Merge pull request #8669 from jayeshprajapaticrest/SentinelOneProcess
ASIM Process Event schema parser with its sample and test data for SentinelOne
v-atulyadav authored Sep 27, 2023
2 parents 9791afc + d7c67f2 commit e1e09d0
Showing 12 changed files with 6,763 additions and 3 deletions.
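--- a/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml
+++ b/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateSentinelOne.yaml
@@ -0,0 +1,153 @@
+Parser:
+Title: Process Create ASIM parser for SentinelOne
+Version: '0.1.0'
+LastUpdated: Sep 18, 2023
+Product:
+Name: SentinelOne
+Normalization:
+Schema: ProcessEvent
+Version: '0.1.4'
+References:
+- Title: ASIM ProcessEvent Schema
+Link: https://aka.ms/ASimProcessEventDoc
+- Title: ASIM
+Link: https://aka.ms/AboutASIM
+- Title: SentinelOne Documentation
+- Link: https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview
+Description: |
+This ASIM parser supports normalizing SentinelOne logs to the ASIM Process Event normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+ParserName: ASimProcessCreateSentinelOne
+EquivalentBuiltInParser: _ASim_ProcessCreate_SentinelOne
+ParserParams:
+- Name: disabled
+Type: bool
+Default: false
+ParserQuery: |
+let ThreatConfidenceLookup_undefined = datatable(
+alertInfo_analystVerdict_s: string,
+ThreatConfidence_undefined: int
+)
+[
+"FALSE_POSITIVE", 5,
+"Undefined", 15,
+"SUSPICIOUS", 25,
+"TRUE_POSITIVE", 33
+];
+let ThreatConfidenceLookup_suspicious = datatable(
+alertInfo_analystVerdict_s: string,
+ThreatConfidence_suspicious: int
+)
+[
+"FALSE_POSITIVE", 40,
+"Undefined", 50,
+"SUSPICIOUS", 60,
+"TRUE_POSITIVE", 67
+];
+let ThreatConfidenceLookup_malicious = datatable(
+alertInfo_analystVerdict_s: string,
+ThreatConfidence_malicious: int
+)
+[
+"FALSE_POSITIVE", 75,
+"Undefined", 80,
+"SUSPICIOUS", 90,
+"TRUE_POSITIVE", 100
+];
+let parser = (disabled: bool=false) {
+let alldata = SentinelOne_CL
+| where not(disabled)
+and event_name_s == "Alerts."
+and alertInfo_eventType_s == "PROCESSCREATION";
+let undefineddata = alldata
+| where ruleInfo_treatAsThreat_s == "UNDEFINED"
+| lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;
+let suspiciousdata = alldata
+| where ruleInfo_treatAsThreat_s == "Suspicious"
+| lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;
+let maaliciousdata = alldata
+| where ruleInfo_treatAsThreat_s == "Malicious"
+| lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;
+union undefineddata, suspiciousdata, maaliciousdata
+| extend ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)
+| project-rename
+DvcId = agentDetectionInfo_uuid_g,
+EventStartTime = sourceProcessInfo_pidStarttime_t,
+TargetProcessCommandLine = targetProcessInfo_tgtProcCmdLine_s,
+TargetProcessId = targetProcessInfo_tgtProcPid_s,
+TargetProcessName = targetProcessInfo_tgtProcName_s,
+EventUid = _ItemId,
+TargetProcessCreationTime = targetProcessInfo_tgtProcessStartTime_t,
+ActingProcessName = sourceProcessInfo_name_s,
+ParentProcessName = sourceParentProcessInfo_name_s,
+ActingProcessCommandLine = sourceProcessInfo_commandline_s,
+ActingProcessGuid = sourceProcessInfo_uniqueId_g,
+ActingProcessSHA1 = sourceProcessInfo_fileHashSha1_s,
+ParentProcessSHA1 = sourceParentProcessInfo_fileHashSha1_s,
+ActingProcessSHA256 = sourceProcessInfo_fileHashSha256_s,
+ParentProcessSHA256 = sourceParentProcessInfo_fileHashSha256_s,
+DvcOs = agentDetectionInfo_osName_s,
+DvcOsVersion = agentDetectionInfo_osRevision_s,
+TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s,
+EventOriginalType = alertInfo_eventType_s,
+EventOriginalSeverity = ruleInfo_severity_s,
+EventOriginalUid = alertInfo_dvEventId_s,
+RuleName = ruleInfo_name_s,
+ThreatOriginalConfidence = ruleInfo_treatAsThreat_s
+| invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')
+| extend
+ActingProcessId = sourceProcessInfo_pid_s,
+ActorUsername = sourceProcessInfo_user_s,
+TargetUsername = sourceProcessInfo_user_s,
+Hash = coalesce(targetProcessInfo_tgtFileHashSha256_s, targetProcessInfo_tgtFileHashSha1_s),
+ParentProcessId = sourceProcessInfo_pid_s,
+TargetProcessSHA1 = targetProcessInfo_tgtFileHashSha1_s,
+TargetProcessSHA256 = targetProcessInfo_tgtFileHashSha256_s,
+ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, "-", ""),
+ActingProcessMD5 = replace_string(sourceProcessInfo_fileHashMd5_g, "-", ""),
+EventSeverity = iff(EventOriginalSeverity == "Critical", "High", EventOriginalSeverity)
+| extend
+EventCount = int(1),
+EventProduct = "SentinelOne",
+EventResult = "Success",
+DvcAction = "Allowed",
+EventSchemaVersion = "0.1.4",
+EventType = "ProcessCreated",
+EventVendor = "SentinelOne",
+EventSchema = "ProcessEvent"
+| extend
+Dvc = DvcId,
+EventEndTime = EventStartTime,
+User = TargetUsername,
+ActingProcessCreationTime = EventStartTime,
+CommandLine = TargetProcessCommandLine,
+Process = TargetProcessName,
+Rule = RuleName
+| extend
+HashType = case(
+isnotempty(Hash) and isnotempty(TargetProcessSHA256),
+"TargetProcessSHA256",
+isnotempty(Hash) and isnotempty(TargetProcessSHA1),
+"TargetProcessSHA1",
+""
+),
+TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
+TargetUserType = _ASIM_GetUserType(TargetUsername, ""),
+DvcIdType = iff(isnotempty(DvcId), "Other", ""),
+ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
+ActorUserType = _ASIM_GetUserType(ActorUsername, "")
+| project-away
+*_d,
+*_s,
+*_g,
+*_t,
+*_b,
+_ResourceId,
+TenantId,
+RawData,
+Computer,
+MG,
+ManagementGroupName,
+SourceSystem,
+ThreatConfidence_*
+};
+parser(disabled=disabled)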
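Review bot: `ParentProcessId = sourceProcessInfo_pid_s` in the second `extend` takes the acting process's own pid, so ParentProcessId always equals ActingProcessId (`ActingProcessId = sourceProcessInfo_pid_s` four lines earlier) while ParentProcessName, ParentProcessSHA1 and ParentProcessSHA256 are mapped from `sourceParentProcessInfo_*`; unless the source really exposes no parent pid this should read the `sourceParentProcessInfo_` counterpart, and if no such field exists the column is better left unset than filled with the wrong pid, since lineage-based detections would otherwise see every process as its own parent. The three `where ruleInfo_treatAsThreat_s == ...` branches are the only inputs to the `union`, so PROCESSCREATION alerts whose treatAsThreat value is empty or anything other than "UNDEFINED"/"Suspicious"/"Malicious" are dropped silently; a fourth pass-through branch (or a single `case()` on both columns replacing the three lookups) would keep coverage intact. `TargetUsername = sourceProcessInfo_user_s` assigns the acting user to the target process, which may be intended for this source but deserves a comment. Minor: `maaliciousdata` is misspelled, and in References the `- Link:` line under "SentinelOne Documentation" starts a new list item instead of being that reference's Link key.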
4 changes: 3 additions & 1 deletion Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml
Expand Up @@ -29,6 +29,7 @@ Parsers:
- _ASim_ProcessEvent_TerminateMicrosoftWindowsEvents
- _ASim_ProcessEvent_CreateMicrosoftWindowsEvents
- _ASim_ProcessEvent_MD4IoT
- _ASim_ProcessEvent_CreateSentinelOne

ParserQuery: |
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
Expand All @@ -44,4 +45,5 @@ ParserQuery: |
ASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),
ASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),
ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),
ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) ))
ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )),
ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) ))
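Review bot: The entry added to `Parsers`, `_ASim_ProcessEvent_CreateSentinelOne`, does not match the name the new parser file declares as its `EquivalentBuiltInParser`, `_ASim_ProcessCreate_SentinelOne`; one of the two should be renamed so the built-in function list and the parser agree, and the same mismatched entry is added in ASimProcessEventCreate.yaml in this commit. While the MD4IoT union line is being edited to gain its trailing comma, note that its exclusion key reads `'ExcludeASimProcessEventMD4IoTh'` whereas ASimProcessEventCreate.yaml uses `'ExcludeASimProcessEventMD4IoT'`; with the stray `h` a watchlist entry that disables the create-only parser would not disable this one, so the key should be aligned while the line is touched. The enclosing `ParserQuery` block starts before this hunk.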
4 changes: 3 additions & 1 deletion Parsers/ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml
Expand Up @@ -24,6 +24,7 @@ Parsers:
- _ASim_ProcessEvent_CreateLinuxSysmon
- _ASim_ProcessEvent_CreateMicrosoftWindowsEvents
- _ASim_ProcessEvent_MD4IoT
- _ASim_ProcessEvent_CreateSentinelOne

ParserQuery: |
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcessEventCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
Expand All @@ -35,4 +36,5 @@ ParserQuery: |
ASimProcessCreateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )),
ASimProcessCreateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )),
ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),
ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) ))
ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),
ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) ))
94 changes: 94 additions & 0 deletions Parsers/ASimProcessEvent/Parsers/imProcess.yaml
@@ -0,0 +1,94 @@
Parser:
Title: Process Event ASIM parser
Version: '0.1.1'
LastUpdated: Aug 28, 2023
Product:
Name: Source Agnostic
Normalization:
Schema: ProcessEvent
Version: '0.1.0'
References:
- Title: ASIM Process Schema
Link: https://aka.ms/ASimProcessEventDoc
- Title: ASIM
Link: https://aka.ms/AboutASIM
Description: |
This ASIM parser supports normalizing process event logs from all supported sources to the ASIM ProcessEvent normalized schema.
ParserName: imProcess
ParserParams:
- Name: starttime
Type: datetime
Default: datetime(null)
- Name: endtime
Type: datetime
Default: datetime(null)
- Name: commandline_has_any
Type: dynamic
Default: dynamic([])
- Name: commandline_has_all
Type: dynamic
Default: dynamic([])
- Name: commandline_has_any_ip_prefix
Type: dynamic
Default: dynamic([])
- Name: actingprocess_has_any
Type: dynamic
Default: dynamic([])
- Name: targetprocess_has_any
Type: dynamic
Default: dynamic([])
- Name: parentprocess_has_any
Type: dynamic
Default: dynamic([])
- Name: targetusername_has
Type: string
Default: '*'
- Name: actorusername_has
Type: string
Default: '*'
- Name: dvcipaddr_has_any_prefix
Type: dynamic
Default: dynamic([])
- Name: dvchostname_has_any
Type: dynamic
Default: dynamic([])
- Name: eventtype
Type: string
Default: '*'
- Name: hashes_has_any
Type: dynamic
Default: dynamic([])
ParserQuery: |
let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), targetusername_has:string='*', actorusername_has:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvchostname_has_any:dynamic=dynamic([]), eventtype:string='*', hashes_has_any:dynamic=dynamic([])){
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
let imProcessBuiltInDisabled=toscalar('ExcludeimProcessBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
union isfuzzy=true
vimProcessEmpty
, vimProcessEventMicrosoft365D ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessEventMicrosoft365D' in (DisabledParsers) )))
, vimProcessCreateMicrosoftSysmon ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSysmon' in (DisabledParsers) )))
, vimProcessTerminateMicrosoftSysmon ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSysmon' in (DisabledParsers) )))
, vimProcessCreateMicrosoftSecurityEvents ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )))
, vimProcessTerminateMicrosoftSecurityEvents ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) )))
, vimProcessCreateLinuxSysmon ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) )))
, vimProcessTerminateLinuxSysmon ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon' in (DisabledParsers) )))
, vimProcessTerminateMicrosoftWindowsEvents ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )))
, vimProcessCreateMicrosoftWindowsEvents ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )))
, vimProcessEventMD4IoT ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) )))
, vimProcessCreateSentinelOne ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) )))
};
Generic(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any)
EquivalentBuiltInParser: _Im_Process
Parsers:
- _Im_Process_Empty
- _Im_ProcessEvent_Microsoft365D
- _Im_ProcessCreate_MicrosoftSysmon
- _Im_ProcessTerminate_MicrosoftSysmon
- _Im_ProcessCreate_MicrosoftSecurityEvents
- _Im_ProcessTerminate_MicrosoftSecurityEvents
- _Im_ProcessCreate_LinuxSysmon
- _Im_ProcessTerminate_LinuxSysmon
- _Im_ProcessTerminate_MicrosoftWindowsEvents
- _Im_ProcessCreate_MicrosoftWindowsEvents
- _Im_ProcessCreate_MD4IoT
- _Im_ProcessCreate_SentinelOne
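Review bot: The header still reads `Version: '0.1.1'` and `LastUpdated: Aug 28, 2023` although this commit adds the `vimProcessCreateSentinelOne` branch to the union and `_Im_ProcessCreate_SentinelOne` to the Parsers list, so the source-agnostic parser's version and date should be bumped to reflect the new source. The new call passes `targetusername_has`, `dvchostname_has_any` and `hashes_has_any`; the `vimProcessCreateSentinelOne` definition is not among the files rendered here, so confirm its parameter names match, since neighbouring calls use both the `targetusername`/`dvcname_has_any` and the `targetusername_has`/`dvchostname_has_any` spellings and a mismatch only surfaces at query time. The diffstat reports 94 additions while 93 lines are rendered, so one line (presumably blank) is not visible on this page.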