b": "", + "threatInfo_failedActions_b": "", + "threatInfo_fileExtension": "", + "threatInfo_fileExtensionType": "", + "threatInfo_filePath": "", + "threatInfo_fileSize": "", + "threatInfo_fileVerificationType": "", + "threatInfo_identifiedAt [UTC]": "", + "threatInfo_incidentStatus": "", + "threatInfo_incidentStatusDescription": "", + "threatInfo_initiatedBy": "", + "threatInfo_initiatedByDescription": "", + "threatInfo_isFileless_b": "", + "threatInfo_isValidCertificate_b": "", + "threatInfo_mitigatedPreemptively_b": "", + "threatInfo_mitigationStatus": "", + "threatInfo_mitigationStatusDescription": "", + "threatInfo_originatorProcess": "", + "threatInfo_pendingActions_b": "", + "threatInfo_processUser": "", + "threatInfo_publisherName": "", + "threatInfo_reachedarthentsLimit_b": "", + "threatInfo_rebootRequired_b": "", + "threatInfo_sha1": "", + "threatInfo_storyline": "", + "threatInfo_threatId": "", + "threatInfo_threatName": "", + "threatInfo_updatedAt [UTC]": "", + "whiteningOptions": "", + "threatInfo_maliciousProcessArguments": "", + "accountId": 1712500237934148900, + "accountName": "Crest Data Systems", + 
"activityType": 5011, + "activityUuid": "1b86a2ea-9f84-4e5b-a918-a521b20d8f09", + "createdAt [UTC]": "7/20/2023, 10:07:15 AM", + "id": 1733244408404449300, + "primaryDescription": "The management user Nirvareverted the policy of Group Test Pinned group to its Site policy.", + "secondaryDescription": "IP address: 1.1.1.2", + "siteId": 1712500242422055200, + "siteName": "Default site", + "updatedAt [UTC]": "7/20/2023, 10:07:14 AM", + "userId": 1722466127522197200, + "event_name": "Activities.", + "DataFields": { + "accountName": "Crest Data Systems", + "fullScopeDetails": "Group Test Pinned group in Site Default site of Account Crest Data Systems", + "fullScopeDetailsPath": "Global / Crest Data Systems / Default site / Test Pinned group", + "groupId": "1733241822456258550", + "groupName": "Test Pinned group", + "groupType": "Pinned", + "ipAddress": "1.1.1.2", + "realUser": null, + "scopeLevel": "Group", + "scopeName": "Test Pinned group", + "siteName": "Default site", + "sourceType": "UI", + "username": "Nirva" + }, + "description": "", + "comments": "", + "activeDirectory_computerMemberOf": "", + "activeDirectory_lastUserMemberOf": "", + "activeThreats": "", + "agentVersion": "", + "allowRemoteShell_b": "", + "appsVulnerabilityStatus": "", + "computerName": "", + "consoleMigrationStatus": "", + "coreCount": "", + "cpuCount": "", + "cpuId": "", + "detectionState": "", + "domain": "", + "encryptedApplications_b": "", + "externalId": "", + "externalIp": "", + "firewallEnabled_b": "", + "firstFullModeTime [UTC]": "", + "fullDiskScanLastUpdatedAt [UTC]": "", + "groupId": 1733241822456258600, + "groupIp": "", + "groupName": "Test Pinned group", + "inRemoteShellSession_b": "", + "infected_b": "", + "installerType": "", + "isActive_b": "", + "isDecommissioned_b": "", + "isPendingUninstall_b": "", + "isUninstalled_b": "", + "isUpToDate_b": "", + "lastActiveDate [UTC]": "", + "lastIpToMgmt": "", + "lastLoggedInUserName": "", + "licenseKey": "", + "locationEnabled_b": "", + 
"locationType": "",
+ "locations": "",
+ "machineType": "",
+ "mitigationMode": "",
+ "mitigationModeSuspicious": "",
+ "modelName": "",
+ "networkInterfaces": "",
+ "networkQuarantineEnabled_b": "",
+ "networkStatus": "",
+ "operationalState": "",
+ "osArch": "",
+ "osName": "",
+ "osRevision": "",
+ "osStartTime [UTC]": "",
+ "osType": "",
+ "rangerStatus": "",
+ "rangerVersion": "",
+ "registeredAt [UTC]": "",
+ "remoteProfilingState": "",
+ "scanFinishedAt [UTC]": "",
+ "scanStartedAt [UTC]": "",
+ "scanStatus": "",
+ "serialNumber": "",
+ "showAlertIcon_b": "",
+ "tags_sentinelone": "",
+ "threatRebootRequired_b": "",
+ "totalMemory": "",
+ "userActionsNeeded": "",
+ "uuid": "",
+ "osUsername": "",
+ "scanAbortedAt [UTC]": "",
+ "activeDirectory_computerDistinguishedName": "",
+ "activeDirectory_lastUserDistinguishedName": "",
+ "Type": "SentinelOne_CL",
+ "_ResourceId": ""
+ }
+]
\ No newline at end of file
diff --git a/Sample Data/ASIM/SentinelOne_CL_Schema.csv b/Sample Data/ASIM/SentinelOne_CL_Schema.csv
index 7432410acb8..454070d3e80 100644
--- a/Sample Data/ASIM/SentinelOne_CL_Schema.csv
+++ b/Sample Data/ASIM/SentinelOne_CL_Schema.csv
@@ -310,4 +310,5 @@ RawData,6,"System.String",string
 "activeDirectory_computerDistinguishedName_s",308,"System.String",string
 "activeDirectory_lastUserDistinguishedName_s",309,"System.String",string
 Type,310,"System.String",string
-"_ResourceId",311,"System.String",string
+"_ResourceId",311,"System.String",
+"_ItemId",312,"System.String",string
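Review bot: The rewritten `_ResourceId` row, `"_ResourceId",311,"System.String",`, has lost the trailing type column (`string`) that the removed line and every other row in this hunk carry, including the new `_ItemId` row, so this looks like an accidental edit rather than an intended change. An empty fourth column is likely to make whatever schema-driven check consumes this file treat `_ResourceId` as untyped or shift its columns, which undercuts the point of adding `_ItemId` alongside it. I'd restore the row as `"_ResourceId",311,"System.String",string` so both system columns are declared consistently.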
