From 813613c12db6fdbd53d6965c719bf8f79b4a887e Mon Sep 17 00:00:00 2001 
From: Ido Shabi
Date: Tue, 26 Nov 2024 11:31:54 +0200
Subject: [PATCH 01/22] adding solution SentinelOne
---
 .../Data Connectors/SentinelOne_ccp/DCR.json | 688 +++++
 .../SentinelOne_ccp/PollerConfig.json | 338 +++
 .../SentinelOne_ccp/connectorDefinition.json | 164 +
 .../SentinelOne_ccp/solutionMetadata.json | 28 +
 .../SentinelOne_ccp/table - Activities.json | 130 +
 .../SentinelOne_ccp/table - Agents.json | 360 +++
 .../SentinelOne_ccp/table - Alerts.json | 60 +
 .../SentinelOne_ccp/table - Groups.json | 95 +
 .../SentinelOne_ccp/table - Threats.json | 250 ++
 .../Data/Solution_SentinelOne.json | 84 +-
 Solutions/SentinelOne/Package/3.0.3.zip | Bin 0 -> 30963 bytes
 .../Package/createUiDefinition.json | 9 +-
 .../SentinelOne/Package/mainTemplate.json | 2682 +++++++++++++++--
 .../SentinelOne/Package/testParameters.json | 14 +
 .../SentinelOne/Parsers/SentinelOne.yaml | 898 ++++-
 Solutions/SentinelOne/Parsers/newParser.txt | 633 ++++
 Solutions/SentinelOne/SolutionMetadata.json | 5 +-
 17 files changed, 5830 insertions(+), 608 deletions(-)
 create mode 100644 Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/DCR.json
 create mode 100644 Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/PollerConfig.json
 create mode 100644 Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/connectorDefinition.json
 create mode 100644 Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/solutionMetadata.json
 create mode 100644 Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Activities.json
 create mode 100644 Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Agents.json
 create mode 100644 Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Alerts.json
 create mode 100644 Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Groups.json
 create mode 100644 Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Threats.json
 create mode 100644 Solutions/SentinelOne/Package/3.0.3.zip
 create mode 100644 
Solutions/SentinelOne/Parsers/newParser.txt
diff --git a/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/DCR.json b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/DCR.json
new file mode 100644
index 00000000000..7901f698342
--- /dev/null
+++ b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/DCR.json
@@ -0,0 +1,688 @@ +{ + "name": "SentinelOneActivitiesDCR", + "apiVersion": "2021-09-01-preview", + "location": "[parameters('workspace-location')]", + "type": "Microsoft.Insights/dataCollectionRules", + "properties": { + "streamDeclarations": { + "Custom-SentinelOneActivities_API": { + "columns": [ + { + "name": "agentUpdatedVersion", + "type": "string", + "description": "The version of the agent that was updated." + }, + { + "name": "userId", + "type": "string", + "description": "The unique identifier for the user." + }, + { + "name": "threatId", + "type": "string", + "description": "The unique identifier for the threat." + }, + { + "name": "primaryDescription", + "type": "string", + "description": "The primary description of the event." + }, + { + "name": "secondaryDescription", + "type": "string", + "description": "The secondary description of the event." + }, + { + "name": "id", + "type": "string", + "description": "The unique identifier for the record." + }, + { + "name": "groupId", + "type": "string", + "description": "The unique identifier for the group." + }, + { + "name": "createdAt", + "type": "datetime", + "description": "The timestamp (UTC) when the record was created." + }, + { + "name": "accountName", + "type": "string", + "description": "The name of the account associated with the event." + }, + { + "name": "data", + "type": "string", + "description": "Activity metadata." + }, + { + "name": "agentId", + "type": "string", + "description": "The unique identifier for the agent." + }, + { + "name": "hash", + "type": "string", + "description": "The hash associated with the event." + }, + { + "name": "updatedAt", + "type": "string", + "description": "The timestamp (UTC) when the record was last updated." + }, + { + "name": "description", + "type": "string", + "description": "The description of the event." + }, + { + "name": "activityUuid", + "type": "string", + "description": "The UUID of the activity associated with the event." 
+ }, + { + "name": "siteId", + "type": "string", + "description": "The unique identifier for the site." + }, + { + "name": "activityType", + "type": "real", + "description": "The type of activity represented by an integer." + }, + { + "name": "siteName", + "type": "string", + "description": "The name of the site associated with the event." + }, + { + "name": "accountId", + "type": "string", + "description": "The unique identifier for the account." + }, + { + "name": "osFamily", + "type": "string", + "description": "The operating system family, such as macOS." + }, + { + "name": "groupName", + "type": "string", + "description": "The name of the group associated with the event." + }, + { + "name": "comments", + "type": "string", + "description": "Any comments associated with the event." + } + ] + }, + "Custom-SentinelOneAgents_API": { + "columns": [ + { + "name": "uuid", + "type": "string", + "description": "The unique identifier for the object." + }, + { + "name": "mitigationMode", + "type": "string", + "description": "The mitigation mode applied." + }, + { + "name": "networkStatus", + "type": "string", + "description": "The network status of the object." + }, + { + "name": "installerType", + "type": "string", + "description": "The type of installer used." + }, + { + "name": "mitigationModeSuspicious", + "type": "string", + "description": "The suspicious mitigation mode applied." + }, + { + "name": "isPendingUninstall", + "type": "boolean", + "description": "Indicates whether the object is pending uninstallation." + }, + { + "name": "inRemoteShellSession", + "type": "boolean", + "description": "Indicates whether the object is in a remote shell session." + }, + { + "name": "lastLoggedInUserName", + "type": "string", + "description": "The username of the last logged-in user." + }, + { + "name": "osRevision", + "type": "string", + "description": "The OS revision." + }, + { + "name": "osArch", + "type": "string", + "description": "The OS architecture." 
+ }, + { + "name": "id", + "type": "string", + "description": "The unique identifier for the object." + }, + { + "name": "computerName", + "type": "string", + "description": "The name of the computer." + }, + { + "name": "totalMemory", + "type": "real", + "description": "The total memory available in MB." + }, + { + "name": "createdAt", + "type": "datetime", + "description": "The timestamp (UTC) when the object was created." + }, + { + "name": "groupId", + "type": "string", + "description": "The unique identifier for the group." + }, + { + "name": "lastActiveDate", + "type": "string", + "description": "The timestamp (UTC) when the object was last active." + }, + { + "name": "fullDiskScanLastUpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the full disk scan was last updated." + }, + { + "name": "allowRemoteShell", + "type": "boolean", + "description": "Indicates whether remote shell is allowed." + }, + { + "name": "rangerVersion", + "type": "string", + "description": "The version of the ranger." + }, + { + "name": "accountName", + "type": "string", + "description": "The account name." + }, + { + "name": "scanStatus", + "type": "string", + "description": "The scan status of the object." + }, + { + "name": "domain", + "type": "string", + "description": "The domain of the object." + }, + { + "name": "missingPermissions", + "type": "string", + "description": "Details of the missing permissions." + }, + { + "name": "isActive", + "type": "boolean", + "description": "Indicates whether the object is active." + }, + { + "name": "groupIp", + "type": "string", + "description": "The IP address of the group." + }, + { + "name": "threatRebootRequired", + "type": "boolean", + "description": "Indicates whether a reboot is required due to a threat." + }, + { + "name": "groupUpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the group was last updated." 
+ }, + { + "name": "externalId", + "type": "string", + "description": "The external identifier associated with the object." + }, + { + "name": "machineType", + "type": "string", + "description": "The type of machine." + }, + { + "name": "registeredAt", + "type": "string", + "description": "The timestamp (UTC) when the object was registered." + }, + { + "name": "appsVulnerabilityStatus", + "type": "string", + "description": "The vulnerability status of the applications." + }, + { + "name": "coreCount", + "type": "real", + "description": "The number of CPU cores." + }, + { + "name": "locations", + "type": "string", + "description": "The locations associated with the object." + }, + { + "name": "scanFinishedAt", + "type": "string", + "description": "The timestamp (UTC) when the scan was finished." + }, + { + "name": "updatedAt", + "type": "string", + "description": "The timestamp (UTC) when the object was last updated." + }, + { + "name": "externalIp", + "type": "string", + "description": "The external IP address of the object." + }, + { + "name": "locationType", + "type": "string", + "description": "The type of location." + }, + { + "name": "policyUpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the policy was last updated." + }, + { + "name": "isDecommissioned", + "type": "boolean", + "description": "Indicates whether the object is decommissioned." + }, + { + "name": "cpuId", + "type": "string", + "description": "The identifier of the CPU." + }, + { + "name": "networkInterfaces", + "type": "string", + "description": "Details of the network interfaces." + }, + { + "name": "isUninstalled", + "type": "boolean", + "description": "Indicates whether the object is uninstalled." + }, + { + "name": "activeDirectory", + "type": "string", + "description": "Details about the active directory." + }, + { + "name": "scanStartedAt", + "type": "string", + "description": "The timestamp (UTC) when the scan was started." 
+ }, + { + "name": "rangerStatus", + "type": "string", + "description": "The status of the ranger." + }, + { + "name": "siteId", + "type": "string", + "description": "The unique identifier for the site." + }, + { + "name": "agentVersion", + "type": "string", + "description": "The version of the agent." + }, + { + "name": "osUsername", + "type": "string", + "description": "The username associated with the operating system." + }, + { + "name": "encryptedApplications", + "type": "boolean", + "description": "Indicates whether the applications are encrypted." + }, + { + "name": "lastIpToMgmt", + "type": "string", + "description": "The last IP address used for management." + }, + { + "name": "cpuCount", + "type": "real", + "description": "The number of CPUs." + }, + { + "name": "scanAbortedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the scan was aborted." + }, + { + "name": "siteName", + "type": "string", + "description": "The name of the site." + }, + { + "name": "activeThreats", + "type": "real", + "description": "The number of active threats." + }, + { + "name": "infected", + "type": "boolean", + "description": "Indicates whether the object is infected." + }, + { + "name": "consoleMigrationStatus", + "type": "string", + "description": "The status of the console migration." + }, + { + "name": "osType", + "type": "string", + "description": "The type of operating system." + }, + { + "name": "accountId", + "type": "string", + "description": "The unique identifier for the account." + }, + { + "name": "groupName", + "type": "string", + "description": "The name of the group." + }, + { + "name": "osName", + "type": "string", + "description": "The name of the operating system." + }, + { + "name": "isUpToDate", + "type": "boolean", + "description": "Indicates whether the object is up to date." + }, + { + "name": "licenseKey", + "type": "string", + "description": "The license key associated with the object." 
+ }, + { + "name": "userActionsNeeded", + "type": "string", + "description": "Details of the user actions needed." + }, + { + "name": "modelName", + "type": "string", + "description": "The model name of the object." + }, + { + "name": "networkQuarantineEnabled", + "type": "boolean", + "description": "Is Network Quarantine Enabled on the device" + }, + { + "name": "operationalStateExpiration", + "type": "string", + "description": "Agent operational state." + }, + { + "name": "remoteProfilingState", + "type": "string", + "description": "Agent remote profiling state." + }, + { + "name": "osStartTime", + "type":"string", + "description": "The Start time of the os." + } + ] + }, + "Custom-SentinelOneAlerts_API": { + "columns": [ + { + "name": "sourceProcessInfo", + "type": "string", + "description": "Information about the source process." + }, + { + "name": "alertInfo", + "type": "string", + "description": "Details about the alert." + }, + { + "name": "agentDetectionInfo", + "type": "string", + "description": "Detection information related to the agent." + }, + { + "name": "ruleInfo", + "type": "string", + "description": "Information regarding the applied rule." + }, + { + "name": "containerInfo", + "type": "string", + "description": "Information about the container." + }, + { + "name": "sourceParentProcessInfo", + "type": "string", + "description": "Information about the parent process of the source." + }, + { + "name": "targetProcessInfo", + "type": "string", + "description": "Details regarding the target process." + }, + { + "name": "kubernetesInfo", + "type": "string", + "description": "Kubernetes-related information." + } + ] + }, + "Custom-SentinelOneGroups_API": { + "columns": [ + { + "name": "creator", + "type": "string", + "description": "The name of the creator." + }, + { + "name": "registrationToken", + "type": "string", + "description": "The token used for registration." 
+ }, + { + "name": "isDefault", + "type": "boolean", + "description": "Indicates whether this is the default setting." + }, + { + "name": "updatedAt", + "type": "string", + "description": "The timestamp (UTC) when the object was last updated." + }, + { + "name": "totalAgents", + "type": "real", + "description": "The total number of agents." + }, + { + "name": "inherits", + "type": "boolean", + "description": "Indicates whether the object inherits properties." + }, + { + "name": "name", + "type": "string", + "description": "The name of the object." + }, + { + "name": "rank", + "type": "real", + "description": "The rank of the object." + }, + { + "name": "filterName", + "type": "string", + "description": "The name of the filter applied." + }, + { + "name": "type", + "type": "string", + "description": "The type of the object." + }, + { + "name": "id", + "type": "string", + "description": "The unique identifier for the object." + }, + { + "name": "createdAt", + "type": "datetime", + "description": "The timestamp (UTC) when the object was created." + }, + { + "name": "creatorId", + "type": "string", + "description": "The unique identifier of the creator." + }, + { + "name": "siteId", + "type": "string", + "description": "The unique identifier of the site." + }, + { + "name": "filterId", + "type": "string", + "description": "The unique identifier of the filter." + } + ] + }, + "Custom-SentinelOneThreats_API": { + "columns": [ + { + "name": "threatInfo", + "type": "string", + "description": "The information regarding the threat." + }, + { + "name": "agentDetectionInfo", + "type": "string", + "description": "The information of the agent on detectino." + }, + { + "name": "agentRealtimeInfo", + "type": "string", + "description": "The information of the agent in real time." + }, + { + "name": "indicators", + "type": "string", + "description": "Details of the indicators." 
+ }, + { + "name": "whiteningOptions", + "type": "string", + "description": "Details of the whitening options." + }, + { + "name": "id", + "type": "string", + "description": "Event Id." + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "not important. changed by the script", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-SentinelOneActivities_API" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source | project TimeGenerated = createdAt, AgentUpdatedVersion = agentUpdatedVersion, UserId = userId, ThreatId = threatId, PrimaryDescription = primaryDescription, SecondaryDescription = secondaryDescription, Id = id, GroupId = groupId, CreatedAt = createdAt, AccountName = accountName, Data = data, AgentId = agentId, Hash = hash, UpdatedAt = todatetime(updatedAt), Description = description, ActivityUuid = activityUuid, SiteId = siteId, ActivityType = activityType, SiteName = siteName, AccountId = accountId, OsFamily = osFamily, GroupName = groupName, Comments = comments", + "outputStream": "Custom-SentinelOneActivities_CL" + }, + { + "streams": [ + "Custom-SentinelOneAgents_API" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source | project TimeGenerated = createdAt, Uuid = uuid, MitigationMode = mitigationMode, NetworkStatus = networkStatus, InstallerType = installerType, MitigationModeSuspicious = mitigationModeSuspicious, IsPendingUninstall = isPendingUninstall, InRemoteShellSession = inRemoteShellSession, LastLoggedInUserName = lastLoggedInUserName, OsRevision = osRevision, OsArch = osArch, Id = id, ComputerName = computerName, TotalMemory = totalMemory, CreatedAt = createdAt, GroupId = groupId, LastActiveDate = todatetime(lastActiveDate), FullDiskScanLastUpdatedAt = fullDiskScanLastUpdatedAt, AllowRemoteShell = allowRemoteShell, RangerVersion = rangerVersion, AccountName = accountName, ScanStatus = scanStatus, Domain = domain, MissingPermissions = missingPermissions, 
IsActive = isActive, GroupIp = groupIp, ThreatRebootRequired = threatRebootRequired, GroupUpdatedAt = groupUpdatedAt, ExternalId = externalId, MachineType = machineType, RegisteredAt = todatetime(registeredAt), AppsVulnerabilityStatus = appsVulnerabilityStatus, CoreCount = coreCount, Locations = locations, ScanFinishedAt = todatetime(scanFinishedAt), UpdatedAt = todatetime(updatedAt), ExternalIp = externalIp, LocationType = locationType, PolicyUpdatedAt = policyUpdatedAt, IsDecommissioned = isDecommissioned, CpuId = cpuId, NetworkInterfaces = networkInterfaces, IsUninstalled = isUninstalled, ActiveDirectory = activeDirectory, ScanStartedAt = todatetime(scanStartedAt), RangerStatus = rangerStatus, SiteId = siteId, AgentVersion = agentVersion, OsUsername = osUsername, EncryptedApplications = encryptedApplications, LastIpToMgmt = lastIpToMgmt, CpuCount = cpuCount, ScanAbortedAt = scanAbortedAt, SiteName = siteName, ActiveThreats = activeThreats, Infected = infected, ConsoleMigrationStatus = consoleMigrationStatus, OsType = osType, AccountId = accountId, GroupName = groupName, OsName = osName, IsUpToDate = isUpToDate, LicenseKey = licenseKey, UserActionsNeeded = userActionsNeeded, ModelName = modelName, OsStartTime = todatetime(osStartTime), NetworkQuarantineEnabled=networkQuarantineEnabled,OperationalStateExpiration=operationalStateExpiration,RemoteProfilingState=remoteProfilingState", + "outputStream": "Custom-SentinelOneAgents_CL" + }, + { + "streams": [ + "Custom-SentinelOneAlerts_API" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source | project TimeGenerated = todatetime(parse_json(todynamic(alertInfo)).createdAt), SourceProcessInfo = sourceProcessInfo, AlertInfo = alertInfo, AgentDetectionInfo = agentDetectionInfo, RuleInfo = ruleInfo, ContainerInfo = containerInfo, SourceParentProcessInfo = sourceParentProcessInfo, TargetProcessInfo = targetProcessInfo, KubernetesInfo = kubernetesInfo", + "outputStream": "Custom-SentinelOneAlerts_CL" + }, + { + 
"streams": [ + "Custom-SentinelOneGroups_API" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source | project TimeGenerated = createdAt, Creator = creator, RegistrationToken = registrationToken, IsDefault = tostring(isDefault), UpdatedAt = todatetime(updatedAt), TotalAgents = tostring(totalAgents), Inherits = tostring(inherits), Name = name, Rank = rank, FilterName = filterName, GroupType = type, Id = id, CreatedAt = createdAt, CreatorId = creatorId, SiteId = siteId, FilterId = filterId", + "outputStream": "Custom-SentinelOneGroups_CL" + }, + { + "streams": [ + "Custom-SentinelOneThreats_API" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source | extend ThreatInfo = parse_json(todynamic(threatInfo)), AgentDetectionInfo=parse_json(todynamic(agentDetectionInfo)), AgentRealtimeInfo=parse_json(todynamic(agentRealtimeInfo)) | project TimeGenerated = todatetime(ThreatInfo.createdAt), FilePath = tostring(ThreatInfo.filePath), CloudVerdict = tostring(ThreatInfo.cloudVerdict), MitigationMode = tostring(AgentDetectionInfo.mitigationMode), AgentOsType = tostring(AgentRealtimeInfo.agentOsType), AgentInfected = tobool(AgentRealtimeInfo.agentInfected), InitiatingUserId = tostring(ThreatInfo.initiatingUserId), Engines = tostring(ThreatInfo.engines), Id = id, FileExtensionType = tostring(ThreatInfo.fileExtensionType), MitigationStatus = tostring(ThreatInfo.mitigationStatus), AgentDomain = tostring(AgentDetectionInfo.agentDomain), CreatedAt = todatetime(ThreatInfo.createdAt), IsCertValid = tobool(ThreatInfo.isValidCertificate), FileDisplayName = tostring(ThreatInfo.filePath), AgentIp = tostring(AgentDetectionInfo.agentIpV4), AccountName = tostring(AgentRealtimeInfo.accountName), AgentMachineType = tostring(AgentRealtimeInfo.agentMachineType), FileVerificationType = tostring(ThreatInfo.fileVerificationType), Indicators = indicators, InitiatedByDescription = tostring(ThreatInfo.initiatedByDescription), AutomaticallyResolved = 
tobool(ThreatInfo.automaticallyResolved), AgentId = tostring(AgentRealtimeInfo.agentId), ProcessArguments = tostring(ThreatInfo.maliciousProcessArguments), MitigationReport = tostring(AgentDetectionInfo.mitigationReport), ThreatName = tostring(ThreatInfo.threatName), ClassificationSource = tostring(ThreatInfo.classificationSource), UpdatedAt = todatetime(ThreatInfo.updatedAt), InitiatedBy = tostring(ThreatInfo.initiatedBy), AgentNetworkStatus = tostring(AgentRealtimeInfo.agentNetworkStatus), AgentComputerName = tostring(AgentRealtimeInfo.agentComputerName), Classification = tostring(ThreatInfo.classification), CertId = tostring(ThreatInfo.certificateId), AgentIsActive = tobool(AgentRealtimeInfo.agentIsActive), SiteId = tostring(AgentDetectionInfo.siteId), AgentVersion = tostring(AgentDetectionInfo.agentVersion), FileContentHash = tostring(ThreatInfo.md5), WhiteningOptions = whiteningOptions,FileSha256 = tostring(ThreatInfo.sha256), Username = tostring(ThreatInfo.initiatingUsername), AgentIsDecommissioned = tobool(AgentDetectionInfo.agentIsDecommissioned), CollectionId = tostring(ThreatInfo.collectionId), SiteName = tostring(AgentDetectionInfo.siteName), AccountId = tostring(AgentDetectionInfo.accountId), ThreatInfo, AgentDetectionInfo, AgentRealtimeInfo", + "outputStream": "Custom-SentinelOneThreats_CL" + + } + ], + "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]" + + } +} \ No newline at end of file diff --git a/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/PollerConfig.json b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/PollerConfig.json new file mode 100644 index 00000000000..2db5e1d412f --- /dev/null +++ b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/PollerConfig.json 
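Review bot: The Groups data flow projects `RegistrationToken = registrationToken` into `Custom-SentinelOneGroups_CL`, so a value the stream declaration itself describes as "The token used for registration" — presumably the group's agent-enrollment token — is persisted in the workspace for every reader of that table; unless it is needed for a detection, drop it from the `project` list (and from the `Custom-SentinelOneGroups_API` stream), and reconsider `LicenseKey = licenseKey` in the Agents flow on the same grounds. In the Threats flow `FileDisplayName = tostring(ThreatInfo.filePath)` reads the same property as `FilePath`, which looks like a copy-paste slip; confirm which source field was intended. `parse_json(todynamic(alertInfo))` in the Alerts flow and the three `extend` calls in the Threats flow wrap a dynamic in a second conversion, `todynamic(...)` alone is enough. The Threats column description "The information of the agent on detectino." has a typo.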
@@ -0,0 +1,338 @@
+[{
+ "name": "SentinelOnePoller_activities_created_events",
+ "apiVersion": "2022-10-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "SentinelOne",
+ "dcrConfig": {
+ "streamName": "Custom-SentinelOneActivities_API",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "dataType": "SentinelOne API",
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('apitoken')]",
+ "ApiKeyName" : "Authorization",
+ "ApiKeyIdentifier": "ApiToken"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'activities')]",
+ "rateLimitQPS": 10,
+ "queryWindowInMin": 5,
+ "httpMethod": "GET",
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryParameters": {
+ "createdAt__gt" : "{_QueryWindowStartTime}",
+ "createdAt__lt" : "{_QueryWindowEndTime}"
+ },
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "Scuba"
+ }
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "PageSize": "1000",
+ "PageSizeParameterName": "limit",
+ "NextPageTokenJsonPath": "$.pagination.nextCursor",
+ "NextPageParaName": "cursor"
+ },
+ "response": {
+ "eventsJsonPaths": ["$.data"]
+ }
+ }
+},
+{
+ "name": "SentinelOnePoller_agents_created_events",
+ "apiVersion": "2022-10-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "SentinelOne",
+ "dcrConfig": {
+ "streamName": "Custom-SentinelOneAgents_API",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "dataType": "SentinelOne API",
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": 
"[[parameters('apitoken')]",
+ "ApiKeyName" : "Authorization",
+ "ApiKeyIdentifier": "ApiToken"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'agents')]",
+ "rateLimitQPS": 10,
+ "queryWindowInMin": 5,
+ "httpMethod": "GET",
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryParameters": {
+ "createdAt__gt" : "{_QueryWindowStartTime}",
+ "createdAt__lt" : "{_QueryWindowEndTime}"
+ },
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "Scuba"
+ }
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "PageSize": "1000",
+ "PageSizeParameterName": "limit",
+ "NextPageTokenJsonPath": "$.pagination.nextCursor",
+ "NextPageParaName": "cursor"
+ },
+ "response": {
+ "eventsJsonPaths": ["$.data"]
+ }
+ }
+}
+,
+{
+ "name": "SentinelOnePoller_agents_updated_events",
+ "apiVersion": "2022-10-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "SentinelOne",
+ "dcrConfig": {
+ "streamName": "Custom-SentinelOneAgents_API",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "dataType": "SentinelOne API",
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('apitoken')]",
+ "ApiKeyName" : "Authorization",
+ "ApiKeyIdentifier": "ApiToken"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'agents')]",
+ "rateLimitQPS": 10,
+ "queryWindowInMin": 5,
+ "httpMethod": "GET",
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryParameters": {
+ "updatedAt__gt" : "{_QueryWindowStartTime}",
+ "updatedAt__lt" : "{_QueryWindowEndTime}"
+ },
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "Scuba"
+ }
+ },
+ "paging": {
+ "pagingType": 
"NextPageToken",
+ "PageSize": "200",
+ "PageSizeParameterName": "limit",
+ "NextPageTokenJsonPath": "$.pagination.nextCursor",
+ "NextPageParaName": "cursor"
+ },
+ "response": {
+ "eventsJsonPaths": ["$.data"]
+ }
+ }
+},
+{
+ "name": "SentinelOnePoller_alerts_created_events",
+ "apiVersion": "2022-10-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "SentinelOne",
+ "dcrConfig": {
+ "streamName": "Custom-SentinelOneAlerts_API",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "dataType": "SentinelOne API",
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('apitoken')]",
+ "ApiKeyName" : "Authorization",
+ "ApiKeyIdentifier": "ApiToken"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'cloud-detection/alerts')]",
+ "rateLimitQPS": 10,
+ "queryWindowInMin": 5,
+ "httpMethod": "GET",
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryParameters": {
+ "createdAt__gt" : "{_QueryWindowStartTime}",
+ "createdAt__lt" : "{_QueryWindowEndTime}"
+ },
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "Scuba"
+ }
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "PageSize": "1000",
+ "PageSizeParameterName": "limit",
+ "NextPageTokenJsonPath": "$.pagination.nextCursor",
+ "NextPageParaName": "cursor"
+ },
+ "response": {
+ "eventsJsonPaths": ["$.data"]
+ }
+ }
+},
+{
+ "name": "SentinelOnePoller_groups_updated_events",
+ "apiVersion": "2022-10-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "SentinelOne",
+ "dcrConfig": {
+ "streamName": "Custom-SentinelOneGroups_API",
+ "dataCollectionEndpoint": 
"[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "dataType": "SentinelOne API",
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('apitoken')]",
+ "ApiKeyName" : "Authorization",
+ "ApiKeyIdentifier": "ApiToken"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'groups')]",
+ "rateLimitQPS": 10,
+ "queryWindowInMin": 5,
+ "httpMethod": "GET",
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryParameters": {
+ "updatedAt__gt" : "{_QueryWindowStartTime}",
+ "updatedAt__lt" : "{_QueryWindowEndTime}"
+ },
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "Scuba"
+ }
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "PageSize": "200",
+ "PageSizeParameterName": "limit",
+ "NextPageTokenJsonPath": "$.pagination.nextCursor",
+ "NextPageParaName": "cursor"
+ },
+ "response": {
+ "eventsJsonPaths": ["$.data"]
+ }
+ }
+},
+{
+ "name": "SentinelOnePoller_threats_created_events",
+ "apiVersion": "2022-10-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "SentinelOne",
+ "dcrConfig": {
+ "streamName": "Custom-SentinelOneThreats_API",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "dataType": "SentinelOne API",
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('apitoken')]",
+ "ApiKeyName" : "Authorization",
+ "ApiKeyIdentifier": "ApiToken"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'threats')]",
+ "rateLimitQPS": 10,
+ "queryWindowInMin": 5,
+ "httpMethod": "GET",
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryParameters": {
+ "createdAt__gt" : 
"{_QueryWindowStartTime}",
+ "createdAt__lt" : "{_QueryWindowEndTime}"
+ },
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "Scuba"
+ }
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "PageSize": "1000",
+ "PageSizeParameterName": "limit",
+ "NextPageTokenJsonPath": "$.pagination.nextCursor",
+ "NextPageParaName": "cursor"
+ },
+ "response": {
+ "eventsJsonPaths": ["$.data"]
+ }
+ }
+},
+{
+ "name": "SentinelOnePoller_threats_updated_events",
+ "apiVersion": "2022-10-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "SentinelOne",
+ "dcrConfig": {
+ "streamName": "Custom-SentinelOneThreats_API",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "dataType": "SentinelOne API",
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('apitoken')]",
+ "ApiKeyName" : "Authorization",
+ "ApiKeyIdentifier": "ApiToken"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'threats')]",
+ "rateLimitQPS": 10,
+ "queryWindowInMin": 5,
+ "httpMethod": "GET",
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryParameters": {
+ "updatedAt__gt" : "{_QueryWindowStartTime}",
+ "updatedAt__lt" : "{_QueryWindowEndTime}"
+ },
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "Scuba"
+ }
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "PageSize": "200",
+ "PageSizeParameterName": "limit",
+ "NextPageTokenJsonPath": "$.pagination.nextCursor",
+ "NextPageParaName": "cursor"
+ },
+ "response": {
+ "eventsJsonPaths": ["$.data"]
+ }
+ }
+}
+]
\ No newline at end of file
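Review bot: All seven pollers filter with strict `__gt`/`__lt` on `{_QueryWindowStartTime}`/`{_QueryWindowEndTime}`, so if consecutive 5-minute windows share their boundary instant, a record whose `createdAt`/`updatedAt` equals that instant is rejected by both windows and is never ingested; if the SentinelOne API accepts an inclusive variant, make one side inclusive, e.g. `"createdAt__gte" : "{_QueryWindowStartTime}"`. The created-pollers set `"PageSize": "1000"` while the updated-pollers and groups use `"200"` with nothing explaining the split; pick one value or document why they differ. `managementUrl` is concatenated unvalidated into `apiEndpoint` and every request carries the token under `"ApiKeyName" : "Authorization"`, so the connector definition (outside this hunk) should constrain that parameter to an `https://` URL before it is accepted. `"User-Agent": "Scuba"` looks inherited from another connector; a value naming this connector makes the traffic attributable in the vendor's access logs.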
diff --git a/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/connectorDefinition.json b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/connectorDefinition.json
new file mode 100644
index 00000000000..8ca9122791c
--- /dev/null
+++ b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/connectorDefinition.json
@@ -0,0 +1,164 @@
+{
+ "name": "SentinelOne",
+ "apiVersion": "2024-01-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "SentinelOne",
+ "title": "SentinelOne",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "The [SentinelOne](https://usea1-nessat.sentinelone.net/api-doc/overview) data connector allows ingesting logs from the SentinelOne API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform. It uses the SentinelOne API to fetch logs and it supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance.",
+ "graphQueries": [
+ {
+ "metricName": "Total activities logs received",
+ "legend": "SentinelOne Activities Logs",
+ "baseQuery": "SentinelOneActivities_CL"
+ },
+ {
+ "metricName": "Total agents logs received",
+ "legend": "SentinelOne Agents Logs",
+ "baseQuery": "SentinelOneAgents_CL"
+ },
+ {
+ "metricName": "Total groups logs received",
+ "legend": "SentinelOne Groups Logs",
+ "baseQuery": "SentinelOneGroups_CL"
+ },
+ {
+ "metricName": "Total threats logs received",
+ "legend": "SentinelOne Threats Logs",
+ "baseQuery": "SentinelOneThreats_CL"
+ },
+ {
+ "metricName": "Total alerts logs received",
+ "legend": "SentinelOne Alerts Logs",
+ "baseQuery": "SentinelOneAlerts_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of SentinelOne activities logs",
+ "query": "SentinelOneActivities_CL| take 10"
+ },
+ {
+ "description": "Get Sample of SentinelOne groups logs",
+ "query": "SentinelOneGroups_CL| take 10"
+ },
+ {
+ "description": "Get Sample of SentinelOne threats logs",
+ "query": "SentinelOneThreats_CL| take 10"
+ },
+ {
+ "description": "Get Sample of SentinelOne agents 
logs",
+ "query": "SentinelOneAgents_CL| take 10"
+ },
+ {
+ "description": "Get Sample of SentinelOne alerts logs",
+ "query": "SentinelOneAlerts_CL| take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "SentinelOneActivities_CL",
+ "lastDataReceivedQuery": "SentinelOneActivities_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "SentinelOneAgents_CL",
+ "lastDataReceivedQuery": "SentinelOneAgents_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "SentinelOneGroups_CL",
+ "lastDataReceivedQuery": "SentinelOneGroups_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "SentinelOneThreats_CL",
+ "lastDataReceivedQuery": "SentinelOneThreats_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "SentinelOneAlerts_CL",
+ "lastDataReceivedQuery": "SentinelOneAlerts_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors",
+ "value": null
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "tenant": null,
+ "licenses": null,
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true,
+ "action": false
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### Configuration steps for the SentinelOne API \n Follow the instructions to obtain the credentials. 
You can also follow the [guide](https://usea1-nessat.sentinelone.net/docs/en/how-to-automate-api-token-generation.html#how-to-automate-api-token-generation) to generate API key."
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 1. Retrieve SentinelOne Management URL\n 1.1. Log in to the SentinelOne [**Management Console**] with Admin user credentials\n 1.2. In the [**Management Console**] copy the URL link above without the URL path."
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 2. Retrieve API Token\n 2.1. Log in to the SentinelOne [**Management Console**] with Admin user credentials\n 2.2. In the [**Management Console**], click [**Settings**]\n 2.3. In [**Settings**] view click on [**USERS**].\n 2.4. In the [**USERS**] Page click on [**Service Users**] -> [**Actions**] -> [**Create new service user**].\n 2.5. Choose [**Expiration date**] and [**scope**] (by site) and click on [**Create User**].\n 2.6. Once the [**Service User**] is created copy the [**API Token**] from page and press [**Save**]"
+ }
+ },
+ {
+ "parameters": {
+ "label": "SentinelOne Management URL",
+ "placeholder": "https://example.sentinelone.net/",
+ "type": "text",
+ "name": "managementUrl"
+ },
+ "type": "Textbox"
+ },
+ {
+ "parameters": {
+ "label": "API Token",
+ "placeholder": "API Token",
+ "type": "password",
+ "name": "apitoken"
+ },
+ "type": "Textbox"
+ },
+ {
+ "parameters": {
+ "label": "toggle",
+ "name": "toggle"
+ },
+ "type": "ConnectionToggleButton"
+ }
+ ],
+ "innerSteps": null
+ }
+ ],
+ "isConnectivityCriteriasMatchSome": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/solutionMetadata.json b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/solutionMetadata.json
new file mode 100644
index 00000000000..18b9f7abd07
--- /dev/null
+++ b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/solutionMetadata.json
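Review bot: The documentation links in `descriptionMarkdown` and in the first Markdown instruction point at `https://usea1-nessat.sentinelone.net/...`, which looks like one specific tenant's management-console hostname rather than vendor-neutral documentation; every customer who installs this connector will be sent to that console, so the links should reference SentinelOne's public documentation site instead. The `managementUrl` placeholder `https://example.sentinelone.net/` ends with a slash, while the poller shown earlier in this patch builds its endpoint with `concat(parameters('managementUrl'), '/web/api/', ...)`, so a value entered as shown yields `//web/api`; drop the trailing slash from the placeholder and state in step 1.2 that the URL must be entered without it. Step 2 never says which role the service user should get; the poller in this patch only issues GET requests, so the instructions should direct users to the lowest read-only role the console offers, keeping the stored token least-privilege if it is ever exposed.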
@@ -0,0 +1,28 @@
+{
+ "SolutionName":"SentinelOne",
+ "SolutionAuthor": "Microsoft",
+ "SolutionVersion":"1.0.1",
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-sentinelone",
+ "PackageId": "azuresentinel.azure-sentinel-SentinelOne",
+ "TemplateName": "SentinelOneTemplatev2",
+ "ConnectorDefinitionTemplateVersion": "1.0.1",
+ "DataConnectorsTemplateVersion": "1.0.1",
+ "firstPublishDate": "2024-09-08",
+ "packageIcon": "sentinel_one_edr_logo",
+ "SolutionTier": "Microsoft",
+ "providers": [
+ "SentinelOne"
+ ],
+ "categories": {
+ "domains": ["Security - Threat Protection"],
+ "verticals": []
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+
+}
\ No newline at end of file
diff --git a/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Activities.json b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Activities.json
new file mode 100644
index 00000000000..4fe20ed9487
--- /dev/null
+++ b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Activities.json
@@ -0,0 +1,130 @@
+
+{
+ "name": "SentinelOneActivities_CL",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2021-03-01-privatepreview",
+ "tags": {},
+ "properties": {
+ "schema": {
+ "name": "SentinelOneActivities_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "AgentUpdatedVersion",
+ "type": "string",
+ "description": "The version of the agent that was updated."
+ },
+ {
+ "name": "UserId",
+ "type": "string",
+ "description": "The unique identifier for the user."
+ },
+ {
+ "name": "ThreatId",
+ "type": "string",
+ "description": "The unique identifier for the threat."
+ },
+ {
+ "name": "PrimaryDescription",
+ "type": "string",
+ "description": "The primary description of the event."
+ },
+ {
+ "name": "SecondaryDescription",
+ "type": "string",
+ "description": "The secondary description of the event."
+ },
+ {
+ "name": "Id",
+ "type": "string",
+ "description": "The unique identifier for the record."
+ },
+ {
+ "name": "GroupId",
+ "type": "string",
+ "description": "The unique identifier for the group."
+ },
+ {
+ "name": "CreatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the record was created."
+ },
+ {
+ "name": "AccountName",
+ "type": "string",
+ "description": "The name of the account associated with the event."
+ },
+ {
+ "name": "Data",
+ "type": "string",
+ "description": "Activity metadata."
+ },
+ {
+ "name": "AgentId",
+ "type": "string",
+ "description": "The unique identifier for the agent."
+ },
+ {
+ "name": "Hash",
+ "type": "string",
+ "description": "The hash associated with the event."
+ },
+ {
+ "name": "UpdatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the record was last updated."
+ },
+ {
+ "name": "Description",
+ "type": "string",
+ "description": "The description of the event."
+ },
+ {
+ "name": "ActivityUuid",
+ "type": "string",
+ "description": "The UUID of the activity associated with the event."
+ },
+ {
+ "name": "SiteId",
+ "type": "string",
+ "description": "The unique identifier for the site."
+ },
+ {
+ "name": "ActivityType",
+ "type": "real",
+ "description": "The type of activity represented by an integer."
+ },
+ {
+ "name": "SiteName",
+ "type": "string",
+ "description": "The name of the site associated with the event."
+ },
+ {
+ "name": "AccountId",
+ "type": "string",
+ "description": "The unique identifier for the account."
+ },
+ {
+ "name": "OsFamily",
+ "type": "string",
+ "description": "The operating system family, such as macOS."
+ },
+ {
+ "name": "GroupName",
+ "type": "string",
+ "description": "The name of the group associated with the event."
+ },
+ {
+ "name": "Comments",
+ "type": "string",
+ "description": "Any comments associated with the event."
+ }
+ ]
+ }
+ }
+ }
\ No newline at end of file
diff --git a/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Agents.json b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Agents.json
new file mode 100644
index 00000000000..7a87a830e73
--- /dev/null
+++ b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Agents.json
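Review bot: `ActivityType` is declared `"type": "real"` while its own description says it is an integer, and `Data` is `"type": "string"` although it holds the activity's structured metadata; the same column-type/semantics mismatch recurs in `table - Agents.json` (`TotalMemory`, `CoreCount`, `CpuCount`, `ActiveThreats` as `real`; `NetworkInterfaces`, `Locations`, `ActiveDirectory`, `MissingPermissions`, `UserActionsNeeded` as `string`), in `table - Alerts.json` (every `*Info` column is `string`) and in `table - Groups.json` (`IsDefault` and `Inherits` are `string` but described as flags, `TotalAgents` is a count typed `string`). `table - Threats.json` in this same patch already uses `dynamic` for `ThreatInfo`, `AgentDetectionInfo` and `AgentRealtimeInfo`, so the five tables disagree with each other on how nested API objects are stored. Suggest `"type": "int"` (or `long`) for counts and enumerations, `"type": "boolean"` for flags and `"type": "dynamic"` for nested objects, e.g. `{ "name": "ActivityType", "type": "int", "description": "The type of activity represented by an integer." }`, so the parser and the analytic rules do not have to cast or `parse_json()` on every query.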
@@ -0,0 +1,360 @@
+
+{
+ "name": "SentinelOneAgents_CL",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2021-03-01-privatepreview",
+ "tags": {},
+ "properties": {
+ "schema": {
+ "name": "SentinelOneAgents_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "Uuid",
+ "type": "string",
+ "description": "The unique identifier for the object."
+ },
+ {
+ "name": "MitigationMode",
+ "type": "string",
+ "description": "The mitigation mode applied."
+ },
+ {
+ "name": "NetworkStatus",
+ "type": "string",
+ "description": "The network status of the object."
+ },
+ {
+ "name": "InstallerType",
+ "type": "string",
+ "description": "The type of installer used."
+ },
+ {
+ "name": "MitigationModeSuspicious",
+ "type": "string",
+ "description": "The suspicious mitigation mode applied."
+ },
+ {
+ "name": "IsPendingUninstall",
+ "type": "boolean",
+ "description": "Indicates whether the object is pending uninstallation."
+ },
+ {
+ "name": "InRemoteShellSession",
+ "type": "boolean",
+ "description": "Indicates whether the object is in a remote shell session."
+ },
+ {
+ "name": "LastLoggedInUserName",
+ "type": "string",
+ "description": "The username of the last logged-in user."
+ },
+ {
+ "name": "OsRevision",
+ "type": "string",
+ "description": "The OS revision."
+ },
+ {
+ "name": "OsArch",
+ "type": "string",
+ "description": "The OS architecture."
+ },
+ {
+ "name": "Id",
+ "type": "string",
+ "description": "The unique identifier for the object."
+ },
+ {
+ "name": "ComputerName",
+ "type": "string",
+ "description": "The name of the computer."
+ },
+ {
+ "name": "TotalMemory",
+ "type": "real",
+ "description": "The total memory available in MB."
+ },
+ {
+ "name": "CreatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the object was created."
+ },
+ {
+ "name": "GroupId",
+ "type": "string",
+ "description": "The unique identifier for the group."
+ },
+ {
+ "name": "LastActiveDate",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the object was last active."
+ },
+ {
+ "name": "FullDiskScanLastUpdatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the full disk scan was last updated."
+ },
+ {
+ "name": "AllowRemoteShell",
+ "type": "boolean",
+ "description": "Indicates whether remote shell is allowed."
+ },
+ {
+ "name": "RangerVersion",
+ "type": "string",
+ "description": "The version of the ranger."
+ },
+ {
+ "name": "AccountName",
+ "type": "string",
+ "description": "The account name."
+ },
+ {
+ "name": "ScanStatus",
+ "type": "string",
+ "description": "The scan status of the object."
+ },
+ {
+ "name": "Domain",
+ "type": "string",
+ "description": "The domain of the object."
+ },
+ {
+ "name": "MissingPermissions",
+ "type": "string",
+ "description": "Details of the missing permissions."
+ },
+ {
+ "name": "IsActive",
+ "type": "boolean",
+ "description": "Indicates whether the object is active."
+ },
+ {
+ "name": "GroupIp",
+ "type": "string",
+ "description": "The IP address of the group."
+ },
+ {
+ "name": "ThreatRebootRequired",
+ "type": "boolean",
+ "description": "Indicates whether a reboot is required due to a threat."
+ },
+ {
+ "name": "GroupUpdatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the group was last updated."
+ },
+ {
+ "name": "ExternalId",
+ "type": "string",
+ "description": "The external identifier associated with the object."
+ },
+ {
+ "name": "MachineType",
+ "type": "string",
+ "description": "The type of machine."
+ },
+ {
+ "name": "RegisteredAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the object was registered."
+ },
+ {
+ "name": "AppsVulnerabilityStatus",
+ "type": "string",
+ "description": "The vulnerability status of the applications."
+ },
+ {
+ "name": "CoreCount",
+ "type": "real",
+ "description": "The number of CPU cores."
+ },
+ {
+ "name": "Locations",
+ "type": "string",
+ "description": "The locations associated with the object."
+ },
+ {
+ "name": "ScanFinishedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the scan was finished."
+ },
+ {
+ "name": "UpdatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the object was last updated."
+ },
+ {
+ "name": "ExternalIp",
+ "type": "string",
+ "description": "The external IP address of the object."
+ },
+ {
+ "name": "LocationType",
+ "type": "string",
+ "description": "The type of location."
+ },
+ {
+ "name": "PolicyUpdatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the policy was last updated."
+ },
+ {
+ "name": "IsDecommissioned",
+ "type": "boolean",
+ "description": "Indicates whether the object is decommissioned."
+ },
+ {
+ "name": "CpuId",
+ "type": "string",
+ "description": "The identifier of the CPU."
+ },
+ {
+ "name": "NetworkInterfaces",
+ "type": "string",
+ "description": "Details of the network interfaces."
+ },
+ {
+ "name": "IsUninstalled",
+ "type": "boolean",
+ "description": "Indicates whether the object is uninstalled."
+ },
+ {
+ "name": "ActiveDirectory",
+ "type": "string",
+ "description": "Details about the active directory."
+ },
+ {
+ "name": "ScanStartedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the scan was started."
+ },
+ {
+ "name": "RangerStatus",
+ "type": "string",
+ "description": "The status of the ranger."
+ },
+ {
+ "name": "SiteId",
+ "type": "string",
+ "description": "The unique identifier for the site."
+ },
+ {
+ "name": "AgentVersion",
+ "type": "string",
+ "description": "The version of the agent."
+ },
+ {
+ "name": "OsUsername",
+ "type": "string",
+ "description": "The username associated with the operating system."
+ },
+ {
+ "name": "EncryptedApplications",
+ "type": "boolean",
+ "description": "Indicates whether the applications are encrypted."
+ },
+ {
+ "name": "LastIpToMgmt",
+ "type": "string",
+ "description": "The last IP address used for management."
+ },
+ {
+ "name": "CpuCount",
+ "type": "real",
+ "description": "The number of CPUs."
+ },
+ {
+ "name": "ScanAbortedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the scan was aborted."
+ },
+ {
+ "name": "SiteName",
+ "type": "string",
+ "description": "The name of the site."
+ },
+ {
+ "name": "ActiveThreats",
+ "type": "real",
+ "description": "The number of active threats."
+ },
+ {
+ "name": "Infected",
+ "type": "boolean",
+ "description": "Indicates whether the object is infected."
+ },
+ {
+ "name": "ConsoleMigrationStatus",
+ "type": "string",
+ "description": "The status of the console migration."
+ },
+ {
+ "name": "OsType",
+ "type": "string",
+ "description": "The type of operating system."
+ },
+ {
+ "name": "AccountId",
+ "type": "string",
+ "description": "The unique identifier for the account."
+ },
+ {
+ "name": "GroupName",
+ "type": "string",
+ "description": "The name of the group."
+ },
+ {
+ "name": "OsName",
+ "type": "string",
+ "description": "The name of the operating system."
+ },
+ {
+ "name": "IsUpToDate",
+ "type": "boolean",
+ "description": "Indicates whether the object is up to date."
+ },
+ {
+ "name": "LicenseKey",
+ "type": "string",
+ "description": "The license key associated with the object."
+ },
+ {
+ "name": "UserActionsNeeded",
+ "type": "string",
+ "description": "Details of the user actions needed."
+ },
+ {
+ "name": "ModelName",
+ "type": "string",
+ "description": "The model name of the object."
+ },
+ {
+ "name": "OsStartTime",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the operating system started."
+ },
+ {
+ "name": "NetworkQuarantineEnabled",
+ "type": "boolean",
+ "description": "Is Network Quarantine Enabled on the device."
+ },
+ {
+ "name": "OperationalStateExpiration",
+ "type": "string",
+ "description": "Agent operational state."
+ },
+ {
+ "name": "RemoteProfilingState",
+ "type": "string",
+ "description": "Agent remote profiling state."
+ }
+ ]
+ }
+ }
+ }
\ No newline at end of file
diff --git a/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Alerts.json b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Alerts.json
new file mode 100644
index 00000000000..446a8e45813
--- /dev/null
+++ b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Alerts.json
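Review bot: `LicenseKey` ("The license key associated with the object.") is persisted into a workspace table that every Log Analytics reader can query; from the schema alone I cannot tell whether this field carries an actual key or only a label, but if it is a credential-like value it should be excluded from the DCR transform rather than stored, since nothing in this patch uses it for detection. The `OperationalStateExpiration` description reads `"Agent operational state."`, which does not mention the expiration the column name refers to; something like `"Expiration of the agent's current operational state."` would match the name, if that is what the API returns.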
@@ -0,0 +1,60 @@
+
+{
+ "name": "SentinelOneAlerts_CL",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2021-03-01-privatepreview",
+ "tags": {},
+ "properties": {
+ "schema": {
+ "name": "SentinelOneAlerts_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "SourceProcessInfo",
+ "type": "string",
+ "description": "Information about the source process."
+ },
+ {
+ "name": "AlertInfo",
+ "type": "string",
+ "description": "Details about the alert."
+ },
+ {
+ "name": "AgentDetectionInfo",
+ "type": "string",
+ "description": "Detection information related to the agent."
+ },
+ {
+ "name": "RuleInfo",
+ "type": "string",
+ "description": "Information regarding the applied rule."
+ },
+ {
+ "name": "ContainerInfo",
+ "type": "string",
+ "description": "Information about the container."
+ },
+ {
+ "name": "SourceParentProcessInfo",
+ "type": "string",
+ "description": "Information about the parent process of the source."
+ },
+ {
+ "name": "TargetProcessInfo",
+ "type": "string",
+ "description": "Details regarding the target process."
+ },
+ {
+ "name": "KubernetesInfo",
+ "type": "string",
+ "description": "Kubernetes-related information."
+ }
+ ]
+ }
+ }
+ }
\ No newline at end of file
diff --git a/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Groups.json b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Groups.json
new file mode 100644
index 00000000000..cb3ce6dbc39
--- /dev/null
+++ b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Groups.json
@@ -0,0 +1,95 @@
+
+{
+ "name": "SentinelOneGroups_CL",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2021-03-01-privatepreview",
+ "tags": {},
+ "properties": {
+ "schema": {
+ "name": "SentinelOneGroups_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "Creator",
+ "type": "string",
+ "description": "The name of the creator."
+ },
+ {
+ "name": "RegistrationToken",
+ "type": "string",
+ "description": "The token used for registration."
+ },
+ {
+ "name": "IsDefault",
+ "type": "string",
+ "description": "Indicates whether this is the default setting."
+ },
+ {
+ "name": "UpdatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the object was last updated."
+ },
+ {
+ "name": "TotalAgents",
+ "type": "string",
+ "description": "The total number of agents."
+ },
+ {
+ "name": "Inherits",
+ "type": "string",
+ "description": "Indicates whether the object inherits properties."
+ },
+ {
+ "name": "Name",
+ "type": "string",
+ "description": "The name of the object."
+ },
+ {
+ "name": "Rank",
+ "type": "real",
+ "description": "The rank of the object."
+ },
+ {
+ "name": "FilterName",
+ "type": "string",
+ "description": "The name of the filter applied."
+ },
+ {
+ "name": "GroupType",
+ "type": "string",
+ "description": "The type of the object."
+ },
+ {
+ "name": "Id",
+ "type": "string",
+ "description": "The unique identifier for the object."
+ },
+ {
+ "name": "CreatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the object was created."
+ },
+ {
+ "name": "CreatorId",
+ "type": "string",
+ "description": "The unique identifier of the creator."
+ },
+ {
+ "name": "SiteId",
+ "type": "string",
+ "description": "The unique identifier of the site."
+ },
+ {
+ "name": "FilterId",
+ "type": "string",
+ "description": "The unique identifier of the filter."
+ }
+ ]
+ }
+ }
+ }
\ No newline at end of file
diff --git a/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Threats.json b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Threats.json
new file mode 100644
index 00000000000..35dfb58bbe3
--- /dev/null
+++ b/Solutions/SentinelOne/Data Connectors/SentinelOne_ccp/table - Threats.json
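Review bot: `RegistrationToken` ("The token used for registration.") stores each group's agent enrollment token in a workspace table, where anyone with read access to the workspace can query it; an enrollment token is an onboarding secret, not telemetry, and nothing in this patch uses it for detection. Unless there is a concrete use case, drop the column from the schema and from the DCR transform so the poller never forwards it, or document why it must be retained. The table definition is complete within this hunk.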
@@ -0,0 +1,250 @@
+
+{
+ "name": "SentinelOneThreats_CL",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2021-03-01-privatepreview",
+ "tags": {},
+ "properties": {
+ "schema": {
+ "name": "SentinelOneThreats_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "FilePath",
+ "type": "string",
+ "description": "The path of the file."
+ },
+ {
+ "name": "CloudVerdict",
+ "type": "string",
+ "description": "The cloud verdict for the file."
+ },
+ {
+ "name": "MitigationMode",
+ "type": "string",
+ "description": "The mode of mitigation applied."
+ },
+ {
+ "name": "AgentOsType",
+ "type": "string",
+ "description": "The operating system type of the agent."
+ },
+ {
+ "name": "AgentInfected",
+ "type": "boolean",
+ "description": "Indicates whether the agent is infected."
+ },
+ {
+ "name": "InitiatingUserId",
+ "type": "string",
+ "description": "The unique identifier for the initiating user."
+ },
+ {
+ "name": "Engines",
+ "type": "string",
+ "description": "Details of the engines used."
+ },
+ {
+ "name": "Id",
+ "type": "string",
+ "description": "The unique identifier for the record."
+ },
+ {
+ "name": "FileExtensionType",
+ "type": "string",
+ "description": "The type of file extension."
+ },
+ {
+ "name": "MitigationStatus",
+ "type": "string",
+ "description": "The status of mitigation."
+ },
+ {
+ "name": "AgentDomain",
+ "type": "string",
+ "description": "The domain of the agent."
+ },
+ {
+ "name": "CreatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the record was created."
+ },
+ {
+ "name": "IsCertValid",
+ "type": "boolean",
+ "description": "Indicates whether the certificate is valid."
+ },
+ {
+ "name": "FileDisplayName",
+ "type": "string",
+ "description": "The display name of the file."
+ },
+ {
+ "name": "AgentIp",
+ "type": "string",
+ "description": "The IP address of the agent."
+ },
+ {
+ "name": "AccountName",
+ "type": "string",
+ "description": "The name of the account associated with the event."
+ },
+ {
+ "name": "AgentMachineType",
+ "type": "string",
+ "description": "The machine type of the agent."
+ },
+ {
+ "name": "FileVerificationType",
+ "type": "string",
+ "description": "The type of file verification."
+ },
+ {
+ "name": "Indicators",
+ "type": "string",
+ "description": "Details of the indicators."
+ },
+ {
+ "name": "InitiatedByDescription",
+ "type": "string",
+ "description": "Description of the initiated by field."
+ },
+ {
+ "name": "AutomaticallyResolved",
+ "type": "boolean",
+ "description": "Indicates whether the issue was automatically resolved."
+ },
+ {
+ "name": "AgentId",
+ "type": "string",
+ "description": "The unique identifier for the agent."
+ },
+ {
+ "name": "ProcessArguments",
+ "type": "string",
+ "description": "The unique identifier for the malicious group."
+ },
+ {
+ "name": "MitigationReport",
+ "type": "string",
+ "description": "Report of the actions taken by the Agent."
+ },
+ {
+ "name": "ThreatName",
+ "type": "string",
+ "description": "Details about the threat name."
+ },
+ {
+ "name": "ClassificationSource",
+ "type": "string",
+ "description": "The source of the classification."
+ },
+ {
+ "name": "UpdatedAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the record was last updated."
+ },
+ {
+ "name": "InitiatedBy",
+ "type": "string",
+ "description": "Indicates by whom or what the action was initiated."
+ },
+ {
+ "name": "AgentNetworkStatus",
+ "type": "string",
+ "description": "The network status of the agent."
+ },
+ {
+ "name": "AgentComputerName",
+ "type": "string",
+ "description": "The computer name of the agent."
+ },
+ {
+ "name": "Classification",
+ "type": "string",
+ "description": "The classification of the event."
+ },
+ {
+ "name": "CertId",
+ "type": "string",
+ "description": "The certificate ID."
+ },
+ {
+ "name": "AgentIsActive",
+ "type": "boolean",
+ "description": "Indicates whether the agent is active."
+ },
+ {
+ "name": "SiteId",
+ "type": "string",
+ "description": "The unique identifier for the site."
+ },
+ {
+ "name": "AgentVersion",
+ "type": "string",
+ "description": "The version of the agent."
+ },
+ {
+ "name": "FileContentHash",
+ "type": "string",
+ "description": "The hash of the file content."
+ },
+ {
+ "name": "WhiteningOptions",
+ "type": "string",
+ "description": "Details of the whitening options."
+ },
+ {
+ "name": "Username",
+ "type": "string",
+ "description": "The username associated with the event."
+ },
+ {
+ "name": "FileSha256",
+ "type": "string",
+ "description": "The SHA-256 hash of the file."
+ },
+ {
+ "name": "AgentIsDecommissioned",
+ "type": "boolean",
+ "description": "Indicates whether the agent is decommissioned."
+ },
+ {
+ "name": "CollectionId",
+ "type": "string",
+ "description": "The unique identifier for the collection."
+ },
+ {
+ "name": "SiteName",
+ "type": "string",
+ "description": "The name of the site."
+ },
+ {
+ "name": "AccountId",
+ "type": "string",
+ "description": "The unique identifier for the account."
+ },
+ {
+ "name": "ThreatInfo",
+ "type": "dynamic",
+ "description": "The information about the threat."
+ },
+ {
+ "name": "AgentDetectionInfo",
+ "type": "dynamic",
+ "description": "The information of the agent in detection."
+ },
+ {
+ "name": "AgentRealtimeInfo",
+ "type": "dynamic",
+ "description": "The information of the agent in realtime."
+ }
+ ]
+ }
+ }
+ }
\ No newline at end of file
diff --git a/Solutions/SentinelOne/Data/Solution_SentinelOne.json b/Solutions/SentinelOne/Data/Solution_SentinelOne.json
index b5c5e25df7d..83fb11143cc 100644
--- a/Solutions/SentinelOne/Data/Solution_SentinelOne.json
+++ b/Solutions/SentinelOne/Data/Solution_SentinelOne.json
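Review bot: The description of `ProcessArguments` reads `"The unique identifier for the malicious group."`, which does not describe the column and looks like a copy-paste from an identifier field; something like `"description": "The command-line arguments of the process associated with the threat."` would match the name, if that is what the API field holds. `Engines`, `Indicators`, `WhiteningOptions` and `MitigationReport` are typed `string` while `ThreatInfo`, `AgentDetectionInfo` and `AgentRealtimeInfo` in the same table are `dynamic`; if those four carry lists or objects from the API, `"type": "dynamic"` would let detections index into them without a `parse_json()` on every query. The table definition is complete within this hunk.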
@@ -1,45 +1,45 @@
 {
- "Name": "SentinelOne",
- "Author": "Microsoft - support@microsoft.com",
- "Logo": "",
- "Description": "The [SentinelOne](https://www.sentinelone.com/) solution provides ability to bring SentinelOne events to your Microsoft Sentinel Workspace to inform and to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. \r \n \r \n **Underlying Microsoft Technologies used:** \r \n \r \n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r \n \r \n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \r \n \r \n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)",
- "Data Connectors": [
- "Data Connectors/SentinelOne_API_FunctionApp.json"
- ],
- "Workbooks": [
- "Workbooks/SentinelOne.json"
- ],
- "Parsers": [
- "Parsers/SentinelOne.yaml"
+ "Name": "SentinelOne",
+ "Author": "Microsoft - support@microsoft.com",
+ "Logo": "",
+ "Description": "The [SentinelOne](https://www.sentinelone.com/) solution provides ability to bring SentinelOne events to your Microsoft Sentinel Workspace to inform and to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. \r \n \r \n **Underlying Microsoft Technologies used:** \r \n \r \n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r \n \r \n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \r \n \r \n b. 
[Azure Functions](https://azure.microsoft.com/services/functions/#overview)",
+ "Data Connectors": [
+ "Data Connectors/SentinelOne_ccp/connectorDefinition.json"
 ],
- "Analytic Rules": [
- "Analytic Rules/SentinelOneAdminLoginNewIP.yaml",
- "Analytic Rules/SentinelOneAgentUninstalled.yaml",
- "Analytic Rules/SentinelOneAlertFromCustomRule.yaml",
- "Analytic Rules/SentinelOneBlacklistHashDeleted.yaml",
- "Analytic Rules/SentinelOneExclusionAdded.yaml",
- "Analytic Rules/SentinelOneMultipleAlertsOnHost.yaml",
- "Analytic Rules/SentinelOneNewAdmin.yaml",
- "Analytic Rules/SentinelOneRuleDeleted.yaml",
- "Analytic Rules/SentinelOneRuleDisabled.yaml",
- "Analytic Rules/SentinelOneSameCustomRuleHitOnDiffHosts.yaml",
- "Analytic Rules/SentinelOneViewAgentPassphrase.yaml"
- ],
- "Hunting Queries": [
- "Hunting Queries/SentinelOneAgentNotUpdated.yaml",
- "Hunting Queries/SentinelOneAgentStatus.yaml",
- "Hunting Queries/SentinelOneAlertTriggers.yaml",
- "Hunting Queries/SentinelOneHostNotScanned.yaml",
- "Hunting Queries/SentinelOneNewRules.yaml",
- "Hunting Queries/SentinelOneRulesDeleted.yaml",
- "Hunting Queries/SentinelOneScannedHosts.yaml",
- "Hunting Queries/SentinelOneSourcesByAlertCount.yaml",
- "Hunting Queries/SentinelOneUninstalledAgents.yaml",
- "Hunting Queries/SentinelOneUsersByAlertCount.yaml"
- ],
- "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\SentinelOne",
- "Version": "3.0.1",
- "Metadata": "SolutionMetadata.json",
- "TemplateSpec": true,
- "Is1PConnector": false
+ "Workbooks": [
+ "Workbooks/SentinelOne.json"
+ ],
+ "Parsers": [
+ "Parsers/SentinelOne.yaml"
+],
+ "Analytic Rules": [
+ "Analytic Rules/SentinelOneAdminLoginNewIP.yaml",
+ "Analytic Rules/SentinelOneAgentUninstalled.yaml",
+ "Analytic Rules/SentinelOneAlertFromCustomRule.yaml",
+ "Analytic Rules/SentinelOneBlacklistHashDeleted.yaml",
+ "Analytic Rules/SentinelOneExclusionAdded.yaml",
+ "Analytic Rules/SentinelOneMultipleAlertsOnHost.yaml",
+ "Analytic Rules/SentinelOneNewAdmin.yaml",
+ 
"Analytic Rules/SentinelOneRuleDeleted.yaml",
+ "Analytic Rules/SentinelOneRuleDisabled.yaml",
+ "Analytic Rules/SentinelOneSameCustomRuleHitOnDiffHosts.yaml",
+ "Analytic Rules/SentinelOneViewAgentPassphrase.yaml"
+ ],
+ "Hunting Queries": [
+ "Hunting Queries/SentinelOneAgentNotUpdated.yaml",
+ "Hunting Queries/SentinelOneAgentStatus.yaml",
+ "Hunting Queries/SentinelOneAlertTriggers.yaml",
+ "Hunting Queries/SentinelOneHostNotScanned.yaml",
+ "Hunting Queries/SentinelOneNewRules.yaml",
+ "Hunting Queries/SentinelOneRulesDeleted.yaml",
+ "Hunting Queries/SentinelOneScannedHosts.yaml",
+ "Hunting Queries/SentinelOneSourcesByAlertCount.yaml",
+ "Hunting Queries/SentinelOneUninstalledAgents.yaml",
+ "Hunting Queries/SentinelOneUsersByAlertCount.yaml"
+ ],
+ "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\SentinelOne",
+ "Version": "3.0.1",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
 }
\ No newline at end of file
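Review bot: The `Version` field on the new side is still `"3.0.1"` while Package/mainTemplate.json in this same patch sets `_solutionVersion` to `3.0.3` and the package is shipped as `3.0.3.zip`, so the file the packaging tool treats as the source of truth disagrees with the artefact it produced; change it to `"Version": "3.0.3"`. The `Description` is also carried over unchanged and still tells customers the solution depends on the Azure Monitor HTTP Data Collector API and Azure Functions, but the only data connector listed now is `Data Connectors/SentinelOne_ccp/connectorDefinition.json`, so the stated dependencies and their preview/cost caveats no longer describe what gets deployed — presumably it should now say the connector is built on the Codeless Connector Platform and ingests through Data Collection Rules, with the Function App/Data Collector API wording dropped. The added `],` closing the Parsers array sits at column 0 unlike every sibling bracket; re-indent it for consistency.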
diff --git a/Solutions/SentinelOne/Package/3.0.3.zip b/Solutions/SentinelOne/Package/3.0.3.zip new file mode 100644 index 0000000000000000000000000000000000000000..0e90aaa68ad527b156b13a1e9f5ef62d9a0afa88 GIT binary patch literal 30963 zcmZs?V~{36*Dcz%ZQHhO+j!bNZM%Egwx(^{wr$%zZTrmoo%f!5Z^X%ptf>02vvTdI zs#v+#N+nrPFf<^je@C9Smp0IU+nzKK5GD{2kg1cIv5T3ym6(~im7SG~mAxHH!M`4ECSk|2b{z{n&4EVElXqd=Nt21gr(pQ?7To^}C9$ zJg$ITrP^$vhmlcPMzpj^709SKZW{!A=w2&!_8#q!l4mrSm1@&(jwyj*yovQN=Dvg! zwaxl}!4g;ZQVRl@f8i%-l(|;Ke)w)44725%Vl;|*KdMq>oJMiosD6Ro%<*0nCvH1% zoC_vJTR%S^Q{&zR+c2QqxMEm+d;k5)7rU3Qv^jyXLJ^ZY(5r1{3_&5i%1*D(Ms_;D zr9g)Z9!eR%zfP9HVTBhHy2JjHH;*|U9%lhRH?++A9WeofBgv*xrTYw5e$e9-kY5Nq6zPAz=KQmKkH> zxtsBw&y}^uHUS#Z1qzkVFWE16H2%)9Z1R+lF=-Ou|D&0|e)lcF9fhSHEyZDyXesP6 zHYO#OkbVo03$-O9Bjr=hlt6AV>P1lw1;IzfyY&BgWArp-(>^D|v`@#!EmhIH5;35? zbOLS$RK?%(5z0M9UGJi-%tCS;dO6MsGe9*kLt#7ME>bfoFw~$jOG9bWIG2{L28b?-A?$?1gtZBmv4K5<`&TbNTU06=ZuZSx{#U2ubU1 z$tGC!S{c-)b8(Uk6BVkT1=8H_?%9XIfE1jQ9>-4gr> z0mX2kvY*ubD=@LmtbkRALNQw~U>>7RAIwq!kW!s30x5!&Kx4uHa6$yLBet^~+2n$n z)OOrjy2KY>+hZL&i*TF-e*l{h;#3te2Qsj8o()JM8W?9*1Vmtjn-QGRA8JyfIcOlV zXKSbVIv0#h4PXk?6ZKkH8-bcCki1VANJASgz@jIVYe&+ zOSvadtkP4=!$->rUUX-;$@8BC@*c+$Ubf*Q_?L`}IGFcu&I1VC^&-tMo0hWMBBvQBoFff)LXll)pNW#Gk z&Nnb39*|B_OhdD^tr2X!?J!IXhXFo_vI6`2n?yX7;Z~73k^g55-2}_4d1@;#GWRXc zWKUaKMP#sA9)-$7$u9nGSvrH725V_CS$(n+Wo0KKT2Tc-p`tjv!X6qKo=aw)rQU0Z zl&)&bfoBn`s5;(yOoRwER6y&jJ4!@&_O{Hxp$(oVN3^@1vuC(Tm)qIU4nlcf}? 
zCA2u&TIR>r8l=iiV)>~OQeQN1Dgc#0oJ^!Mip+^^pz<_<<8*^^MKXOUc7m;ReaXznC) z*gOl3Rf|`0e&O!861XYd!$Jjbp2-2+$I%Gv@LD+?~@XTGk_Q z5#rOhBnTn&#aa|}8KNm>-FPBG)4%T!3vw%7MyCNjL4>nTLT;#3B-2{*GS(|5;ggv@ zb%^nC!haiSR_u2!LBNd-%#v2U(P5S_BS$`k0;5zHmBqb7WH4)e<~RbH`C3BKqCQjw zF*-4Aqu%UzDWIWxkfvP)S!GDb{);)QsAh2ZM&wr-YlJm3O`}1t(sa7Ak@T@$C|z|| zR8UYcVjh4xRcEFBA^1+JLLVpqh$ zHpjb<_UG;;&)4HjJ_~d5o?DS}BuaGjnHHh0saeJSh8x7VTG?0^Kbf&t&69JEz zrssQYgaqO?RtQfu%o1nYeC#Z8_JJ~c)i(uUs0#= zb%x-hixQK5oCNF@MY_;qtwj2f%NBY(iYc;QrMR!=03C(CQ5A-9`pom60WT z!0t8f51oG3cQ*gxF8FRtC(iy9wWjP`OY5dWvGdRuGrjc=izI zm%JY;K#>h0_h!i{7eSq>F1}p{-)lb;S{p@Xau7d&2*Z?JwVk?q6H0%`?HI*m16nt* z%oN#c{2^dB)6)y$@$1+U)AaIXVYJhDy$Ee7d91Et8hodYK9|ix_VX;SzUvLZIVJV$ zt+CtZO?2`35XN0(#lDZwZ8o6247X)(U)Y&~Zxn8Sq zf}d{<9=FnyKCfBR%48AB(qZ$Q-W+qQ2uyhTz(+A5nIt z{zm)AtVkmyHK)PbI+adg%}R=byccxvn(0(T&oG!$O6xk0ai>v(c5Y`?(7H+f6Pl)>1e z5ZSY-x2H&Aeenr|J1mi7{$>{=%_I)yL$rk)YRw#JgsSOoCI*gX22tlgP$ z#fG0_HT2ZLYO)X^vEd1(vrd8Cy1hftPg-N5JMaoc>)f(*nxY%1STaubiAwrG^PIiK zLF_Bn?q@NX97*TacO2t!)$VzTi+=SjW}trV80MNfr`nrjcMJ02T=7KU7}n|B(Ex{}0JenF9kt{zvkE8C%(@nf-FG{YUlx zUwWVLkJ|sI|6l0+RriP6VM_z$=T8;;O~9Q%qwT3y1KDIN!2N{lO5uRf_s*`%&bo!Y-t}7ULz9F5+-0tt*Pudeul-@j z<*sOt4WD6~MsVj3jPH%Tu6I*V{f#);RW274{_bzD_ichtLdD#}v4(0Wom)sBqTDJo zwg=F$_YrJJzcWRWCEw10?{C&e#+z8S`>jF_`?PO4esw>QHo?_*he=FA zd17s@NhHK!Xkd}hrn?uMvF-~*&-wS9q`1_We=jui7FnM1ZoSRJ{H<4v{IbBz&t-P% zVj4(=S5syiJQKY6+;eWL8)+lWe9JwvJBhX!gHDJ6Jxx{PhW_N9{(grW25%AT{4w$W zBp;!YZP5Fvz}If?^dlCLqS;#aiz`)Q@EIz?2oX^mS_>`{6@&k+7O(~6Ur>M47&Usk z`fNbL&bvwC>+Sxc%6vne>deI|t4p2gkMTqt$Cj)Ru=*jTUN^vnQ;yTUoC(RhRz1g61}_&8-O~&* ziqo#8u?vWB(p&lEX)_|9b(5ApF~jlImK{C65~GBow_^6(m{AmR9YE&{>4=c9KM=~+ zQ52emq-(@`U?B;J>3!|U#3F7#myX=})_UqXRSm&}JILkTl!olq-3zE-o$S69vEYds z_|nP<-t?Bz@MX5rE^9SPHhj;KOfDwu^6@OM`uYk^aZxa*)?2$vbLMm8gTz_neDaPA zViGdSlM@@#F)}i>?=+3$-Sn27eRGXims?BdXcI}2&K*-p){Q?xR3|7dTKGHSVr`bR zl4x#!q_cAxKZ$O&jCErh7v5C&Q+5EAlqoAN$N|mDePF$uqnx6k7i1wH;Z{Y~SvV|7ypnPq$PYZo~`KoH6FERuQ13M*={z~l@&ut315 
z*)kn%pwtER{09m0M&gG=WJj?&hLf&*z#|DmhNLrF=aIYF$8p)}pe@otuqhneFQhua zcHHTaCBt{byiS8JoR1MiJ?GfmjlpVCg@(eewu0+D15aYO|J;t6BVoAu;6)bm62een zw(?72hD(9{U=P5=%|(FkA~C31$;yW>H)aSaiErbvB}kAPjW`OaRX~P1k(MZTn%mA5 zo|lECi4=Rq@>CikYB%sZJUj(G!AY+uM1qsb#)^?vOWS*RlhG2kP$ia9W1j<^Ys4rY z3Ncd5L&+f6Y9-$+7w<5Cx!!wlaK^!h?IMc+AA#pk6&Ep<@^IdPiz)Kf$QPMG)!!4D zfG-{@?XVyS3X#AdSoW?d2#OFb;x-UzUpOCXu__Euvi{n%n;{2LICJYDf)n{G-SySQ z$p?U+brOEt|4yP;@_kR@b1Oum7aIlh@8Xt3FOpI^7?NDvLyK%+aO!)MYJjaW1`$Ca zF77?MfA6t~6%QZJU4i0D`LrlZ^4Vbl7hfSZnuJf!FnDsw&>%Prk!;|&t&C`3Fbs2F zg-@Dfip!^mjhOJB6)5p9J=lny;p2E#&V_rOd9c<-OT$LPG;Zdo2EuTe z$YlOA5F+73Jk_u`II@6`2QtI(;=kFckqt;5!$W7fN=;?=GYeecJxLzUAR&fkqjoAr zKY#BXwF&ZMXAxxKh`(BblIRuu2il|3KSck5_6Q}`2B%1ig);hYGI|EEi&d|$eFRwq zYeQ;+B=GzrhcjnjFFd7TzeQOV5h%a<*Qf?YFQXhX-Y27O??59QxEW}|Z|?@99H?_N z<_0ML4WjZ7k;WD!>&5L+x)vX4Co5l2Xig#pVVt6(_wW7j+ch4J$lGxUu{N=>LfG{Y4UF0eZ#(wo7Pj;&=Yd>#VFCIG#aJllHh+3drpKc?T0h z#J@ZJ3EHr^HH-sh7mSPprTRyErGtBdp1PRfC<(_C zUgXu_;i`kZA!jY6m{cf{&Zaux@qdk?K)!SgnsaZTk%DfMTgVY|5GsyPLLU0{F19Lq z0Y;u2PnQT{c?QRC0c@Fggu0|}b=nk2%DfRL+!?36#7Y*a_3kk7?MlI|Ik$fg;}NJs zP`IrV#fTJLXjv?r83#&&cpiB@0|bwbN^1Nk3LyO7C`s{cZ?zt8s}MdZ{7b5FKHw$iUor^f7XQKG;jW7vU2EZ$Ok&oy zjf;K9ue4atcKk^{YaIOjZS~Uzc;N^FSp6sQX07Pm1>f=kIViZW5RZ8H&t4uvI-zl6 z7-w@lf3*hp>zutzo~rLGnYgc0(D%%RFyt}Q_Jucx?>LmVvuf(t;kQ#-OAfqjR=@?4 zFwa%q_MBJU_hJl-BX5LI{QQjhEEvO5o)rzjzN<}>I-Wh&+ zuIWI0F86q;X?ts0YKF%2RnG5`+7|vyP^4ugZ~88XuT~p2(O;9TN*)Js7#PhW?0SxC z&E53w?MfMn$dCW3$yUEcJlZUuYU{<}FS&6*yt2ZK|s`7tSrsZ)kt*y1y z4Tr!4oRR(7;Yj_jKN0jx#?3Q>8^Y_K{T!qgDQDDjGli=NVPhbKQor^g`Dz-1+cAHI`EB*4+5eD8&kk z4<*K4Tr@ik-#IAm2@AAR=g5_jQ3cc8=fQoENS0axn~Z`A@1oh4?`@C74!C2GvU`1Y zv9*a?<{7i7J&5}=OwqtoF+n_O?2Q+G7yTZvyHI!%P`CNpo87JmwuShd-|@waK7{bO zEzQH8sf}Ea)~uBT$~W>T9uYt5v%=Z*B891pLj__ikv}VgT1icGA7#sezJ`nS7aUFm z^|i4?O#LRIY7&XSU8}>T4i7QLL97IgP z^xG@5UYwRXW32Y_mSj*Ff>BR*hhr`8S$_yAw?ZX@`j)h`QFzvY*W*vGqUcYu zrdjA`Z%V4432UXGc|?>GiMZzFS)gI-$I?wu_qDK~tnL>);y<=RSy5l;#z z$g#}6K3c_g)%}-%=a=wNnHX)fk>Xd5&8&#cQQ>IR_qZWX2gUOl;@WR`%=(8Oa+Cd= 
zN61F~<_f_Gecs%p>VumqIIqBy6?@+DgHGlrHFSluw_77U7sbXKJ2@Q}d`w+Z8@J57 zhb>;Zdh3Vp%o!U_pk=gD^6jGaMY3eh+6NJh-Yli@kriU-t22RS*!sZDO z5~L==Y9{cy6Z)9e&v9=1^NverlWm5ao=Z-!*h~1cF}W1+8MU z{x_g!a;j!_z&DSQ3CA96R&qm#6N&qO3x2K`=hyDX5Xc^(&)Ys37s)eF$on1oJYVWt z1s`sB5_aoT69g%36d{G~$9|%_XOih9i`cid+1!6LC{7ug{`>&w{6=2%2StXzvCZbX z9tV3zS@*seyb$M5dgKvr|GXL@`FhO4h5DrdLR-D?-<9fVPmQruv9Yfd7ewJddnsLf{}D6Ku)ZkD-(VRNL45$s#EsB&ZY2c^LqM@ zEOOzd6m3^X2xpL9E;rG1aA2h{Rosw=cJB$9wU9$5Co~u^2PTbM!nr5ut5DlF#_Y~| z^OK_WdDnxI1sc^qnr>Fc1KpmQ^im>ml1o4$GUp(nD2+;lqnNfoU)Cyp$xxd=~Y zq)HDP0~(^4nXar+ndEb<8a*hc1|(+us+Guw8F z>YbmVdWzT;Y#?uEYGobT(Ap^AHU>S$LQ~+1d{BTyHR@jYs%?WWTns53?KO`_y5_a3 zbx9}NUb&ZJx8PO%3*E;@N|55)4e?sj@;*_=B7p5sHLlQD?!!3&);R0IjsJ#UAp|~t zo}2b*uXkKgRaQI4y(1`~Bt0t94yk7X2fS1@UHXiWpSM6|KQB$M$e%rZLEHeN02TfV5#xjm@y+S zhjj$S%S~uuOpdl_QP=4xDoz3dYj8mG>TnjJpZzrcOOM2kk6X*0ys`(Oghwnz(+EEr z!)TpQK|8yjyZWVDzA&~KaV0M1LcL&^>66dy6nnJ%4M7BrhKWM1(r~TP@2&bjC^30% zlU|sn51%jRor10r(_0Z))FE=auWs3@WaUuP((+?Ebb6%%lXHW}dGnf6mz^USvlqfs z-FjyMUZZeZ;`FP-!d8bS;<(*u8%XXy1gWuxLS`BzNdQzeX!f{Tjjn*ehj0e){B2OTUp%fQU#&y+ zUtq$D5e2RHw(jD^>C7z=VDkB?0Pq!2o@>ax&!wuih8~0-TjxA!XeuGL>2vVyvX?gw z_RH_l6ECkT7y1wp+#OmH&5ER+ zFcCC1yjsDn)H_HiXvv##)nGVtFN`NmC_{|1?GBLO-EY?!IkpbjyM5y$jr@OthJO=q z?Kyjp-vH;CSs|UvNC?+%u$=(TJ5Ci|->hvtYo%QYY4R^{(~K+;8l=6IpfLL~2UgEJ zEfa@VvdU8%Cd2C`bX5oo1CQk$=h`?CDxa+g8zT$V%bGdTGoXC0bUk?*Gq*-J1-kfj zPW#cT^RUg&z^&|Q3{z^t>YeeB|Bw@q7}Waw>FSZ^)deQB9@M#s9FrzobWly)kxgZ#dm{!{3%+#9FpvO3Z%zygIh?>2f@?_ zY3o!eJ*THhh_T;RmYR-S!I{NF`1%yj_Bpt`$h`jch8H%2fHo-=Y=#qt|gO z0peX#;+AxxQ6pdfi)vuH>(NG+dDJh!FvwL4H*=r&OBgX3`LbBih;? 
zZ;Mgrk5uQG`6{I6kHW5E%%<8Y_U-V&hCgfeYPo3nH1!o}-+BCu6!o5t?}+wq2k~DT zuyh<2q`d>yt#|xlT|3%U__JpqGTj_l{+Zpt&_^wph!iThqo={?Zip6qQSX<(xz2fW z?6au7J&TMNqcr1A3clZ0o z&Lkd!N5IK-bDVA_R*|cmvuGofX|0p&3$csnr`>4S*!op%6p6d1Wtr79*RXN9Qj(iS ziidQFygI(8=tz#AZ%>B5bn7)`YQxb$u-NJO9=3egh1)ebZe6+Bn1bCKqRhV%G85qE zq(GvnU%EImq|)IKW&MGUyYs$O?Tt`s{wN8kFn`N+q8geA5GQAbY@w`LoURQ zqE~9Iu@AK(okM5!zH_H}^a!Mbt4&{hV0mfSe$?{zZArw316!lbK|j^SW}Hf`6RD2c zjr_{Utw74SS{qt8U}9tMt=Z{4XN^72gfLPWQX)<3Y%cV@%E_AjLs&EoJn{YF;0$5s z=3a_+m;R!QuUyO9u{cus^R4z@t7{rhpMaqD9Y zyB4iiAT~G!%m6I*I6yO#?oD{o1azz$e=Fq6wJ_Q0V#bd%p`8_k#~ zjQVC12T|V>a6qTELeOzCUpz*MY-x?CZ+^g%aAaFo!tYWX@k^}XLWJOoSSLbs?5A&s zp0xKB*4+E7cu!)V&QlGFOUCbt7^*#+HJ<;GbZF2+c+do?1-uEu_T5CV z0hQFQGuR*!RM+k`1C1n*gY-?hBS2@qkL`5>K6!l_jLC$W8pAMM?n&l7`=N%mrr#HpgVE*Hdvlu%TFRH z1$I6WX7(G(&yZ!S6e4DnJ=(tK*zMglnHwz@YToL&EP%%zv z{?H#aA%bwtBZ04_Ka|+>gJe7Pu@kGaIJKsY6T``#F7e&deQXvpUR=QUgHYr35ff|c z(ae))>|8O}z0DNCXYgkPhqk>q+p_uyH$L^6N3~DmneC%Z9et7xDwtYMjc(SyOBEp zLIx8HR|?Ee$n(avL0m7o@BXTdWJ5Mi2i4thC#0F-Je;B3xq!88W_pQ4!XrDnHEhlu zOp2eKZg&aJHB58F_3js((*;a*K7~mvkEtdvsY3?GZl8;hY%*q8TBy6}UXk5RV#AvV zbB7V$dd;J2J5CPfa3TG2f_x^|WqTvk+k+*nJ%4BV6cE~w8W~@*iMY<^z=K2o1?il& zq5Agh&)7dD9Vz7SYN}%(wO#<>*|Oc|IYsJHip0{aG*#>jbCjn57W#HZe%Fjtx&5@i zXfi&JpvE%N*Ahg!7o6q-OtaYOWN;0e5x$-i>l~{Qh2e7I_k`;quF;)>V^6pCdF>e! 
z7MG9STp6VteHJDqqhY5;X`_O#I>Twr;SAQ}3ZlKH9@GjjNwFPs{h+%K59Mtl56bG$ z`KKf=0V0fqg8b;^khtrO;LpR4@fxm_qxzklJSiU{wYRKq2MhNZvI@rBo7Z;j&6N8T z%@atTq!&DyHbY|}oUV z&n$=NrW%n@pgF5Olv4D2cM*ASEp&vK?V<;$#@2~DLR5TIF-4DtWb{hlr%zkAm=y&z zXp_d+-Z?}fEA{Uc^h+IMilOB-g@VptMijJ31=9zj!#?uPw$Wzj zcqR@^)osH~sFs;|Xb9{Z|A-0Pi&9j(Y=)8D%uZPGk5>`w-2iu2X0UVdvBbkz9WV@X z^EHZUTb8lsLS+Gz1K`OVvnj!H2fJTiX0KMG==7wz(+}7%sDU7uOGS9 z8Qj5GsTtp!@mta^eLUkmpV7?ezQup%fx_EN>gLLTDU;U~Wjon|4_{Y*@#q-ddGH|E{>Ancn_*sR$z{5i~2E z(SQ?YJBfMF4xd+eJ3+xYDg`xksG?Z0aS~n_*j`#cvd5FPo8l@zCx(4S(?=%l=kGnm zUpF^5P0+AUIA(+8HDx(K;3-Om*X>6_60NL5ptC4$bdTknydzVlc>}|BdQO(05G~X6_ zy)O0QGkjr;;$SEn1G=9m6b;n6Gu2!U%+yg;H3f5A`@&?=yEo9>)`dozsjr=wqgS=m z$?Y3PmOTz8G-fB3kb-p=t<~^mDj3qq1(TOMc%MF7>k{>eI;)gpsNaa`Tqg}yp-tLH zr#ME_-uu$%agpzPObgZGKJn#A&2aGFD3Y#a5Y<$-Wfm>J#;r zRR}-lB>WKg7gRXG8LXB9>)!nc|cG*nvBg93C%dSAQ8$#7P#i#AL4mXNb|o z)*ZWkx;=`hUE7ySEwSW-G-Svf7t~7|KsA1vI+yBj8Ze9ZvmEL)8~JSzzFOTD)~#a8X$# zqV)vjKE6#|!Xq;ACCleg=F$sf(QS}xA1+^+8GU*{YgXJC7-?2l*QXGu%Y90BwmMAKM*2#9S&^^NRAXCqdjj|CWOpHA=5 zR8VAl?80EKV#ORIYDiB8x!Mc^+~S{0rqA6xC8Mi=L_}|&mz)W1puoJJ4S&l6UoNhX`QJW`oBZ;)*VMaci1P4h$TW-I6ovDu zJtn^^0Yx4E4saEx@RClZwEBx{fy0Ka8}i0AUoo$@q(2I?1;nNNBk}=v^PAnzu>xV= zy6o!-7Hd5l^{}K!b>*b>1eS|EWVsz;a2nf`aY%5#!;YY%3gi*{@`idfq-S8|AiCS- z2g9^;siTQP0cM@R#r!fyE2CGx}+WHpC!8ZpNF2^5EJr>eV1$yX4Pk!Un;6; z)#p$5$s|d~ZGb2_p;|QomDmde1L8}Ak^1VsGr}GA#lDpDEl4weBBZb8Ug*4Hw->Ha z8cy{POf52kf3M4A&tYfm8u-70L`%BOrwJWQYV(lv3qJ`yV1$Dwd!%4x!zCCU3EBfn zzCMo~Rv!6xQjqWyLC0lU$K~<4l8_BZI96NU)ia^--1*9X#5Ma>QizvZ6~4&&(y_S^ zMRT$v16*}KnCfT^vKljl3uNCm+f{Qv!63mRPHmYY#zESEr?V(!+0k4YY^XdW#z!f4 zH7ZfO3}UZ7e=#j{Z~rCrr9GAOE&!>f^KO^d&N6uk@iah$<8X%9AIRymE0bneZ_cOgXDHO`!S4Z3bkfD3xq2UljRb1d`!V}fBi6M#Pv!Q30_V8Z*!}n+m%M|;XYGS zf!&z%E5WrF*9Il&M*Y`ak0KeSgaamC1RYxAWDW=j<^;9&18|+=msL1LpkQgFW(9J# zzCj;372&XaTvBIvPf;R;JjZq+x$@SYXFPq7K~N=h-&#Fgp6qHQ5cyR>6x3X}(k8@0 z5OnMa>x$ZBV}fYQ#6Y&vi$`kw*|AKfj zM8Oy(jITzf&T*hWmQ>JTUn|85;PAJMt@2p-h6_l7wr z#Fqk1)u~NFDrJ=avL;%zm00*oaX2y5FnytSenQH*a1;ZNv`zgkKxOm!)M3m15i?3J 
z@T}1>8r77?BIKs?Jjs^!B^}lNFY; za0bl2lHRhTLrOhv1-W=*e%bp+?1AvT?V~O@z8RLtl0=gC^Y#@#|No?Zo@UTIf~U1} zhZ|~##SC%h7ke|OYmv^7O?0z6Rt~}hqEkHF!_}h;EtMc!@d|y;5{*64y;6KgRJla40AALV`=byfx@PG9EEKlh_fo%>K zAw?nR(>ZHMa7DyG#0A$@O%@Q%kFR-R{x|u|+J^$7@955VFyoq*OL^WxvZbm>Rqb8T zil~Bm-Cq9UDjiu#`Ff>NVrfMeYW1{0L8AaV=}zkXnbzBkT_Jgax;TwUO$*;eI!yUXZK*e?h-GLRqkmeW4{hueWex!FACguuwYY9xeH5`~V~}{Sd{_Yo2^9SWt@vK`&m)x6Se|B12ZS%h11Vm;k6|%#%!ix zou2p_7?^R_Yp&zP$KBod25dZc(`-}ZeRA%n)7z5Q0!Xg(>k=+t#aHz3UOB`vv*eak z3VJ%ThRDf^0|=WEl$qf;Tl2_MWkFfWgz?!R@uYZ5t|1})O}HdOS_!oq5j00P_Ky|H z7tO~IRmvUd=fOt!FlKyK<|ue#CU^ah6#k`!9>={tbDvQfJct786^+rs$Ouv@s<-Jh zdSSIA_?9)jFzQn^hqzHrh3aorG!(KW864HgkcWyYV4E_znFn?X2|SO3)APT-73|Aa z*Ku`%qi1XjJed?1yA2kA6%3*@-2Rvh;PgB!fV@GaBJMAZZM`q4i)utAn!Kr*q-^aa zuQe==74(D3slBOwFD1wd0cePcvB~f4@6dEC*I5?>EI*Isvx(N{d1daIZ~47{mRyz zfvG*tG*G4{T3TenXpnA&@jG{!W|<5t?1ph1Xm@Tw4L;9YPE6({OM>6=I_$3T8N$l} zsx+0t;{L7`%Om{nHy>&K&9y0&@_t#+v4nfTo~83@-3O$&e$tLs8g_|GL?$`aPG72( zc9!R0Ork#xmOo!3ds0)dwVv{y6E-P2&Xg_&0-xD2?#<_DF=JN4VEf>7x+*3 zOJa&!ya^Xup>mj~o-NU3q;1~PWTEj>POiPVpPlfJU`o~m5R&UjENyK~$U|T;3A9;%`wv_X; z?jTfv3i*PbcH7Qg=}${@l#eXOQw_9b>Y43+or1P_`=4LeK1m&8-$mTv`a#w0d85~d zE|0O%7HOCeckH_5y+s`ib~Dd*nua4qsW9+s4d~S3vXyB2Y85&9*gPQ@qNb&=?c^c< zwp-aDX9Nzx*$=F-T{>u}M4w|XPtDwTPQ;|Ng)_P=IKiH7I0P475#QDm7uW$Zn|SH5 zabl8K?tpdIcX|g&+X%#6rk=0zHX+qTpX3Ylr|^MmP;0Z>QNIrFVWuu~1aO~(zBA-B zf363-5Brh@mrlXHJ|U96i&$O;D{VxFlSw?Ld=+n)g-^WiYadSJM_X$BKkqKzJ};R* z{U2luQ+cj1Tc_;pN}5sy?Y-$@?o!uI_cG$05B^tYZy6m&53CIuVjNR!$IQ$zGcz+Y+hdF&j+vR6 znVA`5W@ct~3^DUg-n;kgclO_I&pEBus8o8Y1g-9ts@kDWHKwjueR`J9znMmuiA}g+ z25u=*seOKmw4cu9ms_20w>RcZD2$S}=`#e(+%c-iLZ4wQMr--a!ISEu%x~C0vRDhT zG98OC%sIC^%@r-ZFzVo|qdCRf(-%`(Gu46HR2400kDcZfR~3~hMb#cPCM#Q01H=Cd z4n18Fl2Ltx>Y5U@Wy=2V(^6w%@}9$n8a;WKpf$CbmM22;TrOK;H{gMj4iy8ZY}J zl$fp;uRXjpg3wRW?N2&M1A4|NjudZ$Vz1qpmd*))k2Dt3YW!Q;BfEza|DIQLYb`NK ze?TG@e^AI%AneV-#klAgz|#%cr|K43!^OL304lw79sFoAT+(`sOE=41+QY-Dapyc z_b`jVPUE*erzVCvzYC|KwIxErAjgl^`}^Ul7Vkj63Gbfu*Vd*-hjHS08ZxP#*hnJO 
zgK7Tf3A5BUl5L?8;Au^_`|IV)qK1K2RJDbCsW|G<7ytrSla9>JS2NP!?;+)iXu(wq zfrlZAG0p(mdqoWq1k{hvN|fF0P-Sv)SIqZ5k@nh|@2mvyU-pUEO3KLnv@54g*+X7Q zFa#yw;b)BK*WO$2F?W%< z!$y^l4h}{yW3!suxptmmDa0ovB)n-MX+(^u|5uX_VVfua~u zv^O!z>Nf|RSg4m8drN>wev#|rZ0<#4T_-V0eFi-3B-ewUK<=n_Y^cX2%0r^kM>Z>0 zwp{vXLoawx+d-hrOrJV0WFECiy`>myR`84bG%5d(=#j4xJm<&7%4}pZzbXa4ExqK3 z?>(8MW%|a(iyV!7;<&-RBq{(+QUb9ZzU%3G<7D+umlm;XvX|W0>RG;s>B$tUN=j&eM7;lql0+2qt1bi}i;vMw_USZcsHPa@T6x>Ug2pJrwr9bW_|~{bBjCX`U?N?8%imyDd_zD; z4{*k&t2HZbO|^EDpizH_Zm^yE^wQ;yuuR5K$87;UY=wlQzWS?83}P0(C4tWK0Y&at z9cP1WzV{B=-QtvwO+O4?FyUy=510?@&)IFBC&0&9@_SoHS4ikyzRPUKZ$FbSkBFkk zS^oO6Ev!{3S^!|c z{8U_)7nmM^HI;$L6g0F{DUapqo@uN}J_GAQx2*_pOzCsMDi*A^tFfj zz`uth4hwOAGP3j~lqb-&DqHoCJFp8+62n8?!)hy(D4qH6An8HxH~y<971$6_yAdpm z5Wr4roR*XSLaP}q$GLa}Rpk0QAa)=j5UHHst5263f*Ka}>;6iWuDz{37WE5v;zErC z26QRC22cnZ-dIak*hKUQI10Y3n-rK^tmmhM;@&0XHZP?qEug&{sl}!-KC5ObHa^3f zdUca(DoVPH<0HB3{Zra0)j<#T7 z(NO!_c{Z<`iu(6jKXxl;sXI!v@>BK-2&V^h#~=?lk0ZD{oK7ba>{$1B6$#4NVG6&% zL6kr|I+R^;$KI*1eG_Y`jX-3Cq9Hv^OLK<w=*E#4;Y*A z_jRT2Wd+&SHnam_>p#GFnd*1&PvVU>;YP1Z@X!XYmACPP+0Thbbkr{j<6R=3V+6jO z=3Ku6qISFkbbZczu4=2cB3ORZwtszY-~DrkOBUy;bYOXli28`s=S1yt8&TmwGI@K+ zgX8%(MS)JoF@;>pWWp@c{>dPEpV+Hg)?dc?Wn+aTV#GM#92d91~k-R>Ie%2PB z&P0oUg%DS}j6(wb>B464;QaQlQZBmehjwN8!beWD1_)1=_2WNnd3r~!*Lyj;j=|hl zWDcEf&uh*CBB-}c4#(0tDn2k~Nk@q`5!8vE8@Ufi{;Jg!$FFRvZ8#UYC8HX@WEQu( zX4pWsK7b_+;;ZnqGxMEEzj<}i(u7w|>bKK);Qt^7MQtmB;fFG$RoptY7v`o=F{uz7 z^$BB-_81YWI>Z1io2}lnKfDDG(+IR%R=WGt1wqs7j@uv|7EjyWs`09tyXCEUt4tYs zo9b|eiSdk^0Z#Oy);DVz`PPt+v~x|Pw2o(Vio9R!4rDFo&`~Cd(RHqgqujEZ8+sQ+pnIPN5}1?$kN$vwKAgemt*GCP zu_Sd$(TJ}2NWQcvPvP zTYIo~Lp3t_k|zjH=_}0D6TjyMsfFZHLJlf*sjw~oAb8)~%I%-de{Bw~*B2%Z(l6l% z_s$d%(2VsIqY#h9-gN~%c=RJVu(naRiogiy?ci`v!mnDxyML8b6Xqdi5i<3`j;b9f zkqO^Qvoc3sx17Wrmz0Q>f|K$$1IEb}P(njT33Uj5%S4uu0D_U{HPeJJ$SIrCpEp%L z7*UEQkL#Z;GBRY>j8SC0{>nbrc?c0KpaLI+oRQ1f1FpXtfgjXXO$!BsRno}eZtwB9 zzfxy7o_0(<>2u`LiEaD%Z%MM4viO{?UF{+nB&OYT1NX>j!;Q-NkL3j)Zytqbrm|3` 
zj*{g$`&~|z?HM_%yE6{Vz2zt{M?{)vM9Vs9o;rBv4ic}@sK|G$c0G6>!;Z3ymXkbg zZR%h@+njg%=0_aD>Srg_ZWGDYZR-r=(#RL>LNMky=zwu zEtPT?O#Q$R$LNGeQhUZE#$8fPacbix!UM=6y)YV&;J?(R` z0da|cgyQmHw{fj`Nhw6wKXEA?i-VyAvRs-FFsD{-)Y{DF;J8@ZgK_CGP0z7q4d)Bx zJ|t}BEnN@YoK>XPa)j!YA3LriFD9I$yh`Taw)b@?E10%|ZUDmA>$iHTe`MW}@K3bI zlpC#1`LelxFl6ZcU0EOz<{+jS&9Kt!#L?M$jFz}B)5e*zyp57dQ)jjvTS|X?S|)eZ z8WRz!iAMb?o7m8KZioxx&TN)VO!PVt!s!`NSEW6ng&VjA-fc__SuNE_#6-{hfH_@b z)ef+SUNR|Vg=vKEx+(XZ4rjzAq_DV~B>JgF%yVaB%>ZeU-SM@+Ym@=0=piHQxj;H| zERD?P0#dl+hk4jeO1sLX#jmkY`y~20wQi+>UTK%6)k4z_PZJerSLwemr2~G3;Ah>V z#4_`gW8PXB)RBmIPW5%cv6p=IrWyPnc65yhMuQU++-crArbGIZy|}s0f+9TN;&vYY!lO*XlaVY35s*oa)L%F%`N!j12Cvee0qgVl2dJ||Jrii_tn9Dr+wS>arr6h? zsY$avn8|YS=;t-&Eddb(Eb4>HY@1w^WFKnk1kIbf%mCq_%{Si5jXexHj6EbbPqtQB zErnh##i{l4^1m92wymwnhB>o_*WO*&F}EFPG2pkIZ)>QYE0yS+=d-l*f39D$Ce&4r zR!@r4vr5@_&woji9!+#$#l3bG3bF59teKt5Z9bnhie}%zLVX(5GDihGx1~vq8*r z!%^)TVzQanWW135h$cvJD;*b=jXs)n{q~MgY!q5=)=uWFc`nHY}db!e!{D3x${k%a^lgp82n%TUtge@j<>`{(MY1*=O0Qc47AXzhAMx#~xuv zHMVSJn+r_B_V+xYLQ8jt`P_k>lfA}+x)?HbUH5fzqp}(1h~i@52b-N>2CL; zosL!$WW#T7En*fitQGg!_~V3Ag8c@NAebV!u$r1C`pzoBnN2Oju`#tZpp&y;jtm+~ zC09Grfwjf<$-nwo*l+qYRM= znql+++;y*xKfF*gP=@k{rVef1fe* zDR8)hl#`zFQz@unP9lp`2xy^6;1e|jBhH?Ag%K)Plt-WXutI@E!ncgHig~~hmQZ7c zLEXt*7$T?BBBK$!cpCjQnZ;HxSV@)^=jadl+-Y5SX0UV->Zk+^m4ylf{QPtonVoX3 zLevvBpE~xMMu_ai0)_NU7}UG5<-Idn3^6-n|#bu*&E+>y5Qg_U0rmQ(b4 zhNcIwz%?(KhAArt>v!X-(RK`>Oa9`z9VkV+3-r~D!5JnXEQ3S|Kyta2AyCPZQhy^$FX9*YXs2+7MKRS zFuqi&&^aA;dc@JXX+iRz{zhA+H%85$gVkD z=#N>IRoz$NY#{#KYZJhRBC_cYF_xAUEP14=pdjhfS(0bL4Z}*^hv!rjSd{-byBIf@ zLyr^smsA`->*-F(AdyhSN_q$;vDlwGXkz-ioS@EyP^A+4Tda!x``HvX8)xK)q^bfl zKknj8+?3ocz`8O=m`BCIeoA=+ulFd`GaY&$r13>B^Qcn2p=Lh&1P8XhKo9?`!-+K& zRo2IubO}<(J=qg>U9q#LyA4$;zxdKuMdWnEzy&l5{IZL(M!!^N-l~EG?k@JYo#B_Cf3# zpcRrKa^fM95#H~Km7v)lGAt~0a2+AFsmDMchNXwQPZv&>UJ4La2<29`40nQw$W(GK z0d`#fW?Uf0V{(Qq+voCc}YHjJ>^xrE68yaoi&UKF9?s5yr{`9A#Q6ph?{{djUSF^uD#TkPLAB- z6IWooNtm69%d(6NNu{>Hd3P(`voD}58pLzj5%-=HGx-Eq;5#wBUl)OKn*^=VOYFg# 
zGP0xz#7_00XA6tt#=QVeqeL#H3zwJIlBi&e#y75*TVo^oX|2PU(<3ayh@>h*J@sCRC0|Abk`Iz!M4IhsJl7%}qw?6|k1VJR;5EwIHl`q8{XNj zvj#pseBSr!*Qt$pfJ zJf2os;yElmpDc5z%rJ{hv)b7m>NP5zfKKlCrbj~;M*b!wtt8VCa_}0IsFNf5K=K)@ zyg>FVPFEn#@rZjm>-@WNdi<#B*i%%Z4q>8ln;j8(6UBJeIg)btoc}SyHGG-ixFyL* zHU6P_fGWxIV8NZSy^YS=V!@udyhKyuxP%{)LPDI)076lDHDQH19c<+VgmRN{frO-* zMywhwyF(^-oyBK@!^)1#k3|+c@&Ke;TF_%Y^ND3?iO7usZO%rjW4g5uX16P*)!9Vn z&vIk`w;+jcxhe+WGR;uN z@Zz6r9-0|CoSe7E5a=yOyfH_Srx_2T>IwJJgIYICa{65rKPVD@yhr5-gyMTgb$63k zU+h-=yqsJGl!nV3yHp&7=~>Cam9s0lz-mVoB+qiSnAbCwEKFF8uB*!JcNeBj1CeKC z>(B1fMv2;-%;#GxircBBJ1mEIy6+xwZ(PN)or)=>ewL~>3{1s8>#&KG7h9Xuh#z(w z)Rz_)Za_Mrp>6lR>E(HUPj!7w+Mqpa0G3ppMV3&gXmIzNGbd=Y_L`v@Be%$g7aN#O zv)RV$1Bx>zje&_hIA%&MZmMqbJkf)9^V?Bug?dBEMQ9pz{(Y;LGhF^|hjMI$1_%v191Tl)mE)FI?-gmK2B z*r(r5?b(83h|6nX(VeM7;@9TP<@(wXok!!?76TKEKM@>I_Ggr#Zq&8z4IgHQPMIws z2+aHNn~gyGUyU(1$M70gP&Uu|E|0|+*+oku=4A$uN!d&b%DuITNi=8#uV`kk=adGU zqv~!RW|~>&X<*(LhdpHa#E*tQC*i=%L%TGoyYVR1P~ciUL$~9Z0@fvePZOd3z}09D zZmmyh48k#Hub?ZJpjd!OJ{*?@+4kZo?q1=!h&v3U<64g}%=iGeo9|%&KZA-$oM*%+ z5z~Uyx`E&9D_;-Zxp}w!d4u}ZE{7eBw)}N6WRva7KHXO^=Pb^GijYM%=$yr&J6*FO z)u>%9ZWjyO29}@=oH+!))wR?t+X?wFKX&sHXN1zx&7lh$6BnBO#s9*&Ms{<`_pSe~ zapwLbonki!-A00gJWS^udVR1hx=D1(;p|1eSBSV9m5 zVMyB=J1+wfn+GfnUC8Q4fat}<8viRTh^^(nkZBfFXulDN*a(DGLe0v=#cB+cq{jRo zD^TfZrJx*1d;b&tTNAaK_GbMb#=)Nd1pFU#vhGb$t3Z&bAQ(6_{}Go+Era6!s7j>U z{u3S~0?8nL;s0L$kKB&#|49h+9jAfMjf_nr{>~Sy29d5T^?#_PWd8rHsDJgcc>-b$ zN(uA4cami?~pcMy}mR{aG2G}r2;7GRwb*j&f;NZf$>kEyo+e!1e>|j5m?F%qV1sZ#dz}d7Q zykt{6v*T*&F}ofq+evY;GWnTBN$UrPR@Uo^KcZ#bTGr+GXS+7-goXM0MZW9j_BzB< z_$uG+^~|vUiL#YE;D8xHdNXzqe@S7D^MtQ-XuKs{x2WtF@J9H>@7?%$a)tkPe`CV& zIjxt^`RcKz!c@n*W;BYL$-1aO}ja;!UZA!C{9L_b^d4%{dU4_%-VC(1e@n z@p}%!g?zcmAmibEbh^a4j8t*3hm37j^Rmm=Gy-Y+>x)X5&*2I91PYmesc9PnhW?S9 zo_xxPK;q{&G(BB&6)5~am3bS?Xu8vMUJ}{-k5BFWis=F0xlOpA{pN0*Jlol!nT8~ApUtuIW*vG zoh8n?7rN3|pzm_RR`?F1iH*(uQqZwz^dV{(g-Q9jK>RT?(fszH${P(C1_oMO{o?*j z9JNfHM5uwcg^=JMX{8Y)k+Cd`>~eXc_9pSC2HAF742>`*wN@NMUp+?@kt z=*gKlmUe(>uh*zrF_zSomIJ(Tj*4b}BLz9L 
zFl<{Mxblptr3Y;3_Qe5DaqsBQWLl460&$_5Ri*3+x>zBi=-pTIQ=m=`xw3t4Pb+k2 zH+ZR5Jzy14iwzUNa2GVbCaE@wM%3|PN6IxNg=Wp546$pXnanqO+D2BT->V`Isn59| zn(9PW4X$WM{&6t2F>4wfVr(wgN%&UFj;6pACiJtiie?hAbne){2_N0i7KVPQ*`X5g zcly=nfHB7RyO$KimNMoM0D&jmk99w#!HNsqh zOLcl3MxNQGk~8whruyKi_2>P**603GKas6{?H{_PW~+#%qE9cN=KAezg!T9HWMh$2 zHrHINJB@@*aYE8+eC`nO9ofS7)r-x^e|m`V;pdO6O}0F@1_9DX(E8<}=D zd%E_dYBh`;eVf{@sSazCn2HYTy+eK(sD6uQ7WQmU;VsLAe=`Uw3bsb-_r)^$khLzNA_Mwn_zTn-@luoHVM5%m^?w4NcLSfv3XHV-Q z3VJ0`C?PwR-+m2Dx*2lR6NSdIqIfakIkNC*fv+tmHGtBx&6~x*S;Y9C;LW;@Md_f< z(4w446u~dJwxOS`jzw;Kd1$IUP2%3rf_zd%zIkv;`=WAiih$BZT|L7Fo@abDt`aOg zO`9-*vl1!&UsV-7>k2j$K+If}LQS$Grg!bO{Gt93e)+<%;ki1K_OG61Q^2zDv76e) zx|P6r-A?Gdef;&&k@h2cC*Ju2&ugxk2Wft+;Rdm$v9a{ycRu7ZQkMICXDkzbRWG7EDoR+2J#8>5BA}+?vI{*h>fe(!FTqk*RH`|tV5G2 zQTJv3!vF#wIL+-kr36qHqI^#ne)%mY4=?m5&{EbfCMol9YiNKo&iqGLuh9AAlCTcl z@_az^+DvDaj1Is-Ex1*+KZtG(QAl^#T3GjA!*@_)F+1~Xl}?WbHGGFA6b*m_pL}Qq zsNtgzBz4$pf^RT42~arb;%}5oJ3(6Aw)yH%LhUR`0qksXHvH}Ea^~kp2)?`iCEwAZ z6leQ4jy)<6Y}aerM6l(|7N8Za4&O$*2l(@3gO$J%HXket^FY> z>pK~+VfiQ;U9)Y@n;ekMT*`s76D-OZEMAwHJ`=}g41$EurfW^=a(dpSJ`)2f-r_ZW z(@lF=0v#5 z?^NtV{hAdPd_z?j1p>ALog{^g;jtp=yKw@Ae*tI*urFp2SPLn{z8xgV$>92wbah{_tOm zcO6yBjQXbX&n?cIn@{J~FWNP)0p7378B}xK6BM9PvesnC_se`4@lIV$mi4z-3ETbU zA%Y6+r2E{MB6<(`)Ldp+K{Q?_!KV7$uW(Z;60Yh;fvletgrTkCQ^83}D z#CMX+`t7~Mj3MezDe*HKXnukd(e73HT;ozW;sHOLN*0Zg{Awykce2{93 zs3$wu*R}WiCabuA_vhL3popJ)FakX}QIy%xdIhcE121X-!e=-={IFWHE|qYBbk;pi zee|%a{;~A1&yqqTb2w%yM5fPrYc!<=VOd`YFKT?b)r;G|>bgGdq~&RIuO7` z{9Q&kSuu{z7{a68dRmI%r?dHi(EiMH>Maa?lM{+G+#rk_QKTSSJM7PP7RbE;@sOxoKj9Iy0yOyHh$9&nCC`&}@K@b_3Rh2R0~tG9Z-lV33%{dPSZyhPkWZy@u&=mM{%&@TIg0d_qeu4@7- zAC0e*5(*LG#hu`@ErH-Z7L1uv41NpXaehgkLCrvk;7wb&=}ZbIz&mo^K9c>jUH7sf z+;3(rG#K}lGVV~)Kppi!3f{dX#}rl;75CkV9>6o~_GIP_LR?oCoeI@okSX^Ov-;mU z+lwOBNrLFJR^W}_np>~8F2?93iQ4+aQ!iJVe@K#ZifV^lePb=`REpOooO=lL2JZyf zE5!J))B7R4_L~a4m>2Bo+ia@zz-=9t7Ie8F6D=+WXdoD96qE%F@In)r|1`_*W2Dfl zkA|y)(SL%+(8{@qE-QFI@-USnK3{vdShjtE(N>1sr-7HG{l$rB;-IZ+9`;qM=~xrc 
z{L09eHw`U`gAOJYfFW59CE1?ujb^|cS_ra=!)Yl*hD3sxO%*zz z=g%HaXp5J=TRU#Hfqw!8(Qjt)N>YeqnOX{QbG*g=YH%G~Pm)ijEb!Re^9#b$qK)C# z;M$f7|AnoAE1G-2PY;DRvF;#3jO7n5An!BIXO~2y+JWpTO81RzeDX(Cu>pO55R1#3 zS?Q6i@SYhla%j#H{^7K6!a=|_X4if<{+=a>s` zs-wGzJUcZ&OxghR>e=cA<-_bry5WV+n0zY4Eh}ZVkMFn??8pb+(S2mhayh3C)Zvh0GdOp z<NT3!8hgG1wM3IFoZmBAf~4 zc|cf;v3)PwOzIF<6;2f?+>iuYhhhv1D~ICYFqR}W3f#W5F|9cTfX3KqA7vEnzd9LA zLIV6K>c`MnW39f!*q*i6=rI+Q`o^PwT`QKzneY5`fI?2P#40O#DixdKs6EST8fo>6Puh-G@Gjt@*SZh&7R}a9*YZ1LkBWS60iq z%#x5pJRG^+{@_}?sBnAO@lg;`I!X{yO?jzv{{-8*OpI}0UFLAuVd6iej*aXW^Zs^@ z?iW%b9JIIhHhCEZ5GO~aL3Zqjn~EDpcpXmwA99^d=(yeVp`> z^L?B#XhYN$vg}{>v20gMpbii2))Imp)sN0sg}H{I6sH^jhc-B4yUXpRk6S4Sho$+T z8B>cQQix-84qjrvSjJ|bTcV=;>|_-L3Z)kp%@vLs`=g4WxwA%DC=yAyQ7=Nq=-kh; z4u^;p%QL&L8N-n)c(_$P`@tx zq&S}!wsCa-BSp&oPaj`15+DYS3dL;LqgNQQb~`*?>X&6W13u&ZaMd8(dJ`~OcYjZg z&O_R1`aqKP5nL2SQ^cV5e!XIKIyvNx1oQF}lIj|=Nw^G(H5_^5|L=`P=gZ?}3}FXU z%y&xU#~GxRJfrqP8hA#KvkDbok5W>k9Ba#vbis~rghqR2i*q}p>|uo4Of0#fgkVF0 zs1JMCqkl4_{;N|)1*!Rf1Y4tQj3Xe34DJ>rLx#T_JmN-4(BpygcEXUyKgI6xl|Z>p z10x=7aIT(rxb(5Ksv~S4I?qxfA4>lY1G1YfktICjbMV$kM>zmP@0?ygkzS@}2ZN0n z#wTDKKUmY-b#f1xAn8lQb^bIG=ZY1$<3ecvbv3}X93|dDpHX&PJT}$IErQb4&OLO1 zpf^hz4faj;T>lI7qvO(hEEG!q*MEs*dNh3N?>y)y>K#(a$!u-1tPoH~WQxDU)X*7F z&CFc^!}%Nwp+w&z9?PFokd;agY&RrgZj{jHX|l%Q_z2MjoqKN6FYF9n=c${&^WHp7 z+Ql2_?#Dm55{rm=NXq!u7P-G#^7%Ul0k%(PG2OXilf)Bsj&p4`>CNv`nP}T5&TO~6 zYls)5TcX*%=o~imu>VMs>83s@ZzLatYuQl)=r`>w?tiHnqfM0S)qsM2orkD(?6{H= z(X{^YfI^h)tES#xs~(&YnLA(l-AzCdv-L{D#9x!|Xvyt4v;uaf|#QLDMcAJ7NM(}lnxaTW$Dsf<= zhjCzDWoTZ`V5Glnw1hUF1jg!Ig25Aqwfx`QAY?S(3qhrkU+h#r`lfdYMlIVOdrZW6 z`<6U2>@wm6hyh{e+N2D19wRQ5Wyc|4G_GhC?WWs)fc)zt;wndZce+yw;yyy&e2oo{ z9Xj9#n~k2=at?%*v{fS-amvdoT*3!LkbJoiLhR7i6G3gv-Iq|Za*sx-Jb{vpSkJ;g z4qBz(&{ioRr^F^_!vq4M_vU%0Oqi!>__T}Et(n5CgVL2HKmV!*yU zNCoA3hBXGsaQIu%ue+ogQ}l!m6>Y?Odgs?km4ql!QPf_M%v=>_VUz`U{>ZY=>tUH} zd3Pvn%yu03w`DmS?YWo#wB`q)%LYD{Q@!f5P{@h9aK@C&UGSlZfWCo&GA2d-xGTT2 ziyN`ruGd_A=7VJi8cYjPrC>r4hxysQ{Rh40z%K_tHzshk{lSZa-mcRxTLKqLdaR)* 
zM6_6j7OX)k2bRU^;57$v)Pm81#3J$p@aRZDo!}oj*5*Enz*NSurX-vetM4kuK2DIO zFRJr2E?EFm8u<=fN~MmkTO&iwCnc=-TiA0;x7=yQVe4{6N5fWNRm@|Jj^9x9aW&-` z-e*YnQ^s)f=js_WBQd3^{>c;0<66!Ou}sHT;O4crRHR$>A>SmvfQybZO6Xbc+q4&-2~;7?wnrm%&p&xnWj!^hXMF@)Dwn%5WU*XMjM&%^gu z1E3C*Ru3~>-M#-w3` zb6aJYeTVQMb>+aAZIWCCOi4p%V54hzL;H{}@jq(Ff!94hJ;Q?`fSiUTomPuf;?qN% zw#F*R*nj>#;`B{NRY9Zw7N_~-$dv%ct=c&J?9|FtzaM=QZ+a1;#hwJ`wf|O^er%OO zIE9aQdT|SGdtiSXdD^K-qJjMebqSRC=i`imp@^S%T1}6TV}H8zn*Nj3ElVzwD3T#< zevqq!q~FUYWNa|9Y9&f6s7<8=TdI$;jj?Aow|~i&@bbh`ccmq;hVd--99z^tD8-ME zDbZtmAnS?6$VtU}Z17jE=g&{Ve?G%_r*(@Lt--+lc?MII z0f#_`{C`{n|DXQE{<#MJ-=o>@-_`$5N5TJRA^%*H{ht8-xhDJHquK8e0nK)W?*IS* literal 0 HcmV?d00001 diff --git a/Solutions/SentinelOne/Package/createUiDefinition.json b/Solutions/SentinelOne/Package/createUiDefinition.json index 281471a9999..beccc3faaa5 100644 --- a/Solutions/SentinelOne/Package/createUiDefinition.json +++ b/Solutions/SentinelOne/Package/createUiDefinition.json 
@@ -60,14 +60,7 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This Solution installs the data connector for SentinelOne. You can get SentinelOne custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
+ "text": "This Solution installs the data connector for SentinelOne. You can get SentinelOne data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
 {
diff --git a/Solutions/SentinelOne/Package/mainTemplate.json b/Solutions/SentinelOne/Package/mainTemplate.json
index ffc7099e8c7..824a5a5da0c 100644
--- a/Solutions/SentinelOne/Package/mainTemplate.json
+++ b/Solutions/SentinelOne/Package/mainTemplate.json
@@ -28,6 +28,20 @@
 "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
 }
 },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ },
 "workbook1-name": {
 "type": "string",
 "defaultValue": "SentinelOneWorkbook",
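Review bot: The removed `dataconnectors-parser-text` block was the only place the install UI told the user that a parser is deployed, yet `Parsers/SentinelOne.yaml` is still listed in Data/Solution_SentinelOne.json and `parserVersion1` is bumped to `1.0.1` in mainTemplate.json in this same patch, so the UI now under-describes what lands in the workspace. If createUiDefinition.json is regenerated by the packaging tool the fix belongs in the generator's inputs; otherwise restore a short text block such as `"text": "The Solution installs a parser that exposes the new SentinelOne*_CL tables under the SentinelOne function used by the analytic rules and hunting queries."` — wording hedged, since the parser's exact role is not visible in this hunk. The reworded `dataconnectors1-text` entry itself is fine.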
@@ -41,30 +55,27 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "SentinelOne", - "_solutionVersion": "3.0.2", + "_solutionVersion": "3.0.3", "solutionId": "azuresentinel.azure-sentinel-solution-sentinelone", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "SentinelOne", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "SentinelOne", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "dataConnectorCCPVersion": "1.0.1", + "_dataConnectorContentIdConnectorDefinition1": "SentinelOne", + "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]", + "_dataConnectorContentIdConnections1": "SentinelOneConnections", + "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]", + "blanks": "[replace('b', 'b', '')]", "workbookVersion1": "1.0.0", "workbookContentId1": "SentinelOneWorkbook", "workbookId1": 
"[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "parserObject1": { "_parserName1": "[concat(parameters('workspace'),'/','SentinelOne')]", "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'SentinelOne')]", "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('SentinelOne-Parser')))]", - "parserVersion1": "1.0.0", + "parserVersion1": "1.0.1", "parserContentId1": "SentinelOne-Parser" }, "analyticRuleObject1": { 
@@ -200,57 +211,108 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SentinelOne data connector with template version 3.0.2",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
+ "displayName": "SentinelOne",
+ "contentKind": "DataConnector",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
 "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
+ "kind": "Customizable",
 "properties": {
 "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "SentinelOne (using Azure Functions)",
- "publisher": "SentinelOne",
- "descriptionMarkdown": "The [SentinelOne](https://www.sentinelone.com/) data connector provides the capability to ingest common SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. Refer to API documentation: `https://.sentinelone.net/api-doc/overview` for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
+ "id": "SentinelOne",
+ "title": "SentinelOne",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "The [SentinelOne](https://usea1-nessat.sentinelone.net/api-doc/overview) data connector allows ingesting logs from the SentinelOne API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform. It uses the SentinelOne API to fetch logs and it supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance.",
 "graphQueries": [
 {
- "metricName": "Total data received",
- "legend": "SentinelOne_CL",
- "baseQuery": "SentinelOne_CL"
+ "metricName": "Total activities logs received",
+ "legend": "SentinelOne Activities Logs",
+ "baseQuery": "SentinelOneActivities_CL"
+ },
+ {
+ "metricName": "Total agents logs received",
+ "legend": "SentinelOne Agents Logs",
+ "baseQuery": "SentinelOneAgents_CL"
+ },
+ {
+ "metricName": "Total groups logs received",
+ "legend": "SentinelOne Groups Logs",
+ "baseQuery": "SentinelOneGroups_CL"
+ },
+ {
+ "metricName": "Total threats logs received",
+ "legend": "SentinelOne Threats Logs",
+ "baseQuery": "SentinelOneThreats_CL"
+ },
+ {
+ "metricName": "Total alerts logs received",
+ "legend": "SentinelOne Alerts Logs",
+ "baseQuery": "SentinelOneAlerts_CL"
 }
 ],
 "sampleQueries": [
 {
- "description": "SentinelOne Events - All Activities.",
- "query": "SentinelOne\n | sort by TimeGenerated desc"
+ "description": "Get Sample of SentinelOne activities logs",
+ "query": "SentinelOneActivities_CL| take 10"
+ },
+ {
+ "description": "Get Sample of SentinelOne groups logs",
+ "query": "SentinelOneGroups_CL| take 10"
+ },
+ {
+ "description": "Get Sample of SentinelOne threats logs",
+ "query": "SentinelOneThreats_CL| take 10"
+ },
+ {
+ "description": "Get Sample of SentinelOne agents logs",
+ "query": "SentinelOneAgents_CL| take 10"
+ },
+ {
+ "description": "Get Sample of SentinelOne alerts logs",
+ "query": "SentinelOneAlerts_CL| take 10"
 }
 ],
 "dataTypes": [
 {
- "name": "SentinelOne_CL",
- "lastDataReceivedQuery": "SentinelOne_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "SentinelOneActivities_CL",
+ "lastDataReceivedQuery": "SentinelOneActivities_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "SentinelOneAgents_CL",
+ "lastDataReceivedQuery": "SentinelOneAgents_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "SentinelOneGroups_CL",
+ "lastDataReceivedQuery": "SentinelOneGroups_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "SentinelOneThreats_CL",
+ "lastDataReceivedQuery": "SentinelOneThreats_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "SentinelOneAlerts_CL",
+ "lastDataReceivedQuery": "SentinelOneAlerts_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 }
 ],
- "connectivityCriterias": [
+ "connectivityCriteria": [
 {
- "type": "IsConnectedQuery",
- "value": [
- "SentinelOne_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
+ "type": "HasDataConnectors",
+ "value": null
 }
 ],
 "availability": {
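Review bot: The new `descriptionMarkdown` links to `https://usea1-nessat.sentinelone.net/api-doc/overview`, which looks like one specific tenant's management-console hostname rather than vendor documentation; the same host is used by the first Markdown instruction step in the next hunk (`.../docs/en/how-to-automate-api-token-generation.html`). A link bound to a single console will break for every other customer as soon as that tenant is moved or retired, and it discloses a console hostname in a publicly distributed solution. Suggest pointing the description back at the vendor site, as the removed text did — `"descriptionMarkdown": "The [SentinelOne](https://www.sentinelone.com/) data connector allows ingesting logs …"` — and linking the instruction step to SentinelOne's generic documentation URL for service-user API tokens. The `connectorUiConfig` object continues past the end of this hunk.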
@@ -258,109 +320,90 @@
 "isPreview": false
 },
 "permissions": {
+ "tenant": null,
+ "licenses": null,
 "resourceProvider": [
 {
 "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions on the workspace are required.",
+ "permissionsDisplayText": "Read and Write permissions are required.",
 "providerDisplayName": "Workspace",
 "scope": "Workspace",
 "requiredPermissions": {
- "write": true,
 "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
+ "write": true,
+ "delete": true,
+ "action": false
 }
 }
- ],
- "customs": [
- {
- "name": "Microsoft.Web/sites permissions",
- "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
- },
- {
- "name": "REST API Credentials/permissions",
- "description": "**SentinelOneAPIToken** is required. See the documentation to learn more about API on the `https://.sentinelone.net/api-doc/overview`."
- }
 ]
 },
 "instructionSteps": [
 {
- "description": ">**NOTE:** This connector uses Azure Functions to connect to the SentinelOne API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
- },
- {
- "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
- },
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SentinelOne and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Parsers/SentinelOne.txt). The function usually takes 10-15 minutes to activate after solution installation/update."
- },
- {
- "description": "**STEP 1 - Configuration steps for the SentinelOne API**\n\n Follow the instructions to obtain the credentials.\n\n1. Log in to the SentinelOne Management Console with Admin user credentials.\n2. In the Management Console, click **Settings**.\n3. In the **SETTINGS** view, click **USERS**\n4. Click **New User**.\n5. Enter the information for the new console user.\n5. In Role, select **Admin**.\n6. Click **SAVE**\n7. Save credentials of the new user for using in the data connector."
- },
- {
- "description": "**NOTE :-** Admin access can be delegated using custom roles. Please review SentinelOne [documentation](https://www.sentinelone.com/blog/feature-spotlight-fully-custom-role-based-access-control/) to learn more about custom RBAC."
- },
- {
- "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the SentinelOne data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).",
 "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### Configuration steps for the SentinelOne API \n Follow the instructions to obtain the credentials. You can also follow the [guide](https://usea1-nessat.sentinelone.net/docs/en/how-to-automate-api-token-generation.html#how-to-automate-api-token-generation) to generate API key."
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 1. Retrieve SentinelOne Management URL\n 1.1. Log in to the SentinelOne [**Management Console**] with Admin user credentials\n 1.2. In the [**Management Console**] copy the URL link above without the URL path."
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 2. Retrieve API Token\n 2.1. Log in to the SentinelOne [**Management Console**] with Admin user credentials\n 2.2. In the [**Management Console**], click [**Settings**]\n 2.3. In [**Settings**] view click on [**USERS**].\n 2.4. In the [**USERS**] Page click on [**Service Users**] -> [**Actions**] -> [**Create new service user**].\n 2.5. Choose [**Expiration date**] and [**scope**] (by site) and click on [**Create User**].\n 2.6. Once the [**Service User**] is created copy the [**API Token**] from page and press [**Save**]"
+ }
+ },
+ {
+ "parameters": {
+ "label": "SentinelOne Management URL",
+ "placeholder": "https://example.sentinelone.net/",
+ "type": "text",
+ "name": "managementUrl"
+ },
+ "type": "Textbox"
+ },
 {
 "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Workspace ID"
+ "label": "API Token",
+ "placeholder": "API Token",
+ "type": "password",
+ "name": "apitoken"
 },
- "type": "CopyableLabel"
+ "type": "Textbox"
 },
 {
 "parameters": {
- "fillWith": [
- "PrimaryKey"
- ],
- "label": "Primary Key"
+ "label": "toggle",
+ "name": "toggle"
 },
- "type": "CopyableLabel"
+ "type": "ConnectionToggleButton"
 }
- ]
- },
- {
- "description": "Use this method for automated deployment of the SentinelOne Audit data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SentinelOneAPI-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-SentinelOneAPI-azuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **SentinelOneAPIToken**, **SentinelOneUrl** `(https://.sentinelone.net)` and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
- "title": "Option 1 - Azure Resource Manager (ARM) Template"
- },
- {
- "description": "Use the following step-by-step instructions to deploy the SentinelOne Reports data connector manually with Azure Functions (Deployment via Visual Studio Code).",
- "title": "Option 2 - Manual Deployment of Azure Functions"
- },
- {
- "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SentinelOneAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. SOneXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
- },
- {
- "description": "**2. Configure the Function App**\n\n 1. In the Function App, select the Function App Name and select **Configuration**.\n\n 2. In the **Application settings** tab, select ** New application setting**.\n\n 3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\t SentinelOneAPIToken\n\t\t SentinelOneUrl\n\t\t WorkspaceID\n\t\t WorkspaceKey\n\t\t logAnalyticsUri (optional)\n\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n\n 4. Once all application settings have been entered, click **Save**."
+ ],
+ "innerSteps": null
 }
- ]
+ ],
+ "isConnectivityCriteriasMatchSome": false
 }
 }
 },
 {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "apiVersion": "2022-01-01-preview",
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
 "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
 "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
+ "version": "[variables('dataConnectorCCPVersion')]",
 "source": {
- "kind": "Solution",
- "name": "SentinelOne",
- "sourceId": "[variables('_solutionId')]"
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
 },
 "author": {
 "name": "Microsoft",
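Review bot: Step 2.5 of the API-token instructions tells the user to choose an expiration date and a scope "(by site)" but says nothing about the role the service user should carry, so a reader who has just logged in "with Admin user credentials" (step 2.1) is likely to mint an admin-level token for a connector that, judging by the `dataTypes` it declares, only reads activities, agents, groups, threats and alerts. Suggest extending the step, e.g. `2.5. Choose [**Expiration date**], the least-privileged role that can read the data listed under dataTypes, and the [**scope**] (by site), then click on [**Create User**].`, and adding that the token must be re-issued in the connector before the chosen expiration date. Step 1.2 (`copy the URL link above without the URL path`) is ambiguous about what "above" refers to; `copy the console's base URL from the browser address bar (scheme and host only, e.g. https://<your-tenant>.sentinelone.net)` would be clearer. The `managementUrl` placeholder `https://example.sentinelone.net/` ends with a slash although the step asks for the URL without a path; if the poller appends a path beginning with `/` to this value the result would contain `//`, so either drop the trailing slash from the placeholder or state the expected form in step 1.2 — the poller configuration is not in this hunk, so this is an inference.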
@@ -371,90 +414,1698 @@ "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" + } + ] } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "SentinelOne (using Azure Functions)", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "SentinelOne", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - 
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "SentinelOne (using Azure Functions)", - "publisher": "SentinelOne", - "descriptionMarkdown": "The [SentinelOne](https://www.sentinelone.com/) data connector provides the capability to ingest common SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. Refer to API documentation: `https://.sentinelone.net/api-doc/overview` for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", - "graphQueries": [ + }, + { + "name": "SentinelOneActivitiesDCR", + "apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[variables('blanks')]", + "properties": { + "streamDeclarations": { + "Custom-SentinelOneActivities_API": { + "columns": [ + { + "name": "agentUpdatedVersion", + "type": "string", + "description": "The version of the agent that was updated." + }, + { + "name": "userId", + "type": "string", + "description": "The unique identifier for the user." + }, + { + "name": "threatId", + "type": "string", + "description": "The unique identifier for the threat." + }, + { + "name": "primaryDescription", + "type": "string", + "description": "The primary description of the event." + }, + { + "name": "secondaryDescription", + "type": "string", + "description": "The secondary description of the event." + }, + { + "name": "id", + "type": "string", + "description": "The unique identifier for the record." 
+ }, + { + "name": "groupId", + "type": "string", + "description": "The unique identifier for the group." + }, + { + "name": "createdAt", + "type": "datetime", + "description": "The timestamp (UTC) when the record was created." + }, + { + "name": "accountName", + "type": "string", + "description": "The name of the account associated with the event." + }, + { + "name": "data", + "type": "string", + "description": "Activity metadata." + }, + { + "name": "agentId", + "type": "string", + "description": "The unique identifier for the agent." + }, + { + "name": "hash", + "type": "string", + "description": "The hash associated with the event." + }, + { + "name": "updatedAt", + "type": "string", + "description": "The timestamp (UTC) when the record was last updated." + }, + { + "name": "description", + "type": "string", + "description": "The description of the event." + }, + { + "name": "activityUuid", + "type": "string", + "description": "The UUID of the activity associated with the event." + }, + { + "name": "siteId", + "type": "string", + "description": "The unique identifier for the site." + }, + { + "name": "activityType", + "type": "real", + "description": "The type of activity represented by an integer." + }, + { + "name": "siteName", + "type": "string", + "description": "The name of the site associated with the event." + }, + { + "name": "accountId", + "type": "string", + "description": "The unique identifier for the account." + }, + { + "name": "osFamily", + "type": "string", + "description": "The operating system family, such as macOS." + }, + { + "name": "groupName", + "type": "string", + "description": "The name of the group associated with the event." + }, + { + "name": "comments", + "type": "string", + "description": "Any comments associated with the event." + } + ] + }, + "Custom-SentinelOneAgents_API": { + "columns": [ + { + "name": "uuid", + "type": "string", + "description": "The unique identifier for the object." 
+ }, + { + "name": "mitigationMode", + "type": "string", + "description": "The mitigation mode applied." + }, + { + "name": "networkStatus", + "type": "string", + "description": "The network status of the object." + }, + { + "name": "installerType", + "type": "string", + "description": "The type of installer used." + }, + { + "name": "mitigationModeSuspicious", + "type": "string", + "description": "The suspicious mitigation mode applied." + }, + { + "name": "isPendingUninstall", + "type": "boolean", + "description": "Indicates whether the object is pending uninstallation." + }, + { + "name": "inRemoteShellSession", + "type": "boolean", + "description": "Indicates whether the object is in a remote shell session." + }, + { + "name": "lastLoggedInUserName", + "type": "string", + "description": "The username of the last logged-in user." + }, + { + "name": "osRevision", + "type": "string", + "description": "The OS revision." + }, + { + "name": "osArch", + "type": "string", + "description": "The OS architecture." + }, + { + "name": "id", + "type": "string", + "description": "The unique identifier for the object." + }, + { + "name": "computerName", + "type": "string", + "description": "The name of the computer." + }, + { + "name": "totalMemory", + "type": "real", + "description": "The total memory available in MB." + }, + { + "name": "createdAt", + "type": "datetime", + "description": "The timestamp (UTC) when the object was created." + }, + { + "name": "groupId", + "type": "string", + "description": "The unique identifier for the group." + }, + { + "name": "lastActiveDate", + "type": "string", + "description": "The timestamp (UTC) when the object was last active." + }, + { + "name": "fullDiskScanLastUpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the full disk scan was last updated." + }, + { + "name": "allowRemoteShell", + "type": "boolean", + "description": "Indicates whether remote shell is allowed." 
+ }, + { + "name": "rangerVersion", + "type": "string", + "description": "The version of the ranger." + }, + { + "name": "accountName", + "type": "string", + "description": "The account name." + }, + { + "name": "scanStatus", + "type": "string", + "description": "The scan status of the object." + }, + { + "name": "domain", + "type": "string", + "description": "The domain of the object." + }, + { + "name": "missingPermissions", + "type": "string", + "description": "Details of the missing permissions." + }, + { + "name": "isActive", + "type": "boolean", + "description": "Indicates whether the object is active." + }, + { + "name": "groupIp", + "type": "string", + "description": "The IP address of the group." + }, + { + "name": "threatRebootRequired", + "type": "boolean", + "description": "Indicates whether a reboot is required due to a threat." + }, + { + "name": "groupUpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the group was last updated." + }, + { + "name": "externalId", + "type": "string", + "description": "The external identifier associated with the object." + }, + { + "name": "machineType", + "type": "string", + "description": "The type of machine." + }, + { + "name": "registeredAt", + "type": "string", + "description": "The timestamp (UTC) when the object was registered." + }, + { + "name": "appsVulnerabilityStatus", + "type": "string", + "description": "The vulnerability status of the applications." + }, + { + "name": "coreCount", + "type": "real", + "description": "The number of CPU cores." + }, + { + "name": "locations", + "type": "string", + "description": "The locations associated with the object." + }, + { + "name": "scanFinishedAt", + "type": "string", + "description": "The timestamp (UTC) when the scan was finished." + }, + { + "name": "updatedAt", + "type": "string", + "description": "The timestamp (UTC) when the object was last updated." 
+ }, + { + "name": "externalIp", + "type": "string", + "description": "The external IP address of the object." + }, + { + "name": "locationType", + "type": "string", + "description": "The type of location." + }, + { + "name": "policyUpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the policy was last updated." + }, + { + "name": "isDecommissioned", + "type": "boolean", + "description": "Indicates whether the object is decommissioned." + }, + { + "name": "cpuId", + "type": "string", + "description": "The identifier of the CPU." + }, + { + "name": "networkInterfaces", + "type": "string", + "description": "Details of the network interfaces." + }, + { + "name": "isUninstalled", + "type": "boolean", + "description": "Indicates whether the object is uninstalled." + }, + { + "name": "activeDirectory", + "type": "string", + "description": "Details about the active directory." + }, + { + "name": "scanStartedAt", + "type": "string", + "description": "The timestamp (UTC) when the scan was started." + }, + { + "name": "rangerStatus", + "type": "string", + "description": "The status of the ranger." + }, + { + "name": "siteId", + "type": "string", + "description": "The unique identifier for the site." + }, + { + "name": "agentVersion", + "type": "string", + "description": "The version of the agent." + }, + { + "name": "osUsername", + "type": "string", + "description": "The username associated with the operating system." + }, + { + "name": "encryptedApplications", + "type": "boolean", + "description": "Indicates whether the applications are encrypted." + }, + { + "name": "lastIpToMgmt", + "type": "string", + "description": "The last IP address used for management." + }, + { + "name": "cpuCount", + "type": "real", + "description": "The number of CPUs." + }, + { + "name": "scanAbortedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the scan was aborted." 
+ },
+ {
+ "name": "siteName",
+ "type": "string",
+ "description": "The name of the site."
+ },
+ {
+ "name": "activeThreats",
+ "type": "real",
+ "description": "The number of active threats."
+ },
+ {
+ "name": "infected",
+ "type": "boolean",
+ "description": "Indicates whether the object is infected."
+ },
+ {
+ "name": "consoleMigrationStatus",
+ "type": "string",
+ "description": "The status of the console migration."
+ },
+ {
+ "name": "osType",
+ "type": "string",
+ "description": "The type of operating system."
+ },
+ {
+ "name": "accountId",
+ "type": "string",
+ "description": "The unique identifier for the account."
+ },
+ {
+ "name": "groupName",
+ "type": "string",
+ "description": "The name of the group."
+ },
+ {
+ "name": "osName",
+ "type": "string",
+ "description": "The name of the operating system."
+ },
+ {
+ "name": "isUpToDate",
+ "type": "boolean",
+ "description": "Indicates whether the object is up to date."
+ },
+ {
+ "name": "licenseKey",
+ "type": "string",
+ "description": "The license key associated with the object."
+ },
+ {
+ "name": "userActionsNeeded",
+ "type": "string",
+ "description": "Details of the user actions needed."
+ },
+ {
+ "name": "modelName",
+ "type": "string",
+ "description": "The model name of the object."
+ },
+ {
+ "name": "networkQuarantineEnabled",
+ "type": "boolean",
+ "description": "Is Network Quarantine Enabled on the device"
+ },
+ {
+ "name": "operationalStateExpiration",
+ "type": "string",
+ "description": "Agent operational state."
+ },
+ {
+ "name": "remoteProfilingState",
+ "type": "string",
+ "description": "Agent remote profiling state."
+ },
+ {
+ "name": "osStartTime",
+ "type": "string",
+ "description": "The Start time of the os."
+ }
+ ]
+ },
+ "Custom-SentinelOneAlerts_API": {
+ "columns": [
+ {
+ "name": "sourceProcessInfo",
+ "type": "string",
+ "description": "Information about the source process."
+ },
+ {
+ "name": "alertInfo",
+ "type": "string",
+ "description": "Details about the alert."
+ },
+ {
+ "name": "agentDetectionInfo",
+ "type": "string",
+ "description": "Detection information related to the agent."
+ },
+ {
+ "name": "ruleInfo",
+ "type": "string",
+ "description": "Information regarding the applied rule."
+ },
+ {
+ "name": "containerInfo",
+ "type": "string",
+ "description": "Information about the container."
+ },
+ {
+ "name": "sourceParentProcessInfo",
+ "type": "string",
+ "description": "Information about the parent process of the source."
+ },
+ {
+ "name": "targetProcessInfo",
+ "type": "string",
+ "description": "Details regarding the target process."
+ },
+ {
+ "name": "kubernetesInfo",
+ "type": "string",
+ "description": "Kubernetes-related information."
+ }
+ ]
+ },
+ "Custom-SentinelOneGroups_API": {
+ "columns": [
+ {
+ "name": "creator",
+ "type": "string",
+ "description": "The name of the creator."
+ },
+ {
+ "name": "registrationToken",
+ "type": "string",
+ "description": "The token used for registration."
+ },
+ {
+ "name": "isDefault",
+ "type": "boolean",
+ "description": "Indicates whether this is the default setting."
+ },
+ {
+ "name": "updatedAt",
+ "type": "string",
+ "description": "The timestamp (UTC) when the object was last updated."
+ },
+ {
+ "name": "totalAgents",
+ "type": "real",
+ "description": "The total number of agents."
+ },
+ {
+ "name": "inherits",
+ "type": "boolean",
+ "description": "Indicates whether the object inherits properties."
+ },
+ {
+ "name": "name",
+ "type": "string",
+ "description": "The name of the object."
+ },
+ {
+ "name": "rank",
+ "type": "real",
+ "description": "The rank of the object."
+ },
+ {
+ "name": "filterName",
+ "type": "string",
+ "description": "The name of the filter applied."
+ },
+ {
+ "name": "type",
+ "type": "string",
+ "description": "The type of the object."
+ },
+ {
+ "name": "id",
+ "type": "string",
+ "description": "The unique identifier for the object."
+ },
+ {
+ "name": "createdAt",
+ "type": "datetime",
+ "description": "The timestamp (UTC) when the object was created."
+ },
+ {
+ "name": "creatorId",
+ "type": "string",
+ "description": "The unique identifier of the creator."
+ },
+ {
+ "name": "siteId",
+ "type": "string",
+ "description": "The unique identifier of the site."
+ },
+ {
+ "name": "filterId",
+ "type": "string",
+ "description": "The unique identifier of the filter."
+ }
+ ]
+ },
+ "Custom-SentinelOneThreats_API": {
+ "columns": [
+ {
+ "name": "threatInfo",
+ "type": "string",
+ "description": "The information regarding the threat."
+ },
+ {
+ "name": "agentDetectionInfo",
+ "type": "string",
+ "description": "The information of the agent on detectino."
+ },
+ {
+ "name": "agentRealtimeInfo",
+ "type": "string",
+ "description": "The information of the agent in real time."
+ },
+ {
+ "name": "indicators",
+ "type": "string",
+ "description": "Details of the indicators."
+ },
+ {
+ "name": "whiteningOptions",
+ "type": "string",
+ "description": "Details of the whitening options."
+ },
+ {
+ "name": "id",
+ "type": "string",
+ "description": "Event Id."
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-SentinelOneActivities_API"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | project TimeGenerated = createdAt, AgentUpdatedVersion = agentUpdatedVersion, UserId = userId, ThreatId = threatId, PrimaryDescription = primaryDescription, SecondaryDescription = secondaryDescription, Id = id, GroupId = groupId, CreatedAt = createdAt, AccountName = accountName, Data = data, AgentId = agentId, Hash = hash, UpdatedAt = todatetime(updatedAt), Description = description, ActivityUuid = activityUuid, SiteId = siteId, ActivityType = activityType, SiteName = siteName, AccountId = accountId, OsFamily = osFamily, GroupName = groupName, Comments = comments",
+ "outputStream": "Custom-SentinelOneActivities_CL"
+ },
+ {
+ "streams": [
+ "Custom-SentinelOneAgents_API"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | project TimeGenerated = createdAt, Uuid = uuid, MitigationMode = mitigationMode, NetworkStatus = networkStatus, InstallerType = installerType, MitigationModeSuspicious = mitigationModeSuspicious, IsPendingUninstall = isPendingUninstall, InRemoteShellSession = inRemoteShellSession, LastLoggedInUserName = lastLoggedInUserName, OsRevision = osRevision, OsArch = osArch, Id = id, ComputerName = computerName, TotalMemory = totalMemory, CreatedAt = createdAt, GroupId = groupId, LastActiveDate = todatetime(lastActiveDate), FullDiskScanLastUpdatedAt = fullDiskScanLastUpdatedAt, AllowRemoteShell = allowRemoteShell, RangerVersion = rangerVersion, AccountName = accountName, ScanStatus = scanStatus, Domain = domain, MissingPermissions = missingPermissions, IsActive = isActive, GroupIp = groupIp, ThreatRebootRequired = threatRebootRequired, GroupUpdatedAt = groupUpdatedAt, ExternalId = externalId, MachineType = machineType, RegisteredAt = todatetime(registeredAt), AppsVulnerabilityStatus = appsVulnerabilityStatus, CoreCount = coreCount, Locations = locations, ScanFinishedAt = todatetime(scanFinishedAt), UpdatedAt = todatetime(updatedAt), ExternalIp = externalIp, LocationType = locationType, PolicyUpdatedAt = policyUpdatedAt, IsDecommissioned = isDecommissioned, CpuId = cpuId, NetworkInterfaces = networkInterfaces, IsUninstalled = isUninstalled, ActiveDirectory = activeDirectory, ScanStartedAt = todatetime(scanStartedAt), RangerStatus = rangerStatus, SiteId = siteId, AgentVersion = agentVersion, OsUsername = osUsername, EncryptedApplications = encryptedApplications, LastIpToMgmt = lastIpToMgmt, CpuCount = cpuCount, ScanAbortedAt = scanAbortedAt, SiteName = siteName, ActiveThreats = activeThreats, Infected = infected, ConsoleMigrationStatus = consoleMigrationStatus, OsType = osType, AccountId = accountId, GroupName = groupName, OsName = osName, IsUpToDate = isUpToDate, LicenseKey = licenseKey, UserActionsNeeded = userActionsNeeded, ModelName = modelName, OsStartTime = todatetime(osStartTime), NetworkQuarantineEnabled=networkQuarantineEnabled,OperationalStateExpiration=operationalStateExpiration,RemoteProfilingState=remoteProfilingState",
+ "outputStream": "Custom-SentinelOneAgents_CL"
+ },
+ {
+ "streams": [
+ "Custom-SentinelOneAlerts_API"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | project TimeGenerated = todatetime(parse_json(todynamic(alertInfo)).createdAt), SourceProcessInfo = sourceProcessInfo, AlertInfo = alertInfo, AgentDetectionInfo = agentDetectionInfo, RuleInfo = ruleInfo, ContainerInfo = containerInfo, SourceParentProcessInfo = sourceParentProcessInfo, TargetProcessInfo = targetProcessInfo, KubernetesInfo = kubernetesInfo",
+ "outputStream": "Custom-SentinelOneAlerts_CL"
+ },
+ {
+ "streams": [
+ "Custom-SentinelOneGroups_API"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | project TimeGenerated = createdAt, Creator = creator, RegistrationToken = registrationToken, IsDefault = tostring(isDefault), UpdatedAt = todatetime(updatedAt), TotalAgents = tostring(totalAgents), Inherits = tostring(inherits), Name = name, Rank = rank, FilterName = filterName, GroupType = type, Id = id, CreatedAt = createdAt, CreatorId = creatorId, SiteId = siteId, FilterId = filterId",
+ "outputStream": "Custom-SentinelOneGroups_CL"
+ },
+ {
+ "streams": [
+ "Custom-SentinelOneThreats_API"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | extend ThreatInfo = parse_json(todynamic(threatInfo)), AgentDetectionInfo=parse_json(todynamic(agentDetectionInfo)), AgentRealtimeInfo=parse_json(todynamic(agentRealtimeInfo)) | project TimeGenerated = todatetime(ThreatInfo.createdAt), FilePath = tostring(ThreatInfo.filePath), CloudVerdict = tostring(ThreatInfo.cloudVerdict), MitigationMode = tostring(AgentDetectionInfo.mitigationMode), AgentOsType = tostring(AgentRealtimeInfo.agentOsType), AgentInfected = tobool(AgentRealtimeInfo.agentInfected), InitiatingUserId = tostring(ThreatInfo.initiatingUserId), Engines = tostring(ThreatInfo.engines), Id = id, FileExtensionType = tostring(ThreatInfo.fileExtensionType), MitigationStatus = tostring(ThreatInfo.mitigationStatus), AgentDomain = tostring(AgentDetectionInfo.agentDomain), CreatedAt = todatetime(ThreatInfo.createdAt), IsCertValid = tobool(ThreatInfo.isValidCertificate), FileDisplayName = tostring(ThreatInfo.filePath), AgentIp = tostring(AgentDetectionInfo.agentIpV4), AccountName = tostring(AgentRealtimeInfo.accountName), AgentMachineType = tostring(AgentRealtimeInfo.agentMachineType), FileVerificationType = tostring(ThreatInfo.fileVerificationType), Indicators = indicators, InitiatedByDescription = tostring(ThreatInfo.initiatedByDescription), AutomaticallyResolved = tobool(ThreatInfo.automaticallyResolved), AgentId = tostring(AgentRealtimeInfo.agentId), ProcessArguments = tostring(ThreatInfo.maliciousProcessArguments), MitigationReport = tostring(AgentDetectionInfo.mitigationReport), ThreatName = tostring(ThreatInfo.threatName), ClassificationSource = tostring(ThreatInfo.classificationSource), UpdatedAt = todatetime(ThreatInfo.updatedAt), InitiatedBy = tostring(ThreatInfo.initiatedBy), AgentNetworkStatus = tostring(AgentRealtimeInfo.agentNetworkStatus), AgentComputerName = tostring(AgentRealtimeInfo.agentComputerName), Classification = tostring(ThreatInfo.classification), CertId = tostring(ThreatInfo.certificateId), AgentIsActive = tobool(AgentRealtimeInfo.agentIsActive), SiteId = tostring(AgentDetectionInfo.siteId), AgentVersion = tostring(AgentDetectionInfo.agentVersion), FileContentHash = tostring(ThreatInfo.md5), WhiteningOptions = whiteningOptions,FileSha256 = tostring(ThreatInfo.sha256), Username = tostring(ThreatInfo.initiatingUsername), AgentIsDecommissioned = tobool(AgentDetectionInfo.agentIsDecommissioned), CollectionId = tostring(ThreatInfo.collectionId), SiteName = tostring(AgentDetectionInfo.siteName), AccountId = tostring(AgentDetectionInfo.accountId), ThreatInfo, AgentDetectionInfo, AgentRealtimeInfo",
+ "outputStream": "Custom-SentinelOneThreats_CL"
+ }
+ ],
+ "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]"
+ }
+ },
+ {
+ "name": "SentinelOneThreats_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "schema": {
+ "name": "SentinelOneThreats_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "FilePath",
+ "type": "string",
+ "description": "The path of the file."
+ }, + { + "name": "CloudVerdict", + "type": "string", + "description": "The cloud verdict for the file." + }, + { + "name": "MitigationMode", + "type": "string", + "description": "The mode of mitigation applied." + }, + { + "name": "AgentOsType", + "type": "string", + "description": "The operating system type of the agent." + }, + { + "name": "AgentInfected", + "type": "boolean", + "description": "Indicates whether the agent is infected." + }, + { + "name": "InitiatingUserId", + "type": "string", + "description": "The unique identifier for the initiating user." + }, + { + "name": "Engines", + "type": "string", + "description": "Details of the engines used." + }, + { + "name": "Id", + "type": "string", + "description": "The unique identifier for the record." + }, + { + "name": "FileExtensionType", + "type": "string", + "description": "The type of file extension." + }, + { + "name": "MitigationStatus", + "type": "string", + "description": "The status of mitigation." + }, + { + "name": "AgentDomain", + "type": "string", + "description": "The domain of the agent." + }, + { + "name": "CreatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the record was created." + }, + { + "name": "IsCertValid", + "type": "boolean", + "description": "Indicates whether the certificate is valid." + }, + { + "name": "FileDisplayName", + "type": "string", + "description": "The display name of the file." + }, + { + "name": "AgentIp", + "type": "string", + "description": "The IP address of the agent." + }, + { + "name": "AccountName", + "type": "string", + "description": "The name of the account associated with the event." + }, + { + "name": "AgentMachineType", + "type": "string", + "description": "The machine type of the agent." + }, + { + "name": "FileVerificationType", + "type": "string", + "description": "The type of file verification." + }, + { + "name": "Indicators", + "type": "string", + "description": "Details of the indicators." 
+ }, + { + "name": "InitiatedByDescription", + "type": "string", + "description": "Description of the initiated by field." + }, + { + "name": "AutomaticallyResolved", + "type": "boolean", + "description": "Indicates whether the issue was automatically resolved." + }, + { + "name": "AgentId", + "type": "string", + "description": "The unique identifier for the agent." + }, + { + "name": "ProcessArguments", + "type": "string", + "description": "The unique identifier for the malicious group." + }, + { + "name": "MitigationReport", + "type": "string", + "description": "Report of the actions taken by the Agent." + }, + { + "name": "ThreatName", + "type": "string", + "description": "Details about the threat name." + }, + { + "name": "ClassificationSource", + "type": "string", + "description": "The source of the classification." + }, + { + "name": "UpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the record was last updated." + }, + { + "name": "InitiatedBy", + "type": "string", + "description": "Indicates by whom or what the action was initiated." + }, + { + "name": "AgentNetworkStatus", + "type": "string", + "description": "The network status of the agent." + }, + { + "name": "AgentComputerName", + "type": "string", + "description": "The computer name of the agent." + }, + { + "name": "Classification", + "type": "string", + "description": "The classification of the event." + }, + { + "name": "CertId", + "type": "string", + "description": "The certificate ID." + }, + { + "name": "AgentIsActive", + "type": "boolean", + "description": "Indicates whether the agent is active." + }, + { + "name": "SiteId", + "type": "string", + "description": "The unique identifier for the site." + }, + { + "name": "AgentVersion", + "type": "string", + "description": "The version of the agent." + }, + { + "name": "FileContentHash", + "type": "string", + "description": "The hash of the file content." 
+ }, + { + "name": "WhiteningOptions", + "type": "string", + "description": "Details of the whitening options." + }, + { + "name": "Username", + "type": "string", + "description": "The username associated with the event." + }, + { + "name": "FileSha256", + "type": "string", + "description": "The SHA-256 hash of the file." + }, + { + "name": "AgentIsDecommissioned", + "type": "boolean", + "description": "Indicates whether the agent is decommissioned." + }, + { + "name": "CollectionId", + "type": "string", + "description": "The unique identifier for the collection." + }, + { + "name": "SiteName", + "type": "string", + "description": "The name of the site." + }, + { + "name": "AccountId", + "type": "string", + "description": "The unique identifier for the account." + }, + { + "name": "ThreatInfo", + "type": "dynamic", + "description": "The information about the threat." + }, + { + "name": "AgentDetectionInfo", + "type": "dynamic", + "description": "The information of the agent in detection." + }, + { + "name": "AgentRealtimeInfo", + "type": "dynamic", + "description": "The information of the agent in realtime." + } + ] + } + } + }, + { + "name": "SentinelOneActivities_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "SentinelOneActivities_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "AgentUpdatedVersion", + "type": "string", + "description": "The version of the agent that was updated." + }, + { + "name": "UserId", + "type": "string", + "description": "The unique identifier for the user." + }, + { + "name": "ThreatId", + "type": "string", + "description": "The unique identifier for the threat." 
+ }, + { + "name": "PrimaryDescription", + "type": "string", + "description": "The primary description of the event." + }, + { + "name": "SecondaryDescription", + "type": "string", + "description": "The secondary description of the event." + }, + { + "name": "Id", + "type": "string", + "description": "The unique identifier for the record." + }, + { + "name": "GroupId", + "type": "string", + "description": "The unique identifier for the group." + }, + { + "name": "CreatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the record was created." + }, + { + "name": "AccountName", + "type": "string", + "description": "The name of the account associated with the event." + }, + { + "name": "Data", + "type": "string", + "description": "Activity metadata." + }, + { + "name": "AgentId", + "type": "string", + "description": "The unique identifier for the agent." + }, + { + "name": "Hash", + "type": "string", + "description": "The hash associated with the event." + }, + { + "name": "UpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the record was last updated." + }, + { + "name": "Description", + "type": "string", + "description": "The description of the event." + }, + { + "name": "ActivityUuid", + "type": "string", + "description": "The UUID of the activity associated with the event." + }, + { + "name": "SiteId", + "type": "string", + "description": "The unique identifier for the site." + }, + { + "name": "ActivityType", + "type": "real", + "description": "The type of activity represented by an integer." + }, + { + "name": "SiteName", + "type": "string", + "description": "The name of the site associated with the event." + }, + { + "name": "AccountId", + "type": "string", + "description": "The unique identifier for the account." + }, + { + "name": "OsFamily", + "type": "string", + "description": "The operating system family, such as macOS." 
+ }, + { + "name": "GroupName", + "type": "string", + "description": "The name of the group associated with the event." + }, + { + "name": "Comments", + "type": "string", + "description": "Any comments associated with the event." + } + ] + } + } + }, + { + "name": "SentinelOneAgents_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "SentinelOneAgents_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "Uuid", + "type": "string", + "description": "The unique identifier for the object." + }, + { + "name": "MitigationMode", + "type": "string", + "description": "The mitigation mode applied." + }, + { + "name": "NetworkStatus", + "type": "string", + "description": "The network status of the object." + }, + { + "name": "InstallerType", + "type": "string", + "description": "The type of installer used." + }, + { + "name": "MitigationModeSuspicious", + "type": "string", + "description": "The suspicious mitigation mode applied." + }, + { + "name": "IsPendingUninstall", + "type": "boolean", + "description": "Indicates whether the object is pending uninstallation." + }, + { + "name": "InRemoteShellSession", + "type": "boolean", + "description": "Indicates whether the object is in a remote shell session." + }, + { + "name": "LastLoggedInUserName", + "type": "string", + "description": "The username of the last logged-in user." + }, + { + "name": "OsRevision", + "type": "string", + "description": "The OS revision." + }, + { + "name": "OsArch", + "type": "string", + "description": "The OS architecture." + }, + { + "name": "Id", + "type": "string", + "description": "The unique identifier for the object." 
+ }, + { + "name": "ComputerName", + "type": "string", + "description": "The name of the computer." + }, + { + "name": "TotalMemory", + "type": "real", + "description": "The total memory available in MB." + }, + { + "name": "CreatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the object was created." + }, + { + "name": "GroupId", + "type": "string", + "description": "The unique identifier for the group." + }, + { + "name": "LastActiveDate", + "type": "datetime", + "description": "The timestamp (UTC) when the object was last active." + }, + { + "name": "FullDiskScanLastUpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the full disk scan was last updated." + }, + { + "name": "AllowRemoteShell", + "type": "boolean", + "description": "Indicates whether remote shell is allowed." + }, + { + "name": "RangerVersion", + "type": "string", + "description": "The version of the ranger." + }, + { + "name": "AccountName", + "type": "string", + "description": "The account name." + }, + { + "name": "ScanStatus", + "type": "string", + "description": "The scan status of the object." + }, + { + "name": "Domain", + "type": "string", + "description": "The domain of the object." + }, + { + "name": "MissingPermissions", + "type": "string", + "description": "Details of the missing permissions." + }, + { + "name": "IsActive", + "type": "boolean", + "description": "Indicates whether the object is active." + }, + { + "name": "GroupIp", + "type": "string", + "description": "The IP address of the group." + }, + { + "name": "ThreatRebootRequired", + "type": "boolean", + "description": "Indicates whether a reboot is required due to a threat." + }, + { + "name": "GroupUpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the group was last updated." + }, + { + "name": "ExternalId", + "type": "string", + "description": "The external identifier associated with the object." 
+ }, + { + "name": "MachineType", + "type": "string", + "description": "The type of machine." + }, + { + "name": "RegisteredAt", + "type": "datetime", + "description": "The timestamp (UTC) when the object was registered." + }, + { + "name": "AppsVulnerabilityStatus", + "type": "string", + "description": "The vulnerability status of the applications." + }, + { + "name": "CoreCount", + "type": "real", + "description": "The number of CPU cores." + }, + { + "name": "Locations", + "type": "string", + "description": "The locations associated with the object." + }, + { + "name": "ScanFinishedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the scan was finished." + }, + { + "name": "UpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the object was last updated." + }, + { + "name": "ExternalIp", + "type": "string", + "description": "The external IP address of the object." + }, + { + "name": "LocationType", + "type": "string", + "description": "The type of location." + }, + { + "name": "PolicyUpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the policy was last updated." + }, + { + "name": "IsDecommissioned", + "type": "boolean", + "description": "Indicates whether the object is decommissioned." + }, + { + "name": "CpuId", + "type": "string", + "description": "The identifier of the CPU." + }, + { + "name": "NetworkInterfaces", + "type": "string", + "description": "Details of the network interfaces." + }, + { + "name": "IsUninstalled", + "type": "boolean", + "description": "Indicates whether the object is uninstalled." + }, + { + "name": "ActiveDirectory", + "type": "string", + "description": "Details about the active directory." + }, + { + "name": "ScanStartedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the scan was started." + }, + { + "name": "RangerStatus", + "type": "string", + "description": "The status of the ranger." 
+ }, + { + "name": "SiteId", + "type": "string", + "description": "The unique identifier for the site." + }, + { + "name": "AgentVersion", + "type": "string", + "description": "The version of the agent." + }, + { + "name": "OsUsername", + "type": "string", + "description": "The username associated with the operating system." + }, + { + "name": "EncryptedApplications", + "type": "boolean", + "description": "Indicates whether the applications are encrypted." + }, + { + "name": "LastIpToMgmt", + "type": "string", + "description": "The last IP address used for management." + }, + { + "name": "CpuCount", + "type": "real", + "description": "The number of CPUs." + }, + { + "name": "ScanAbortedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the scan was aborted." + }, + { + "name": "SiteName", + "type": "string", + "description": "The name of the site." + }, + { + "name": "ActiveThreats", + "type": "real", + "description": "The number of active threats." + }, + { + "name": "Infected", + "type": "boolean", + "description": "Indicates whether the object is infected." + }, + { + "name": "ConsoleMigrationStatus", + "type": "string", + "description": "The status of the console migration." + }, + { + "name": "OsType", + "type": "string", + "description": "The type of operating system." + }, + { + "name": "AccountId", + "type": "string", + "description": "The unique identifier for the account." + }, + { + "name": "GroupName", + "type": "string", + "description": "The name of the group." + }, + { + "name": "OsName", + "type": "string", + "description": "The name of the operating system." + }, + { + "name": "IsUpToDate", + "type": "boolean", + "description": "Indicates whether the object is up to date." + }, + { + "name": "LicenseKey", + "type": "string", + "description": "The license key associated with the object." + }, + { + "name": "UserActionsNeeded", + "type": "string", + "description": "Details of the user actions needed." 
+ }, + { + "name": "ModelName", + "type": "string", + "description": "The model name of the object." + }, + { + "name": "OsStartTime", + "type": "datetime", + "description": "The timestamp (UTC) when the operating system started." + }, + { + "name": "NetworkQuarantineEnabled", + "type": "boolean", + "description": "Is Network Quarantine Enabled on the device." + }, + { + "name": "OperationalStateExpiration", + "type": "string", + "description": "Agent operational state." + }, + { + "name": "RemoteProfilingState", + "type": "string", + "description": "Agent remote profiling state." + } + ] + } + } + }, + { + "name": "SentinelOneAlerts_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "SentinelOneAlerts_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "SourceProcessInfo", + "type": "string", + "description": "Information about the source process." + }, + { + "name": "AlertInfo", + "type": "string", + "description": "Details about the alert." + }, + { + "name": "AgentDetectionInfo", + "type": "string", + "description": "Detection information related to the agent." + }, + { + "name": "RuleInfo", + "type": "string", + "description": "Information regarding the applied rule." + }, + { + "name": "ContainerInfo", + "type": "string", + "description": "Information about the container." + }, + { + "name": "SourceParentProcessInfo", + "type": "string", + "description": "Information about the parent process of the source." + }, + { + "name": "TargetProcessInfo", + "type": "string", + "description": "Details regarding the target process." + }, + { + "name": "KubernetesInfo", + "type": "string", + "description": "Kubernetes-related information." 
+ } + ] + } + } + }, + { + "name": "SentinelOneGroups_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "SentinelOneGroups_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "Creator", + "type": "string", + "description": "The name of the creator." + }, + { + "name": "RegistrationToken", + "type": "string", + "description": "The token used for registration." + }, + { + "name": "IsDefault", + "type": "string", + "description": "Indicates whether this is the default setting." + }, + { + "name": "UpdatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the object was last updated." + }, + { + "name": "TotalAgents", + "type": "string", + "description": "The total number of agents." + }, + { + "name": "Inherits", + "type": "string", + "description": "Indicates whether the object inherits properties." + }, + { + "name": "Name", + "type": "string", + "description": "The name of the object." + }, + { + "name": "Rank", + "type": "real", + "description": "The rank of the object." + }, + { + "name": "FilterName", + "type": "string", + "description": "The name of the filter applied." + }, + { + "name": "GroupType", + "type": "string", + "description": "The type of the object." + }, + { + "name": "Id", + "type": "string", + "description": "The unique identifier for the object." + }, + { + "name": "CreatedAt", + "type": "datetime", + "description": "The timestamp (UTC) when the object was created." + }, + { + "name": "CreatorId", + "type": "string", + "description": "The unique identifier of the creator." + }, + { + "name": "SiteId", + "type": "string", + "description": "The unique identifier of the site." 
+ }, + { + "name": "FilterId", + "type": "string", + "description": "The unique identifier of the filter." + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "SentinelOne", + "title": "SentinelOne", + "publisher": "Microsoft", + "descriptionMarkdown": "The [SentinelOne](https://usea1-nessat.sentinelone.net/api-doc/overview) data connector allows ingesting logs from the SentinelOne API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform. 
It uses the SentinelOne API to fetch logs and it supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance.", + "graphQueries": [ + { + "metricName": "Total activities logs received", + "legend": "SentinelOne Activities Logs", + "baseQuery": "SentinelOneActivities_CL" + }, + { + "metricName": "Total agents logs received", + "legend": "SentinelOne Agents Logs", + "baseQuery": "SentinelOneAgents_CL" + }, + { + "metricName": "Total groups logs received", + "legend": "SentinelOne Groups Logs", + "baseQuery": "SentinelOneGroups_CL" + }, + { + "metricName": "Total threats logs received", + "legend": "SentinelOne Threats Logs", + "baseQuery": "SentinelOneThreats_CL" + }, { - "metricName": "Total data received", - "legend": "SentinelOne_CL", - "baseQuery": "SentinelOne_CL" + "metricName": "Total alerts logs received", + "legend": "SentinelOne Alerts Logs", + "baseQuery": "SentinelOneAlerts_CL" } ], - "dataTypes": [ + "sampleQueries": [ + { + "description": "Get Sample of SentinelOne activities logs", + "query": "SentinelOneActivities_CL| take 10" + }, + { + "description": "Get Sample of SentinelOne groups logs", + "query": "SentinelOneGroups_CL| take 10" + }, + { + "description": "Get Sample of SentinelOne threats logs", + "query": "SentinelOneThreats_CL| take 10" + }, + { + "description": "Get Sample of SentinelOne agents logs", + "query": "SentinelOneAgents_CL| take 10" + }, { - "name": "SentinelOne_CL", - "lastDataReceivedQuery": "SentinelOne_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "description": "Get Sample of SentinelOne alerts logs", + "query": "SentinelOneAlerts_CL| take 10" } ], - "connectivityCriterias": [ + "dataTypes": [ + { + "name": "SentinelOneActivities_CL", + "lastDataReceivedQuery": "SentinelOneActivities_CL\n | where 
TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "SentinelOneAgents_CL", + "lastDataReceivedQuery": "SentinelOneAgents_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "SentinelOneGroups_CL", + "lastDataReceivedQuery": "SentinelOneGroups_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, { - "type": "IsConnectedQuery", - "value": [ - "SentinelOne_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] + "name": "SentinelOneThreats_CL", + "lastDataReceivedQuery": "SentinelOneThreats_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "SentinelOneAlerts_CL", + "lastDataReceivedQuery": "SentinelOneAlerts_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], - "sampleQueries": [ + "connectivityCriteria": [ { - "description": "SentinelOne Events - All Activities.", - "query": "SentinelOne\n | sort by TimeGenerated desc" + "type": "HasDataConnectors", + "value": null } ], "availability": { 
@@ -462,96 +2113,551 @@ "isPreview": false }, "permissions": { + "tenant": null, + "licenses": null, "resourceProvider": [ { "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", + "permissionsDisplayText": "Read and Write permissions are required.", "providerDisplayName": "Workspace", "scope": "Workspace", "requiredPermissions": { - "write": true, "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true + "write": true, + "delete": true, + "action": false } } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - }, - { - "name": "REST API Credentials/permissions", - "description": "**SentinelOneAPIToken** is required. See the documentation to learn more about API on the `https://.sentinelone.net/api-doc/overview`." - } ] }, "instructionSteps": [ { - "description": ">**NOTE:** This connector uses Azure Functions to connect to the SentinelOne API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." - }, + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### Configuration steps for the SentinelOne API \n Follow the instructions to obtain the credentials. 
You can also follow the [guide](https://usea1-nessat.sentinelone.net/docs/en/how-to-automate-api-token-generation.html#how-to-automate-api-token-generation) to generate API key." + } + }, + { + "type": "Markdown", + "parameters": { + "content": "#### 1. Retrieve SentinelOne Management URL\n 1.1. Log in to the SentinelOne [**Management Console**] with Admin user credentials\n 1.2. In the [**Management Console**] copy the URL link above without the URL path." + } + }, + { + "type": "Markdown", + "parameters": { + "content": "#### 2. Retrieve API Token\n 2.1. Log in to the SentinelOne [**Management Console**] with Admin user credentials\n 2.2. In the [**Management Console**], click [**Settings**]\n 2.3. In [**Settings**] view click on [**USERS**].\n 2.4. In the [**USERS**] Page click on [**Service Users**] -> [**Actions**] -> [**Create new service user**].\n 2.5. Choose [**Expiration date**] and [**scope**] (by site) and click on [**Create User**].\n 2.6. Once the [**Service User**] is created copy the [**API Token**] from page and press [**Save**]" + } + }, + { + "parameters": { + "label": "SentinelOne Management URL", + "placeholder": "https://example.sentinelone.net/", + "type": "text", + "name": "managementUrl" + }, + "type": "Textbox" + }, + { + "parameters": { + "label": "API Token", + "placeholder": "API Token", + "type": "password", + "name": "apitoken" + }, + "type": "Textbox" + }, + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ], + "innerSteps": null + } + ], + "isConnectivityCriteriasMatchSome": false + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
+ "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "displayName": "SentinelOne", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": { + "connectorDefinitionName": { + "defaultValue": "SentinelOne", + "type": "string", + "minLength": 1 }, - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SentinelOne and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Parsers/SentinelOne.txt). The function usually takes 10-15 minutes to activate after solution installation/update." 
+ "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" }, + "managementUrl": { + "defaultValue": "managementUrl", + "type": "string", + "minLength": 1 + }, + "apitoken": { + "defaultValue": "apitoken", + "type": "string", + "minLength": 1 + } + }, + "variables": { + "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]" + }, + "resources": [ { - "description": "**STEP 1 - Configuration steps for the SentinelOne API**\n\n Follow the instructions to obtain the credentials.\n\n1. Log in to the SentinelOne Management Console with Admin user credentials.\n2. In the Management Console, click **Settings**.\n3. In the **SETTINGS** view, click **USERS**\n4. Click **New User**.\n5. Enter the information for the new console user.\n5. In Role, select **Admin**.\n6. Click **SAVE**\n7. Save credentials of the new user for using in the data connector." 
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } }, { - "description": "**NOTE :-** Admin access can be delegated using custom roles. Please review SentinelOne [documentation](https://www.sentinelone.com/blog/feature-spotlight-fully-custom-role-based-access-control/) to learn more about custom RBAC." 
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'SentinelOnePoller_activities_created_events')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneActivities_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'activities')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "createdAt__gt": "{_QueryWindowStartTime}", + "createdAt__lt": "{_QueryWindowEndTime}" + }, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "paging": { + "pagingType": "NextPageToken", + "PageSize": "1000", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + "NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": [ + "$.data" + ] + } + } }, { - "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the SentinelOne data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'SentinelOnePoller_agents_created_events')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneAgents_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'agents')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "createdAt__gt": "{_QueryWindowStartTime}", + "createdAt__lt": "{_QueryWindowEndTime}" }, - "type": "CopyableLabel" + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary Key" + "paging": { + "pagingType": "NextPageToken", + "PageSize": "1000", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + "NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": [ + "$.data" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'SentinelOnePoller_agents_updated_events')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": 
"SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneAgents_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'agents')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "updatedAt__gt": "{_QueryWindowStartTime}", + "updatedAt__lt": "{_QueryWindowEndTime}" }, - "type": "CopyableLabel" + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "paging": { + "pagingType": "NextPageToken", + "PageSize": "200", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + "NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": [ + "$.data" + ] } - ] + } }, { - "description": "Use this method for automated deployment of the SentinelOne Audit data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SentinelOneAPI-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-SentinelOneAPI-azuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **SentinelOneAPIToken**, **SentinelOneUrl** `(https://.sentinelone.net)` and deploy. \n4. 
Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", - "title": "Option 1 - Azure Resource Manager (ARM) Template" + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'SentinelOnePoller_alerts_created_events')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneAlerts_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'cloud-detection/alerts')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "createdAt__gt": "{_QueryWindowStartTime}", + "createdAt__lt": "{_QueryWindowEndTime}" + }, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "paging": { + "pagingType": "NextPageToken", + "PageSize": "1000", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + "NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": [ + "$.data" + ] + } + } }, { - "description": "Use the following step-by-step instructions to deploy the SentinelOne Reports data connector manually with Azure Functions (Deployment via Visual Studio Code).", - "title": "Option 2 - Manual Deployment of Azure Functions" + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'SentinelOnePoller_groups_updated_events')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneGroups_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'groups')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "updatedAt__gt": "{_QueryWindowStartTime}", + "updatedAt__lt": "{_QueryWindowEndTime}" + }, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "paging": { + "pagingType": "NextPageToken", + "PageSize": "200", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + "NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": [ + "$.data" + ] + } + } }, { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SentinelOneAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. 
Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. SOneXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." 
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'SentinelOnePoller_threats_created_events')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneThreats_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'threats')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "createdAt__gt": "{_QueryWindowStartTime}", + "createdAt__lt": "{_QueryWindowEndTime}" + }, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "paging": { + "pagingType": "NextPageToken", + "PageSize": "1000", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + "NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": [ + "$.data" + ] + } + } }, { - "description": "**2. Configure the Function App**\n\n 1. In the Function App, select the Function App Name and select **Configuration**.\n\n 2. In the **Application settings** tab, select ** New application setting**.\n\n 3. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\t SentinelOneAPIToken\n\t\t SentinelOneUrl\n\t\t WorkspaceID\n\t\t WorkspaceKey\n\t\t logAnalyticsUri (optional)\n\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n\n 4. Once all application settings have been entered, click **Save**." + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'SentinelOnePoller_threats_updated_events')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SentinelOne", + "dcrConfig": { + "streamName": "Custom-SentinelOneThreats_API", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "SentinelOne API", + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apitoken')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "ApiToken" + }, + "request": { + "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'threats')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "updatedAt__gt": "{_QueryWindowStartTime}", + "updatedAt__lt": "{_QueryWindowEndTime}" + }, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + } + }, + "paging": { + "pagingType": "NextPageToken", + "PageSize": "200", + "PageSizeParameterName": "limit", + "NextPageTokenJsonPath": "$.pagination.nextCursor", + 
"NextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": [ + "$.data" + ] + } + } } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." - } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" } }, { @@ -563,7 +2669,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOne Workbook with template version 3.0.2", + "description": "SentinelOne Workbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -651,7 +2757,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOne Data Parser with template version 3.0.2", + "description": "SentinelOne Data Parser with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
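Review bot: The `apitoken` parameter of the nested ResourcesDataConnector mainTemplate is declared `"type": "string"`, so the SentinelOne token the operator enters through the `password` textbox is kept in cleartext in the ARM deployment record instead of being redacted; unless the CCP packaging requires a plain string here, it should be `"apitoken": { "defaultValue": "apitoken", "type": "securestring", "minLength": 1 }` (`managementUrl` can stay `string`). That token is then sent as `Authorization: ApiToken …` to whatever base URL the operator types, and the placeholder `https://example.sentinelone.net/` ends in a slash that `concat(parameters('managementUrl'), '/web/api/', …)` turns into `//web/api/v2.1/...`, so either the placeholder or Markdown step 1.2 should state that the URL is entered without a trailing slash. Every RestApiPoller in the hunk only issues `GET` requests, yet step 2.5 tells the operator to pick an expiration date and site scope without naming a role; it should add `and assign a read-only (Viewer) role — the connector only performs GET requests` so the service user is least-privilege. The connectorDefinition resource this hunk modifies begins before the hunk, so its outer `properties` block is not visible here.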
@@ -668,7 +2774,7 @@ "displayName": "Parser for SentinelOne", "category": "Microsoft Sentinel Parser", "functionAlias": "SentinelOne", - "query": "let SentinelOne_view = view () { \n SentinelOne_CL\n | extend \n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n AccountId=column_ifexists('accountId_s', ''),\n AccountName=column_ifexists('accountName_s', ''),\n ActivityType=column_ifexists('activityType_d', ''),\n EventCreationTime=column_ifexists('createdAt_t', ''),\n DataAccountName=column_ifexists('data_accountName_s', ''),\n DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),\n DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),\n DataScopeName=column_ifexists('data_scopeName_s', ''),\n DataSiteId=column_ifexists('data_siteId_d', ''),\n DataSiteName=column_ifexists('data_siteName_s', ''),\n SrcUserName=column_ifexists('data_username_s', ''),\n EventId=column_ifexists('id_s', ''),\n EventOriginalMessage=column_ifexists('primaryDescription_s', ''),\n SiteId=column_ifexists('siteId_s', ''),\n SiteName=column_ifexists('siteName_s', ''),\n UpdatedAt=column_ifexists('updatedAt_t', ''),\n UserIdentity=column_ifexists('userId_s', ''),\n EventType=column_ifexists('event_name_s', ''),\n DataByUser=column_ifexists('data_byUser_s', ''),\n DataRole=column_ifexists('data_role_s', ''),\n DataUserScope=column_ifexists('data_userScope_s', ''),\n EventTypeDetailed=column_ifexists('description_s', ''),\n DataSource=column_ifexists('data_source_s', ''),\n DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),\n DataExpiryTime=column_ifexists('data_expiryTime_d', ''),\n DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),\n DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),\n DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),\n DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),\n DataRuleId=column_ifexists('data_ruleId_d', ''),\n 
DataRuleName=column_ifexists('data_ruleName_s', ''),\n DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),\n DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),\n DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),\n DataScopeId=column_ifexists('data_scopeId_d', ''),\n DataStatus=column_ifexists('data_status_s', ''),\n DataSystemUser=column_ifexists('data_systemUser_d', ''),\n DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),\n DataUserId=column_ifexists('data_userId_d', ''),\n DataUserName=column_ifexists('data_userName_s', ''),\n EventSubStatus=column_ifexists('secondaryDescription_s', ''),\n AgentId=column_ifexists('agentId_s', ''),\n DataComputerName=column_ifexists('data_computerName_s', ''),\n DataExternalIp=column_ifexists('data_externalIp_s', ''),\n DataGroupName=column_ifexists('data_groupName_s', ''),\n DataSystem=column_ifexists('data_system_b', ''),\n DataUuid=column_ifexists('data_uuid_g', ''),\n GroupId=column_ifexists('groupId_s', ''),\n GroupName=column_ifexists('groupName_s', ''),\n DataGroup=column_ifexists('data_group_s', ''),\n DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),\n DataCreatedAt=column_ifexists('data_createdAt_t', ''),\n DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),\n DataFilePath=column_ifexists('data_filePath_s', ''),\n DataFilename=column_ifexists('data_filename_s', ''),\n DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),\n Comments=column_ifexists('comments_s', ''),\n DataNewValue=column_ifexists('data_newValue_s', ''),\n DataPolicyId=column_ifexists('data_policy_id_s', ''),\n DataPolicyName=column_ifexists('data_policyName_s', ''),\n DataNewValueb=column_ifexists('data_newValue_b', ''),\n DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),\n DataRoleName=column_ifexists('data_roleName_s', ''),\n DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),\n 
ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),\n ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),\n ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),\n ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),\n ActiveThreats=column_ifexists('activeThreats_d', ''),\n AgentVersion=column_ifexists('agentVersion_s', ''),\n AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),\n AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),\n ComputerName=column_ifexists('computerName_s', ''),\n ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),\n CoreCount=column_ifexists('coreCount_d', ''),\n CpuCount=column_ifexists('cpuCount_d', ''),\n CpuId=column_ifexists('cpuId_s', ''),\n SrcDvcDomain=column_ifexists('domain_s', ''),\n EncryptedApplications=column_ifexists('encryptedApplications_b', ''),\n ExternalId=column_ifexists('externalId_s', ''),\n ExternalIp=column_ifexists('externalIp_s', ''),\n FirewallEnabled=column_ifexists('firewallEnabled_b', ''),\n GroupIp=column_ifexists('groupIp_s', ''),\n InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),\n Infected=column_ifexists('infected_b', ''),\n InstallerType=column_ifexists('installerType_s', ''),\n IsActive=column_ifexists('isActive_b', ''),\n IsDecommissioned=column_ifexists('isDecommissioned_b', ''),\n IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),\n IsUninstalled=column_ifexists('isUninstalled_b', ''),\n IsUpToDate=column_ifexists('isUpToDate_b', ''),\n LastActiveDate=column_ifexists('lastActiveDate_t', ''),\n LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),\n LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),\n LicenseKey=column_ifexists('licenseKey_s', ''),\n LocationEnabled=column_ifexists('locationEnabled_b', ''),\n 
LocationType=column_ifexists('locationType_s', ''),\n Locations=column_ifexists('locations_s', ''),\n MachineType=column_ifexists('machineType_s', ''),\n MitigationMode=column_ifexists('mitigationMode_s', ''),\n MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),\n SrcDvcModelName=column_ifexists('modelName_s', ''),\n NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),\n NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),\n NetworkStatus=column_ifexists('networkStatus_s', ''),\n OperationalState=column_ifexists('operationalState_s', ''),\n OsArch=column_ifexists('osArch_s', ''),\n SrcDvcOs=column_ifexists('osName_s', ''),\n OsRevision=column_ifexists('osRevision_s', ''),\n OsStartTime=column_ifexists('osStartTime_t', ''),\n OsType=column_ifexists('osType_s', ''),\n RangerStatus=column_ifexists('rangerStatus_s', ''),\n RangerVersion=column_ifexists('rangerVersion_s', ''),\n RegisteredAt=column_ifexists('registeredAt_t', ''),\n RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),\n ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),\n ScanStartedAt=column_ifexists('scanStartedAt_t', ''),\n ScanStatus=column_ifexists('scanStatus_s', ''),\n ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),\n TotalMemory=column_ifexists('totalMemory_d', ''),\n UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),\n Uuid=column_ifexists('uuid_g', ''),\n Creator=column_ifexists('creator_s', ''),\n CreatorId=column_ifexists('creatorId_s', ''),\n Inherits=column_ifexists('inherits_b', ''),\n IsDefault=column_ifexists('isDefault_b', ''),\n Name=column_ifexists('name_s', ''),\n RegistrationToken=column_ifexists('registrationToken_s', ''),\n TotalAgents=column_ifexists('totalAgents_d', ''),\n Type=column_ifexists('type_s', '')\n | project\n TimeGenerated, \n EventVendor,\n EventProduct,\n AccountName,\n ActivityType,\n EventCreationTime,\n DataAccountName,\n DataFullScopeDetails,\n 
DataScopeLevel,\n DataScopeName,\n DataSiteId,\n DataSiteName,\n SrcUserName,\n EventId,\n EventOriginalMessage,\n SiteId,\n SiteName,\n UpdatedAt,\n UserIdentity,\n EventType,\n DataByUser,\n DataRole,\n DataUserScope,\n EventTypeDetailed,\n DataSource,\n DataExpiryDateStr,\n DataExpiryTime,\n DataNetworkquarantine,\n DataRuleCreationTime,\n DataRuleDescription,\n DataRuleExpirationMode,\n DataRuleId,\n DataRuleName,\n DataRuleQueryDetails,\n DataRuleQueryType,\n DataRuleSeverity,\n DataScopeId,\n DataStatus,\n DataSystemUser,\n DataTreatasthreat,\n DataUserId,\n DataUserName,\n EventSubStatus,\n AgentId,\n DataComputerName,\n DataExternalIp,\n DataGroupName,\n DataSystem,\n DataUuid,\n GroupId,\n GroupName,\n DataGroup,\n DataOptionalGroups,\n DataCreatedAt,\n DataDownloadUrl,\n DataFilePath,\n DataFilename,\n DataUploadedFilename,\n Comments,\n DataNewValue,\n DataPolicyId,\n DataPolicyName,\n DataNewValueb,\n DataShouldReboot,\n DataRoleName,\n DataScopeLevelName,\n ActiveDirectoryComputerDistinguishedName,\n ActiveDirectoryComputerMemberOf,\n ActiveDirectoryLastUserDistinguishedName,\n ActiveDirectoryLastUserMemberOf,\n ActiveThreats,\n AgentVersion,\n AllowRemoteShell,\n AppsVulnerabilityStatus,\n ComputerName,\n ConsoleMigrationStatus,\n CoreCount,\n CpuCount,\n CpuId,\n SrcDvcDomain,\n EncryptedApplications,\n ExternalId,\n ExternalIp,\n FirewallEnabled,\n GroupIp,\n InRemoteShellSession,\n Infected,\n InstallerType,\n IsActive,\n IsDecommissioned,\n IsPendingUninstall,\n IsUninstalled,\n IsUpToDate,\n LastActiveDate,\n LastIpToMgmt,\n LastLoggedInUserName,\n LicenseKey,\n LocationEnabled,\n LocationType,\n Locations,\n MachineType,\n MitigationMode,\n MitigationModeSuspicious,\n SrcDvcModelName,\n NetworkInterfaces,\n NetworkQuarantineEnabled,\n NetworkStatus,\n OperationalState,\n OsArch,\n SrcDvcOs,\n OsRevision,\n OsStartTime,\n OsType,\n RangerStatus,\n RangerVersion,\n RegisteredAt,\n RemoteProfilingState,\n ScanFinishedAt,\n ScanStartedAt,\n 
ScanStatus,\n ThreatRebootRequired,\n TotalMemory,\n UserActionsNeeded,\n Uuid,\n Creator,\n CreatorId,\n Inherits,\n IsDefault,\n Name,\n RegistrationToken,\n TotalAgents,\n Type\n};\nSentinelOne_view\n",
+ "query": "let SentinelOne_view = view () { \nlet SentinelOneV2_Empty = datatable(\n AccountId:string,\n AccountName:string,\n ActivityType:real ,\n EventCreationTime:datetime,\n DataAccountName:string,\n DataFullScopeDetails:string,\n DataScopeLevel:string,\n DataScopeName:string,\n DataSiteId:int,\n SecondaryDescription:string ,\n DataSiteName:string,\n SourceProcessInfo:string,\n SrcUserName:string,\n EventId:string,\n EventOriginalMessage:string,\n SiteId:string,\n SiteName:string,\n UpdatedAt:datetime ,\n UserIdentity:string,\n EventType:string,\n DataByUser:string,\n DataRole:string,\n DataUserScope:string,\n EventTypeDetailed:string,\n DataSource:string,\n DataExpiryDateStr:string,\n DataExpiryTime:int,\n DataNetworkquarantine:bool,\n DataRuleCreationTime:int,\n DataRuleDescription:string,\n DataRuleExpirationMode:string,\n DataRuleId:int,\n DataRuleName:string,\n DataRuleQueryDetails:string,\n DataRuleQueryType:string,\n DataRuleSeverity:string,\n DataScopeId:int,\n DataStatus:string,\n DataSystemUser:int,\n DataTreatasthreat:string,\n DataUserId:int,\n RuleInfo:string,\n DataUserName:string,\n EventSubStatus:string,\n AgentId:string,\n DataComputerName:string,\n DataExternalIp:string,\n DataGroupName:string,\n DataSystem:bool,\n DataUuid:string,\n GroupId:string,\n GroupName:string,\n DataGroup:string,\n UserId:string ,\n DataOptionalGroups:string,\n DataCreatedAt:string,\n DataDownloadUrl:string,\n DataFilePath:string,\n DataFilename:string,\n DataUploadedFilename:string,\n Comments:string,\n DataNewValue:string,\n DataPolicyId:string,\n DataPolicyName:string,\n DataNewValueb:string,\n DataShouldReboot:bool,\n DataRoleName:string,\n DataScopeLevelName:string,\n ActiveDirectoryComputerDistinguishedName:string,\n ActiveDirectoryComputerMemberOf:string,\n 
ActiveDirectoryLastUserDistinguishedName:string,\n ActiveDirectoryLastUserMemberOf:string,\n ActiveThreats:int,\n AgentVersion:string,\n AllowRemoteShell:bool,\n AppsVulnerabilityStatus:string,\n ComputerName:string,\n ConsoleMigrationStatus:string,\n CoreCount:int,\n CpuCount:int,\n CpuId:string,\n SrcDvcDomain:string,\n EncryptedApplications:bool,\n ExternalId:string,\n ExternalIp:string,\n FirewallEnabled:bool,\n GroupIp:string,\n InRemoteShellSession:bool,\n Infected:bool,\n InstallerType:string,\n IsActive:bool,\n IsDecommissioned:bool,\n IsPendingUninstall:bool,\n IsUninstalled:bool,\n IsUpToDate:bool,\n LastActiveDate:string,\n TargetProcessInfo:string ,\n LastIpToMgmt:string,\n LastLoggedInUserName:string,\n LicenseKey:string,\n LocationEnabled:bool,\n LocationType:string,\n Locations:string,\n MachineType:string,\n MitigationMode:string,\n MitigationModeSuspicious:string,\n SrcDvcModelName:string,\n NetworkInterfaces:string,\n NetworkQuarantineEnabled:bool,\n NetworkStatus:string,\n OperationalState:string,\n OsArch:string,\n SrcDvcOs:string,\n OsRevision:string,\n OsStartTime:datetime ,\n OsType:string,\n RangerStatus:string,\n RangerVersion:string,\n RegisteredAt:string,\n RemoteProfilingState:string,\n ScanFinishedAt:string,\n ScanStartedAt:string,\n ScanStatus:string,\n ThreatRebootRequired:bool,\n TotalMemory:int,\n SourceParentProcessInfo:string ,\n UserActionsNeeded:string,\n Uuid:string,\n Creator:string,\n ContainerInfo:string,\n CreatorId:string,\n Inherits:string ,\n IsDefault:string ,\n Name:string,\n RegistrationToken:string,\n AlertInfo:string,\n PrimaryDescription:string ,\n TotalAgents:real ,\n CreatedAt:datetime ,\n Id:string,\n Type:string\n )[]; \n let SentinelOneV1_Empty = datatable (\n accountId_s:string,\n accountName_s:string,\n activityType_d:real,\n createdAt_t:datetime ,\n data_accountName_s:string,\n data_fullScopeDetails_s:string,\n data_scopeLevel_s:string,\n data_scopeName_s:string,\n data_siteId_d:int,\n 
data_siteName_s:string,\n data_username_s:string,\n id_s:string,\n primaryDescription_s:string,\n siteId_s:string,\n siteName_s:string,\n updatedAt_t:datetime ,\n userId_s:string,\n event_name_s:string,\n data_byUser_s:string,\n data_role_s:string,\n data_userScope_s:string,\n description_s:string,\n data_source_s:string,\n data_expiryDateStr_s:string,\n data_expiryTime_d:int,\n data_networkquarantine_b:bool,\n data_ruleCreationTime_d:int,\n data_ruleDescription_s:string,\n data_ruleExpirationMode_s:string,\n data_ruleId_d:int,\n data_ruleName_s:string,\n data_ruleQueryDetails_s:string,\n data_ruleQueryType_s:string,\n data_ruleSeverity_s:string,\n data_scopeId_d:int,\n data_status_s:string,\n data_systemUser_d:int,\n data_treatasthreat_s:string,\n data_userId_d:int,\n data_userName_s:string,\n secondaryDescription_s:string,\n agentId_s:string,\n data_computerName_s:string,\n data_externalIp_s:string,\n data_groupName_s:string,\n data_system_b:bool,\n data_uuid_g:string,\n groupId_s:string,\n groupName_s:string,\n data_group_s:string,\n data_optionalGroups_s:string,\n data_createdAt_t:string,\n data_downloadUrl_s:string,\n data_filePath_s:string,\n data_filename_s:string,\n data_uploadedFilename_s:string,\n comments_s:string,\n data_newValue_s:string,\n data_policy_id_s:string,\n data_policyName_s:string,\n data_newValue_b:bool,\n data_shouldReboot_b:bool,\n data_roleName_s:string,\n data_scopeLevelName_s:string,\n activeDirectory_computerDistinguishedName_s:string,\n activeDirectory_computerMemberOf_s:string,\n activeDirectory_lastUserDistinguishedName_s:string,\n activeDirectory_lastUserMemberOf_s:string,\n activeThreats_d:real,\n agentVersion_s:string,\n allowRemoteShell_b:bool,\n appsVulnerabilityStatus_s:string,\n computerName_s:string,\n consoleMigrationStatus_s:string,\n coreCount_d:real,\n cpuCount_d:real ,\n cpuId_s:string,\n domain_s:string,\n encryptedApplications_b:bool,\n externalId_s:string,\n externalIp_s:string,\n firewallEnabled_b:bool,\n 
groupIp_s:string,\n inRemoteShellSession_b:bool,\n infected_b:bool,\n installerType_s:string,\n isActive_b:bool,\n isDecommissioned_b:bool,\n isPendingUninstall_b:bool,\n isUninstalled_b:bool,\n isUpToDate_b:bool,\n lastActiveDate_t:string,\n lastIpToMgmt_s:string,\n lastLoggedInUserName_s:string,\n licenseKey_s:string,\n locationEnabled_b:bool,\n locationType_s:string,\n locations_s:string,\n machineType_s:string,\n mitigationMode_s:string,\n mitigationModeSuspicious_s:string,\n modelName_s:string,\n networkInterfaces_s:string,\n networkQuarantineEnabled_b:bool,\n networkStatus_s:string,\n operationalState_s:string,\n osArch_s:string,\n osName_s:string,\n osRevision_s:string,\n osStartTime_t:datetime ,\n osType_s:string,\n rangerStatus_s:string,\n rangerVersion_s:string,\n registeredAt_t:string,\n remoteProfilingState_s:string,\n scanFinishedAt_t:string,\n scanStartedAt_t:string,\n scanStatus_s:string,\n threatRebootRequired_b:bool,\n totalMemory_d:real ,\n userActionsNeeded_s:string,\n uuid_g:string,\n creator_s:string,\n creatorId_s:string,\n inherits_b:string ,\n isDefault_b:string ,\n name_s:string,\n registrationToken_s:string,\n totalAgents_d:real ,\n type_s:string\n )[];\n let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty\n | extend \n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n AccountId=column_ifexists('accountId_s', ''),\n AccountName=column_ifexists('accountName_s', ''),\n ActivityType=toreal(column_ifexists('activityType_d', '')),\n EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')),\n DataAccountName=column_ifexists('data_accountName_s', ''),\n DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),\n DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),\n DataScopeName=column_ifexists('data_scopeName_s', ''),\n DataSiteId=column_ifexists('data_siteId_d', ''),\n DataSiteName=column_ifexists('data_siteName_s', ''),\n 
SrcUserName=column_ifexists('data_username_s', ''),\n EventId=column_ifexists('id_s', ''),\n EventOriginalMessage=column_ifexists('primaryDescription_s', ''),\n PrimaryDescription=column_ifexists('primaryDescription_s', ''),\n SiteId=column_ifexists('siteId_s', ''),\n SiteName=column_ifexists('siteName_s', ''),\n UpdatedAt=column_ifexists('updatedAt_t', ''),\n UserIdentity=column_ifexists('userId_s', ''),\n UserId=column_ifexists('userId_s', ''),\n EventType=column_ifexists('event_name_s', ''),\n DataByUser=column_ifexists('data_byUser_s', ''),\n DataRole=column_ifexists('data_role_s', ''),\n DataUserScope=column_ifexists('data_userScope_s', ''),\n EventTypeDetailed=column_ifexists('description_s', ''),\n DataSource=column_ifexists('data_source_s', ''),\n DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),\n DataExpiryTime=column_ifexists('data_expiryTime_d', ''),\n DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),\n DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),\n DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),\n DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),\n DataRuleId=column_ifexists('data_ruleId_d', ''),\n DataRuleName=column_ifexists('data_ruleName_s', ''),\n DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),\n DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),\n DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),\n DataScopeId=column_ifexists('data_scopeId_d', ''),\n Id=column_ifexists('id_s', ''),\n DataStatus=column_ifexists('data_status_s', ''),\n DataSystemUser=column_ifexists('data_systemUser_d', ''),\n DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),\n DataUserId=column_ifexists('data_userId_d', ''),\n DataUserName=column_ifexists('data_userName_s', ''),\n EventSubStatus=column_ifexists('secondaryDescription_s', ''),\n SecondaryDescription=column_ifexists('secondaryDescription_s', ''),\n 
AgentId=column_ifexists('agentId_s', ''),\n DataComputerName=column_ifexists('data_computerName_s', ''),\n DataExternalIp=column_ifexists('data_externalIp_s', ''),\n DataGroupName=column_ifexists('data_groupName_s', ''),\n DataSystem=column_ifexists('data_system_b', ''),\n DataUuid=column_ifexists('data_uuid_g', ''),\n GroupId=column_ifexists('groupId_s', ''),\n GroupName=column_ifexists('groupName_s', ''),\n DataGroup=column_ifexists('data_group_s', ''),\n DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),\n DataCreatedAt=column_ifexists('data_createdAt_t', ''),\n DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),\n DataFilePath=column_ifexists('data_filePath_s', ''),\n DataFilename=column_ifexists('data_filename_s', ''),\n DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),\n Comments=column_ifexists('comments_s', ''),\n DataNewValue=column_ifexists('data_newValue_s', ''),\n DataPolicyId=column_ifexists('data_policy_id_s', ''),\n DataPolicyName=column_ifexists('data_policyName_s', ''),\n DataNewValueb=column_ifexists('data_newValue_b', ''),\n DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),\n DataRoleName=column_ifexists('data_roleName_s', ''),\n DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),\n ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),\n ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),\n ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),\n ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),\n ActiveThreats=column_ifexists('activeThreats_d', ''),\n AgentVersion=column_ifexists('agentVersion_s', ''),\n AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),\n AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),\n ComputerName=column_ifexists('computerName_s', ''),\n 
ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),\n CoreCount=column_ifexists('coreCount_d', ''),\n CpuCount=column_ifexists('cpuCount_d', ''),\n CpuId=column_ifexists('cpuId_s', ''),\n SrcDvcDomain=column_ifexists('domain_s', ''),\n EncryptedApplications=column_ifexists('encryptedApplications_b', ''),\n ExternalId=column_ifexists('externalId_s', ''),\n ExternalIp=column_ifexists('externalIp_s', ''),\n FirewallEnabled=column_ifexists('firewallEnabled_b', ''),\n GroupIp=column_ifexists('groupIp_s', ''),\n InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),\n Infected=column_ifexists('infected_b', ''),\n InstallerType=column_ifexists('installerType_s', ''),\n IsActive=column_ifexists('isActive_b', ''),\n IsDecommissioned=column_ifexists('isDecommissioned_b', ''),\n IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),\n IsUninstalled=column_ifexists('isUninstalled_b', ''),\n IsUpToDate=column_ifexists('isUpToDate_b', ''),\n LastActiveDate=column_ifexists('lastActiveDate_t', ''),\n LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),\n LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),\n LicenseKey=column_ifexists('licenseKey_s', ''),\n LocationEnabled=column_ifexists('locationEnabled_b', ''),\n LocationType=column_ifexists('locationType_s', ''),\n Locations=column_ifexists('locations_s', ''),\n MachineType=column_ifexists('machineType_s', ''),\n MitigationMode=column_ifexists('mitigationMode_s', ''),\n MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),\n SrcDvcModelName=column_ifexists('modelName_s', ''),\n NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),\n NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),\n NetworkStatus=column_ifexists('networkStatus_s', ''),\n OperationalState=column_ifexists('operationalState_s', ''),\n OsArch=column_ifexists('osArch_s', ''),\n SrcDvcOs=column_ifexists('osName_s', ''),\n 
OsRevision=column_ifexists('osRevision_s', ''),\n OsStartTime=column_ifexists('osStartTime_t', ''),\n OsType=column_ifexists('osType_s', ''),\n RangerStatus=column_ifexists('rangerStatus_s', ''),\n RangerVersion=column_ifexists('rangerVersion_s', ''),\n RegisteredAt=column_ifexists('registeredAt_t', ''),\n RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),\n ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),\n ScanStartedAt=column_ifexists('scanStartedAt_t', ''),\n ScanStatus=column_ifexists('scanStatus_s', ''),\n ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),\n TotalMemory=column_ifexists('totalMemory_d', ''),\n UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),\n Uuid=column_ifexists('uuid_g', ''),\n Creator=column_ifexists('creator_s', ''),\n CreatedAt=column_ifexists('createdAt_t',''),\n CreatorId=column_ifexists('creatorId_s', ''),\n Inherits=column_ifexists('inherits_b', ''),\n IsDefault=column_ifexists('isDefault_b', ''),\n Name=column_ifexists('name_s', ''),\n RegistrationToken=column_ifexists('registrationToken_s', ''),\n TotalAgents=column_ifexists('totalAgents_d', ''),\n Type=column_ifexists('type_s', '');\n union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union\n | extend \n ActivityType,\n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n DataAccountName=tostring(parse_json(todynamic(Data)).accountName),\n DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails),\n DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel),\n DataScopeName=tostring(parse_json(todynamic(Data)).scopeName),\n DataSiteId=tostring(parse_json(todynamic(Data)).siteId),\n DataSiteName=tostring(parse_json(todynamic(Data)).siteName),\n SrcUserName=tostring(parse_json(todynamic(Data)).userName),\n EventId=Id,\n SourceParentProcessInfo,\n EventOriginalMessage=PrimaryDescription,\n 
UserIdentity=UserId,\n EventTypeDetailed=Description,\n DataRuleId=tostring(parse_json(todynamic(Data)).ruleId),\n DataRuleName=tostring(parse_json(todynamic(Data)).rulename),\n DataScopeId=tostring(parse_json(todynamic(Data)).scopeId),\n DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser),\n DataUserId=tostring(parse_json(todynamic(Data)).userId),\n DataUserName=tostring(parse_json(todynamic(Data)).userName),\n EventSubStatus=SecondaryDescription,\n DataComputerName=tostring(parse_json(todynamic(Data)).computerName),\n DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp),\n DataGroupName=tostring(parse_json(todynamic(Data)).groupName),\n DataStatus=tostring(parse_json(todynamic(Data)).status),\n DataByUser=tostring(parse_json(todynamic(Data)).byUser),\n DataRole=tostring(parse_json(todynamic(Data)).role),\n DataUserScope=tostring(parse_json(todynamic(Data)).userScope),\n DataSource=tostring(parse_json(todynamic(Data)).source),\n DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr),\n DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime),\n DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine),\n DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime),\n DataUuid=Uuid,\n DataGroup=tostring(parse_json(todynamic(Data)).group),\n DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription),\n EventType=tostring(parse_json(todynamic(AlertInfo)).eventType),\n DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode),\n DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails),\n DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType),\n DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity),\n DataSystem=tostring(parse_json(todynamic(Data)).system),\n DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups),\n DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt),\n 
DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl),\n DataFilePath=tostring(parse_json(todynamic(Data)).filePath),\n DataFilename=tostring(parse_json(todynamic(Data)).filename),\n DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename),\n DataNewValue=tostring(parse_json(todynamic(Data)).newValue),\n DataPolicyId=tostring(parse_json(todynamic(Data)).policyId),\n DataPolicyName=tostring(parse_json(todynamic(Data)).policyName),\n DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot),\n DataRoleName=tostring(parse_json(todynamic(Data)).roleName),\n DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName),\n ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName),\n ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf),\n ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName),\n ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf),\n SrcDvcDomain=Domain,\n AlertInfo,\n FirewallEnabled=column_ifexists('FirewallEnabled',''),\n LocationEnabled=column_ifexists('LocationEnabled',''),\n SrcDvcModelName=ModelName,\n NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''),\n SrcDvcOs=OsName,\n SourceProcessInfo,\n RuleInfo,\n TargetProcessInfo,\n ContainerInfo,\n EventCreationTime=CreatedAt,\n RemoteProfilingState=column_ifexists('RemoteProfilingState','')\n | project\n TimeGenerated, \n EventVendor,\n EventProduct,\n AccountName,\n SourceParentProcessInfo,\n TargetProcessInfo,\n ActivityType,\n EventCreationTime,\n DataAccountName,\n DataFullScopeDetails,\n DataScopeLevel,\n DataScopeName,\n DataSiteId,\n SourceProcessInfo,\n DataSiteName,\n SrcUserName,\n EventId,\n EventOriginalMessage,\n SiteId,\n SiteName,\n UpdatedAt,\n UserIdentity,\n EventType,\n DataByUser,\n DataRole,\n 
DataUserScope,\n EventTypeDetailed,\n DataSource,\n DataExpiryDateStr,\n DataExpiryTime,\n DataNetworkquarantine,\n DataRuleCreationTime,\n DataRuleDescription,\n DataRuleExpirationMode,\n DataRuleId,\n DataRuleName,\n DataRuleQueryDetails,\n DataRuleQueryType,\n DataRuleSeverity,\n DataScopeId,\n DataStatus,\n DataSystemUser,\n DataTreatasthreat,\n DataUserId,\n DataUserName,\n EventSubStatus,\n AgentId,\n DataComputerName,\n DataExternalIp,\n DataGroupName,\n DataSystem,\n DataUuid,\n GroupId,\n GroupName,\n DataGroup,\n DataOptionalGroups,\n DataCreatedAt,\n DataDownloadUrl,\n DataFilePath,\n DataFilename,\n DataUploadedFilename,\n Comments,\n DataNewValue,\n DataPolicyId,\n DataPolicyName,\n DataNewValueb,\n DataShouldReboot,\n DataRoleName,\n DataScopeLevelName,\n ActiveDirectoryComputerDistinguishedName,\n ActiveDirectoryComputerMemberOf,\n ActiveDirectoryLastUserDistinguishedName,\n ActiveDirectoryLastUserMemberOf,\n ActiveThreats=toreal(activeThreats_d),\n AgentVersion,\n AllowRemoteShell,\n AppsVulnerabilityStatus,\n ComputerName,\n ConsoleMigrationStatus,\n CoreCount=toreal(coreCount_d),\n CpuCount=toreal(cpuCount_d),\n CpuId,\n SrcDvcDomain,\n EncryptedApplications,\n ExternalId,\n ExternalIp,\n FirewallEnabled,\n GroupIp,\n InRemoteShellSession,\n Infected,\n InstallerType,\n IsActive,\n IsDecommissioned,\n IsPendingUninstall,\n IsUninstalled,\n IsUpToDate,\n LastActiveDate=tostring(LastActiveDate_datetime),\n LastIpToMgmt,\n LastLoggedInUserName,\n LicenseKey,\n LocationEnabled,\n LocationType,\n Locations,\n MachineType,\n MitigationMode,\n MitigationModeSuspicious,\n SrcDvcModelName,\n NetworkInterfaces,\n NetworkQuarantineEnabled,\n NetworkStatus,\n OperationalState,\n OsArch,\n SrcDvcOs,\n OsRevision,\n OsStartTime,\n OsType,\n RangerStatus,\n RangerVersion,\n RegisteredAt=tostring(RegisteredAt_datetime),\n RemoteProfilingState,\n ScanFinishedAt=tostring(ScanFinishedAt_datetime),\n ScanStartedAt=tostring(ScanStartedAt_datetime),\n ScanStatus,\n 
ThreatRebootRequired,\n TotalMemory=toreal(totalMemory_d),\n UserActionsNeeded,\n Uuid,\n Creator,\n CreatorId,\n Inherits,\n IsDefault,\n Name,\n AlertInfo,\n RuleInfo,\n ContainerInfo,\n RegistrationToken,\n TotalAgents=totalAgents_d,\n Type;\n };\n SentinelOne_view\n",
 "functionParameters": "",
 "version": 2,
 "tags": [
@@ -718,8 +2824,8 @@
 "contentId": "[variables('parserObject1').parserContentId1]",
 "contentKind": "Parser",
 "displayName": "Parser for SentinelOne",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.1')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.1')))]",
 "version": "[variables('parserObject1').parserVersion1]"
 }
 },
@@ -733,7 +2839,7 @@
 "displayName": "Parser for SentinelOne",
 "category": "Microsoft Sentinel Parser",
 "functionAlias": "SentinelOne",
- "query": "let SentinelOne_view = view () { \n SentinelOne_CL\n | extend \n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n AccountId=column_ifexists('accountId_s', ''),\n AccountName=column_ifexists('accountName_s', ''),\n ActivityType=column_ifexists('activityType_d', ''),\n EventCreationTime=column_ifexists('createdAt_t', ''),\n DataAccountName=column_ifexists('data_accountName_s', ''),\n DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),\n DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),\n DataScopeName=column_ifexists('data_scopeName_s', ''),\n DataSiteId=column_ifexists('data_siteId_d', ''),\n DataSiteName=column_ifexists('data_siteName_s', ''),\n SrcUserName=column_ifexists('data_username_s', ''),\n EventId=column_ifexists('id_s', ''),\n EventOriginalMessage=column_ifexists('primaryDescription_s', ''),\n SiteId=column_ifexists('siteId_s', ''),\n SiteName=column_ifexists('siteName_s', ''),\n UpdatedAt=column_ifexists('updatedAt_t', ''),\n UserIdentity=column_ifexists('userId_s', ''),\n EventType=column_ifexists('event_name_s', ''),\n DataByUser=column_ifexists('data_byUser_s', ''),\n DataRole=column_ifexists('data_role_s', ''),\n DataUserScope=column_ifexists('data_userScope_s', ''),\n EventTypeDetailed=column_ifexists('description_s', ''),\n DataSource=column_ifexists('data_source_s', ''),\n DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),\n DataExpiryTime=column_ifexists('data_expiryTime_d', ''),\n DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),\n DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),\n DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),\n DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),\n DataRuleId=column_ifexists('data_ruleId_d', ''),\n 
DataRuleName=column_ifexists('data_ruleName_s', ''),\n DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),\n DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),\n DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),\n DataScopeId=column_ifexists('data_scopeId_d', ''),\n DataStatus=column_ifexists('data_status_s', ''),\n DataSystemUser=column_ifexists('data_systemUser_d', ''),\n DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),\n DataUserId=column_ifexists('data_userId_d', ''),\n DataUserName=column_ifexists('data_userName_s', ''),\n EventSubStatus=column_ifexists('secondaryDescription_s', ''),\n AgentId=column_ifexists('agentId_s', ''),\n DataComputerName=column_ifexists('data_computerName_s', ''),\n DataExternalIp=column_ifexists('data_externalIp_s', ''),\n DataGroupName=column_ifexists('data_groupName_s', ''),\n DataSystem=column_ifexists('data_system_b', ''),\n DataUuid=column_ifexists('data_uuid_g', ''),\n GroupId=column_ifexists('groupId_s', ''),\n GroupName=column_ifexists('groupName_s', ''),\n DataGroup=column_ifexists('data_group_s', ''),\n DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),\n DataCreatedAt=column_ifexists('data_createdAt_t', ''),\n DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),\n DataFilePath=column_ifexists('data_filePath_s', ''),\n DataFilename=column_ifexists('data_filename_s', ''),\n DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),\n Comments=column_ifexists('comments_s', ''),\n DataNewValue=column_ifexists('data_newValue_s', ''),\n DataPolicyId=column_ifexists('data_policy_id_s', ''),\n DataPolicyName=column_ifexists('data_policyName_s', ''),\n DataNewValueb=column_ifexists('data_newValue_b', ''),\n DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),\n DataRoleName=column_ifexists('data_roleName_s', ''),\n DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),\n 
ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),\n ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),\n ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),\n ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),\n ActiveThreats=column_ifexists('activeThreats_d', ''),\n AgentVersion=column_ifexists('agentVersion_s', ''),\n AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),\n AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),\n ComputerName=column_ifexists('computerName_s', ''),\n ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),\n CoreCount=column_ifexists('coreCount_d', ''),\n CpuCount=column_ifexists('cpuCount_d', ''),\n CpuId=column_ifexists('cpuId_s', ''),\n SrcDvcDomain=column_ifexists('domain_s', ''),\n EncryptedApplications=column_ifexists('encryptedApplications_b', ''),\n ExternalId=column_ifexists('externalId_s', ''),\n ExternalIp=column_ifexists('externalIp_s', ''),\n FirewallEnabled=column_ifexists('firewallEnabled_b', ''),\n GroupIp=column_ifexists('groupIp_s', ''),\n InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),\n Infected=column_ifexists('infected_b', ''),\n InstallerType=column_ifexists('installerType_s', ''),\n IsActive=column_ifexists('isActive_b', ''),\n IsDecommissioned=column_ifexists('isDecommissioned_b', ''),\n IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),\n IsUninstalled=column_ifexists('isUninstalled_b', ''),\n IsUpToDate=column_ifexists('isUpToDate_b', ''),\n LastActiveDate=column_ifexists('lastActiveDate_t', ''),\n LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),\n LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),\n LicenseKey=column_ifexists('licenseKey_s', ''),\n LocationEnabled=column_ifexists('locationEnabled_b', ''),\n 
LocationType=column_ifexists('locationType_s', ''),\n Locations=column_ifexists('locations_s', ''),\n MachineType=column_ifexists('machineType_s', ''),\n MitigationMode=column_ifexists('mitigationMode_s', ''),\n MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),\n SrcDvcModelName=column_ifexists('modelName_s', ''),\n NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),\n NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),\n NetworkStatus=column_ifexists('networkStatus_s', ''),\n OperationalState=column_ifexists('operationalState_s', ''),\n OsArch=column_ifexists('osArch_s', ''),\n SrcDvcOs=column_ifexists('osName_s', ''),\n OsRevision=column_ifexists('osRevision_s', ''),\n OsStartTime=column_ifexists('osStartTime_t', ''),\n OsType=column_ifexists('osType_s', ''),\n RangerStatus=column_ifexists('rangerStatus_s', ''),\n RangerVersion=column_ifexists('rangerVersion_s', ''),\n RegisteredAt=column_ifexists('registeredAt_t', ''),\n RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),\n ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),\n ScanStartedAt=column_ifexists('scanStartedAt_t', ''),\n ScanStatus=column_ifexists('scanStatus_s', ''),\n ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),\n TotalMemory=column_ifexists('totalMemory_d', ''),\n UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),\n Uuid=column_ifexists('uuid_g', ''),\n Creator=column_ifexists('creator_s', ''),\n CreatorId=column_ifexists('creatorId_s', ''),\n Inherits=column_ifexists('inherits_b', ''),\n IsDefault=column_ifexists('isDefault_b', ''),\n Name=column_ifexists('name_s', ''),\n RegistrationToken=column_ifexists('registrationToken_s', ''),\n TotalAgents=column_ifexists('totalAgents_d', ''),\n Type=column_ifexists('type_s', '')\n | project\n TimeGenerated, \n EventVendor,\n EventProduct,\n AccountName,\n ActivityType,\n EventCreationTime,\n DataAccountName,\n DataFullScopeDetails,\n 
DataScopeLevel,\n DataScopeName,\n DataSiteId,\n DataSiteName,\n SrcUserName,\n EventId,\n EventOriginalMessage,\n SiteId,\n SiteName,\n UpdatedAt,\n UserIdentity,\n EventType,\n DataByUser,\n DataRole,\n DataUserScope,\n EventTypeDetailed,\n DataSource,\n DataExpiryDateStr,\n DataExpiryTime,\n DataNetworkquarantine,\n DataRuleCreationTime,\n DataRuleDescription,\n DataRuleExpirationMode,\n DataRuleId,\n DataRuleName,\n DataRuleQueryDetails,\n DataRuleQueryType,\n DataRuleSeverity,\n DataScopeId,\n DataStatus,\n DataSystemUser,\n DataTreatasthreat,\n DataUserId,\n DataUserName,\n EventSubStatus,\n AgentId,\n DataComputerName,\n DataExternalIp,\n DataGroupName,\n DataSystem,\n DataUuid,\n GroupId,\n GroupName,\n DataGroup,\n DataOptionalGroups,\n DataCreatedAt,\n DataDownloadUrl,\n DataFilePath,\n DataFilename,\n DataUploadedFilename,\n Comments,\n DataNewValue,\n DataPolicyId,\n DataPolicyName,\n DataNewValueb,\n DataShouldReboot,\n DataRoleName,\n DataScopeLevelName,\n ActiveDirectoryComputerDistinguishedName,\n ActiveDirectoryComputerMemberOf,\n ActiveDirectoryLastUserDistinguishedName,\n ActiveDirectoryLastUserMemberOf,\n ActiveThreats,\n AgentVersion,\n AllowRemoteShell,\n AppsVulnerabilityStatus,\n ComputerName,\n ConsoleMigrationStatus,\n CoreCount,\n CpuCount,\n CpuId,\n SrcDvcDomain,\n EncryptedApplications,\n ExternalId,\n ExternalIp,\n FirewallEnabled,\n GroupIp,\n InRemoteShellSession,\n Infected,\n InstallerType,\n IsActive,\n IsDecommissioned,\n IsPendingUninstall,\n IsUninstalled,\n IsUpToDate,\n LastActiveDate,\n LastIpToMgmt,\n LastLoggedInUserName,\n LicenseKey,\n LocationEnabled,\n LocationType,\n Locations,\n MachineType,\n MitigationMode,\n MitigationModeSuspicious,\n SrcDvcModelName,\n NetworkInterfaces,\n NetworkQuarantineEnabled,\n NetworkStatus,\n OperationalState,\n OsArch,\n SrcDvcOs,\n OsRevision,\n OsStartTime,\n OsType,\n RangerStatus,\n RangerVersion,\n RegisteredAt,\n RemoteProfilingState,\n ScanFinishedAt,\n ScanStartedAt,\n 
ScanStatus,\n ThreatRebootRequired,\n TotalMemory,\n UserActionsNeeded,\n Uuid,\n Creator,\n CreatorId,\n Inherits,\n IsDefault,\n Name,\n RegistrationToken,\n TotalAgents,\n Type\n};\nSentinelOne_view\n", + "query": "let SentinelOne_view = view () { \nlet SentinelOneV2_Empty = datatable(\n AccountId:string,\n AccountName:string,\n ActivityType:real ,\n EventCreationTime:datetime,\n DataAccountName:string,\n DataFullScopeDetails:string,\n DataScopeLevel:string,\n DataScopeName:string,\n DataSiteId:int,\n SecondaryDescription:string ,\n DataSiteName:string,\n SourceProcessInfo:string,\n SrcUserName:string,\n EventId:string,\n EventOriginalMessage:string,\n SiteId:string,\n SiteName:string,\n UpdatedAt:datetime ,\n UserIdentity:string,\n EventType:string,\n DataByUser:string,\n DataRole:string,\n DataUserScope:string,\n EventTypeDetailed:string,\n DataSource:string,\n DataExpiryDateStr:string,\n DataExpiryTime:int,\n DataNetworkquarantine:bool,\n DataRuleCreationTime:int,\n DataRuleDescription:string,\n DataRuleExpirationMode:string,\n DataRuleId:int,\n DataRuleName:string,\n DataRuleQueryDetails:string,\n DataRuleQueryType:string,\n DataRuleSeverity:string,\n DataScopeId:int,\n DataStatus:string,\n DataSystemUser:int,\n DataTreatasthreat:string,\n DataUserId:int,\n RuleInfo:string,\n DataUserName:string,\n EventSubStatus:string,\n AgentId:string,\n DataComputerName:string,\n DataExternalIp:string,\n DataGroupName:string,\n DataSystem:bool,\n DataUuid:string,\n GroupId:string,\n GroupName:string,\n DataGroup:string,\n UserId:string ,\n DataOptionalGroups:string,\n DataCreatedAt:string,\n DataDownloadUrl:string,\n DataFilePath:string,\n DataFilename:string,\n DataUploadedFilename:string,\n Comments:string,\n DataNewValue:string,\n DataPolicyId:string,\n DataPolicyName:string,\n DataNewValueb:string,\n DataShouldReboot:bool,\n DataRoleName:string,\n DataScopeLevelName:string,\n ActiveDirectoryComputerDistinguishedName:string,\n ActiveDirectoryComputerMemberOf:string,\n 
ActiveDirectoryLastUserDistinguishedName:string,\n ActiveDirectoryLastUserMemberOf:string,\n ActiveThreats:int,\n AgentVersion:string,\n AllowRemoteShell:bool,\n AppsVulnerabilityStatus:string,\n ComputerName:string,\n ConsoleMigrationStatus:string,\n CoreCount:int,\n CpuCount:int,\n CpuId:string,\n SrcDvcDomain:string,\n EncryptedApplications:bool,\n ExternalId:string,\n ExternalIp:string,\n FirewallEnabled:bool,\n GroupIp:string,\n InRemoteShellSession:bool,\n Infected:bool,\n InstallerType:string,\n IsActive:bool,\n IsDecommissioned:bool,\n IsPendingUninstall:bool,\n IsUninstalled:bool,\n IsUpToDate:bool,\n LastActiveDate:string,\n TargetProcessInfo:string ,\n LastIpToMgmt:string,\n LastLoggedInUserName:string,\n LicenseKey:string,\n LocationEnabled:bool,\n LocationType:string,\n Locations:string,\n MachineType:string,\n MitigationMode:string,\n MitigationModeSuspicious:string,\n SrcDvcModelName:string,\n NetworkInterfaces:string,\n NetworkQuarantineEnabled:bool,\n NetworkStatus:string,\n OperationalState:string,\n OsArch:string,\n SrcDvcOs:string,\n OsRevision:string,\n OsStartTime:datetime ,\n OsType:string,\n RangerStatus:string,\n RangerVersion:string,\n RegisteredAt:string,\n RemoteProfilingState:string,\n ScanFinishedAt:string,\n ScanStartedAt:string,\n ScanStatus:string,\n ThreatRebootRequired:bool,\n TotalMemory:int,\n SourceParentProcessInfo:string ,\n UserActionsNeeded:string,\n Uuid:string,\n Creator:string,\n ContainerInfo:string,\n CreatorId:string,\n Inherits:string ,\n IsDefault:string ,\n Name:string,\n RegistrationToken:string,\n AlertInfo:string,\n PrimaryDescription:string ,\n TotalAgents:real ,\n CreatedAt:datetime ,\n Id:string,\n Type:string\n )[]; \n let SentinelOneV1_Empty = datatable (\n accountId_s:string,\n accountName_s:string,\n activityType_d:real,\n createdAt_t:datetime ,\n data_accountName_s:string,\n data_fullScopeDetails_s:string,\n data_scopeLevel_s:string,\n data_scopeName_s:string,\n data_siteId_d:int,\n 
data_siteName_s:string,\n data_username_s:string,\n id_s:string,\n primaryDescription_s:string,\n siteId_s:string,\n siteName_s:string,\n updatedAt_t:datetime ,\n userId_s:string,\n event_name_s:string,\n data_byUser_s:string,\n data_role_s:string,\n data_userScope_s:string,\n description_s:string,\n data_source_s:string,\n data_expiryDateStr_s:string,\n data_expiryTime_d:int,\n data_networkquarantine_b:bool,\n data_ruleCreationTime_d:int,\n data_ruleDescription_s:string,\n data_ruleExpirationMode_s:string,\n data_ruleId_d:int,\n data_ruleName_s:string,\n data_ruleQueryDetails_s:string,\n data_ruleQueryType_s:string,\n data_ruleSeverity_s:string,\n data_scopeId_d:int,\n data_status_s:string,\n data_systemUser_d:int,\n data_treatasthreat_s:string,\n data_userId_d:int,\n data_userName_s:string,\n secondaryDescription_s:string,\n agentId_s:string,\n data_computerName_s:string,\n data_externalIp_s:string,\n data_groupName_s:string,\n data_system_b:bool,\n data_uuid_g:string,\n groupId_s:string,\n groupName_s:string,\n data_group_s:string,\n data_optionalGroups_s:string,\n data_createdAt_t:string,\n data_downloadUrl_s:string,\n data_filePath_s:string,\n data_filename_s:string,\n data_uploadedFilename_s:string,\n comments_s:string,\n data_newValue_s:string,\n data_policy_id_s:string,\n data_policyName_s:string,\n data_newValue_b:bool,\n data_shouldReboot_b:bool,\n data_roleName_s:string,\n data_scopeLevelName_s:string,\n activeDirectory_computerDistinguishedName_s:string,\n activeDirectory_computerMemberOf_s:string,\n activeDirectory_lastUserDistinguishedName_s:string,\n activeDirectory_lastUserMemberOf_s:string,\n activeThreats_d:real,\n agentVersion_s:string,\n allowRemoteShell_b:bool,\n appsVulnerabilityStatus_s:string,\n computerName_s:string,\n consoleMigrationStatus_s:string,\n coreCount_d:real,\n cpuCount_d:real ,\n cpuId_s:string,\n domain_s:string,\n encryptedApplications_b:bool,\n externalId_s:string,\n externalIp_s:string,\n firewallEnabled_b:bool,\n 
groupIp_s:string,\n inRemoteShellSession_b:bool,\n infected_b:bool,\n installerType_s:string,\n isActive_b:bool,\n isDecommissioned_b:bool,\n isPendingUninstall_b:bool,\n isUninstalled_b:bool,\n isUpToDate_b:bool,\n lastActiveDate_t:string,\n lastIpToMgmt_s:string,\n lastLoggedInUserName_s:string,\n licenseKey_s:string,\n locationEnabled_b:bool,\n locationType_s:string,\n locations_s:string,\n machineType_s:string,\n mitigationMode_s:string,\n mitigationModeSuspicious_s:string,\n modelName_s:string,\n networkInterfaces_s:string,\n networkQuarantineEnabled_b:bool,\n networkStatus_s:string,\n operationalState_s:string,\n osArch_s:string,\n osName_s:string,\n osRevision_s:string,\n osStartTime_t:datetime ,\n osType_s:string,\n rangerStatus_s:string,\n rangerVersion_s:string,\n registeredAt_t:string,\n remoteProfilingState_s:string,\n scanFinishedAt_t:string,\n scanStartedAt_t:string,\n scanStatus_s:string,\n threatRebootRequired_b:bool,\n totalMemory_d:real ,\n userActionsNeeded_s:string,\n uuid_g:string,\n creator_s:string,\n creatorId_s:string,\n inherits_b:string ,\n isDefault_b:string ,\n name_s:string,\n registrationToken_s:string,\n totalAgents_d:real ,\n type_s:string\n )[];\n let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty\n | extend \n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n AccountId=column_ifexists('accountId_s', ''),\n AccountName=column_ifexists('accountName_s', ''),\n ActivityType=toreal(column_ifexists('activityType_d', '')),\n EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')),\n DataAccountName=column_ifexists('data_accountName_s', ''),\n DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),\n DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),\n DataScopeName=column_ifexists('data_scopeName_s', ''),\n DataSiteId=column_ifexists('data_siteId_d', ''),\n DataSiteName=column_ifexists('data_siteName_s', ''),\n 
SrcUserName=column_ifexists('data_username_s', ''),\n EventId=column_ifexists('id_s', ''),\n EventOriginalMessage=column_ifexists('primaryDescription_s', ''),\n PrimaryDescription=column_ifexists('primaryDescription_s', ''),\n SiteId=column_ifexists('siteId_s', ''),\n SiteName=column_ifexists('siteName_s', ''),\n UpdatedAt=column_ifexists('updatedAt_t', ''),\n UserIdentity=column_ifexists('userId_s', ''),\n UserId=column_ifexists('userId_s', ''),\n EventType=column_ifexists('event_name_s', ''),\n DataByUser=column_ifexists('data_byUser_s', ''),\n DataRole=column_ifexists('data_role_s', ''),\n DataUserScope=column_ifexists('data_userScope_s', ''),\n EventTypeDetailed=column_ifexists('description_s', ''),\n DataSource=column_ifexists('data_source_s', ''),\n DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),\n DataExpiryTime=column_ifexists('data_expiryTime_d', ''),\n DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),\n DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),\n DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),\n DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),\n DataRuleId=column_ifexists('data_ruleId_d', ''),\n DataRuleName=column_ifexists('data_ruleName_s', ''),\n DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),\n DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),\n DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),\n DataScopeId=column_ifexists('data_scopeId_d', ''),\n Id=column_ifexists('id_s', ''),\n DataStatus=column_ifexists('data_status_s', ''),\n DataSystemUser=column_ifexists('data_systemUser_d', ''),\n DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),\n DataUserId=column_ifexists('data_userId_d', ''),\n DataUserName=column_ifexists('data_userName_s', ''),\n EventSubStatus=column_ifexists('secondaryDescription_s', ''),\n SecondaryDescription=column_ifexists('secondaryDescription_s', ''),\n 
AgentId=column_ifexists('agentId_s', ''),\n DataComputerName=column_ifexists('data_computerName_s', ''),\n DataExternalIp=column_ifexists('data_externalIp_s', ''),\n DataGroupName=column_ifexists('data_groupName_s', ''),\n DataSystem=column_ifexists('data_system_b', ''),\n DataUuid=column_ifexists('data_uuid_g', ''),\n GroupId=column_ifexists('groupId_s', ''),\n GroupName=column_ifexists('groupName_s', ''),\n DataGroup=column_ifexists('data_group_s', ''),\n DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),\n DataCreatedAt=column_ifexists('data_createdAt_t', ''),\n DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),\n DataFilePath=column_ifexists('data_filePath_s', ''),\n DataFilename=column_ifexists('data_filename_s', ''),\n DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),\n Comments=column_ifexists('comments_s', ''),\n DataNewValue=column_ifexists('data_newValue_s', ''),\n DataPolicyId=column_ifexists('data_policy_id_s', ''),\n DataPolicyName=column_ifexists('data_policyName_s', ''),\n DataNewValueb=column_ifexists('data_newValue_b', ''),\n DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),\n DataRoleName=column_ifexists('data_roleName_s', ''),\n DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),\n ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),\n ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),\n ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),\n ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),\n ActiveThreats=column_ifexists('activeThreats_d', ''),\n AgentVersion=column_ifexists('agentVersion_s', ''),\n AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),\n AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),\n ComputerName=column_ifexists('computerName_s', ''),\n 
ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),\n CoreCount=column_ifexists('coreCount_d', ''),\n CpuCount=column_ifexists('cpuCount_d', ''),\n CpuId=column_ifexists('cpuId_s', ''),\n SrcDvcDomain=column_ifexists('domain_s', ''),\n EncryptedApplications=column_ifexists('encryptedApplications_b', ''),\n ExternalId=column_ifexists('externalId_s', ''),\n ExternalIp=column_ifexists('externalIp_s', ''),\n FirewallEnabled=column_ifexists('firewallEnabled_b', ''),\n GroupIp=column_ifexists('groupIp_s', ''),\n InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),\n Infected=column_ifexists('infected_b', ''),\n InstallerType=column_ifexists('installerType_s', ''),\n IsActive=column_ifexists('isActive_b', ''),\n IsDecommissioned=column_ifexists('isDecommissioned_b', ''),\n IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),\n IsUninstalled=column_ifexists('isUninstalled_b', ''),\n IsUpToDate=column_ifexists('isUpToDate_b', ''),\n LastActiveDate=column_ifexists('lastActiveDate_t', ''),\n LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),\n LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),\n LicenseKey=column_ifexists('licenseKey_s', ''),\n LocationEnabled=column_ifexists('locationEnabled_b', ''),\n LocationType=column_ifexists('locationType_s', ''),\n Locations=column_ifexists('locations_s', ''),\n MachineType=column_ifexists('machineType_s', ''),\n MitigationMode=column_ifexists('mitigationMode_s', ''),\n MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),\n SrcDvcModelName=column_ifexists('modelName_s', ''),\n NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),\n NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),\n NetworkStatus=column_ifexists('networkStatus_s', ''),\n OperationalState=column_ifexists('operationalState_s', ''),\n OsArch=column_ifexists('osArch_s', ''),\n SrcDvcOs=column_ifexists('osName_s', ''),\n 
OsRevision=column_ifexists('osRevision_s', ''),\n OsStartTime=column_ifexists('osStartTime_t', ''),\n OsType=column_ifexists('osType_s', ''),\n RangerStatus=column_ifexists('rangerStatus_s', ''),\n RangerVersion=column_ifexists('rangerVersion_s', ''),\n RegisteredAt=column_ifexists('registeredAt_t', ''),\n RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),\n ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),\n ScanStartedAt=column_ifexists('scanStartedAt_t', ''),\n ScanStatus=column_ifexists('scanStatus_s', ''),\n ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),\n TotalMemory=column_ifexists('totalMemory_d', ''),\n UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),\n Uuid=column_ifexists('uuid_g', ''),\n Creator=column_ifexists('creator_s', ''),\n CreatedAt=column_ifexists('createdAt_t',''),\n CreatorId=column_ifexists('creatorId_s', ''),\n Inherits=column_ifexists('inherits_b', ''),\n IsDefault=column_ifexists('isDefault_b', ''),\n Name=column_ifexists('name_s', ''),\n RegistrationToken=column_ifexists('registrationToken_s', ''),\n TotalAgents=column_ifexists('totalAgents_d', ''),\n Type=column_ifexists('type_s', '');\n union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union\n | extend \n ActivityType,\n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n DataAccountName=tostring(parse_json(todynamic(Data)).accountName),\n DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails),\n DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel),\n DataScopeName=tostring(parse_json(todynamic(Data)).scopeName),\n DataSiteId=tostring(parse_json(todynamic(Data)).siteId),\n DataSiteName=tostring(parse_json(todynamic(Data)).siteName),\n SrcUserName=tostring(parse_json(todynamic(Data)).userName),\n EventId=Id,\n SourceParentProcessInfo,\n EventOriginalMessage=PrimaryDescription,\n 
UserIdentity=UserId,\n EventTypeDetailed=Description,\n DataRuleId=tostring(parse_json(todynamic(Data)).ruleId),\n DataRuleName=tostring(parse_json(todynamic(Data)).rulename),\n DataScopeId=tostring(parse_json(todynamic(Data)).scopeId),\n DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser),\n DataUserId=tostring(parse_json(todynamic(Data)).userId),\n DataUserName=tostring(parse_json(todynamic(Data)).userName),\n EventSubStatus=SecondaryDescription,\n DataComputerName=tostring(parse_json(todynamic(Data)).computerName),\n DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp),\n DataGroupName=tostring(parse_json(todynamic(Data)).groupName),\n DataStatus=tostring(parse_json(todynamic(Data)).status),\n DataByUser=tostring(parse_json(todynamic(Data)).byUser),\n DataRole=tostring(parse_json(todynamic(Data)).role),\n DataUserScope=tostring(parse_json(todynamic(Data)).userScope),\n DataSource=tostring(parse_json(todynamic(Data)).source),\n DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr),\n DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime),\n DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine),\n DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime),\n DataUuid=Uuid,\n DataGroup=tostring(parse_json(todynamic(Data)).group),\n DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription),\n EventType=tostring(parse_json(todynamic(AlertInfo)).eventType),\n DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode),\n DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails),\n DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType),\n DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity),\n DataSystem=tostring(parse_json(todynamic(Data)).system),\n DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups),\n DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt),\n 
DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl),\n DataFilePath=tostring(parse_json(todynamic(Data)).filePath),\n DataFilename=tostring(parse_json(todynamic(Data)).filename),\n DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename),\n DataNewValue=tostring(parse_json(todynamic(Data)).newValue),\n DataPolicyId=tostring(parse_json(todynamic(Data)).policyId),\n DataPolicyName=tostring(parse_json(todynamic(Data)).policyName),\n DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot),\n DataRoleName=tostring(parse_json(todynamic(Data)).roleName),\n DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName),\n ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName),\n ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf),\n ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName),\n ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf),\n SrcDvcDomain=Domain,\n AlertInfo,\n FirewallEnabled=column_ifexists('FirewallEnabled',''),\n LocationEnabled=column_ifexists('LocationEnabled',''),\n SrcDvcModelName=ModelName,\n NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''),\n SrcDvcOs=OsName,\n SourceProcessInfo,\n RuleInfo,\n TargetProcessInfo,\n ContainerInfo,\n EventCreationTime=CreatedAt,\n RemoteProfilingState=column_ifexists('RemoteProfilingState','')\n | project\n TimeGenerated, \n EventVendor,\n EventProduct,\n AccountName,\n SourceParentProcessInfo,\n TargetProcessInfo,\n ActivityType,\n EventCreationTime,\n DataAccountName,\n DataFullScopeDetails,\n DataScopeLevel,\n DataScopeName,\n DataSiteId,\n SourceProcessInfo,\n DataSiteName,\n SrcUserName,\n EventId,\n EventOriginalMessage,\n SiteId,\n SiteName,\n UpdatedAt,\n UserIdentity,\n EventType,\n DataByUser,\n DataRole,\n 
DataUserScope,\n EventTypeDetailed,\n DataSource,\n DataExpiryDateStr,\n DataExpiryTime,\n DataNetworkquarantine,\n DataRuleCreationTime,\n DataRuleDescription,\n DataRuleExpirationMode,\n DataRuleId,\n DataRuleName,\n DataRuleQueryDetails,\n DataRuleQueryType,\n DataRuleSeverity,\n DataScopeId,\n DataStatus,\n DataSystemUser,\n DataTreatasthreat,\n DataUserId,\n DataUserName,\n EventSubStatus,\n AgentId,\n DataComputerName,\n DataExternalIp,\n DataGroupName,\n DataSystem,\n DataUuid,\n GroupId,\n GroupName,\n DataGroup,\n DataOptionalGroups,\n DataCreatedAt,\n DataDownloadUrl,\n DataFilePath,\n DataFilename,\n DataUploadedFilename,\n Comments,\n DataNewValue,\n DataPolicyId,\n DataPolicyName,\n DataNewValueb,\n DataShouldReboot,\n DataRoleName,\n DataScopeLevelName,\n ActiveDirectoryComputerDistinguishedName,\n ActiveDirectoryComputerMemberOf,\n ActiveDirectoryLastUserDistinguishedName,\n ActiveDirectoryLastUserMemberOf,\n ActiveThreats=toreal(activeThreats_d),\n AgentVersion,\n AllowRemoteShell,\n AppsVulnerabilityStatus,\n ComputerName,\n ConsoleMigrationStatus,\n CoreCount=toreal(coreCount_d),\n CpuCount=toreal(cpuCount_d),\n CpuId,\n SrcDvcDomain,\n EncryptedApplications,\n ExternalId,\n ExternalIp,\n FirewallEnabled,\n GroupIp,\n InRemoteShellSession,\n Infected,\n InstallerType,\n IsActive,\n IsDecommissioned,\n IsPendingUninstall,\n IsUninstalled,\n IsUpToDate,\n LastActiveDate=tostring(LastActiveDate_datetime),\n LastIpToMgmt,\n LastLoggedInUserName,\n LicenseKey,\n LocationEnabled,\n LocationType,\n Locations,\n MachineType,\n MitigationMode,\n MitigationModeSuspicious,\n SrcDvcModelName,\n NetworkInterfaces,\n NetworkQuarantineEnabled,\n NetworkStatus,\n OperationalState,\n OsArch,\n SrcDvcOs,\n OsRevision,\n OsStartTime,\n OsType,\n RangerStatus,\n RangerVersion,\n RegisteredAt=tostring(RegisteredAt_datetime),\n RemoteProfilingState,\n ScanFinishedAt=tostring(ScanFinishedAt_datetime),\n ScanStartedAt=tostring(ScanStartedAt_datetime),\n ScanStatus,\n 
ThreatRebootRequired,\n TotalMemory=toreal(totalMemory_d),\n UserActionsNeeded,\n Uuid,\n Creator,\n CreatorId,\n Inherits,\n IsDefault,\n Name,\n AlertInfo,\n RuleInfo,\n ContainerInfo,\n RegistrationToken,\n TotalAgents=totalAgents_d,\n Type;\n };\n SentinelOne_view\n", "functionParameters": "", "version": 2, "tags": [ @@ -783,7 +2889,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneAdminLoginNewIP_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneAdminLoginNewIP_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -811,10 +2917,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ @@ -897,7 +3003,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneAgentUninstalled_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneAgentUninstalled_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -925,10 +3031,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ 
@@ -1001,7 +3107,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneAlertFromCustomRule_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneAlertFromCustomRule_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -1029,10 +3135,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ @@ -1105,7 +3211,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneBlacklistHashDeleted_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneBlacklistHashDeleted_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -1133,10 +3239,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ 
@@ -1222,7 +3328,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneExclusionAdded_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneExclusionAdded_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -1250,10 +3356,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ @@ -1326,7 +3432,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneMultipleAlertsOnHost_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneMultipleAlertsOnHost_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -1354,10 +3460,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ 
@@ -1430,7 +3536,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneNewAdmin_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneNewAdmin_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -1458,10 +3564,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ @@ -1534,7 +3640,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneRuleDeleted_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneRuleDeleted_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -1562,10 +3668,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ 
@@ -1638,7 +3744,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneRuleDisabled_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneRuleDisabled_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -1666,10 +3772,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ @@ -1742,7 +3848,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneSameCustomRuleHitOnDiffHosts_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneSameCustomRuleHitOnDiffHosts_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -1770,10 +3876,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ 
@@ -1848,7 +3954,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneViewAgentPassphrase_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SentinelOneViewAgentPassphrase_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", @@ -1876,10 +3982,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ] + ], + "connectorId": "SentinelOne" } ], "tactics": [ @@ -1961,7 +4067,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneAgentNotUpdated_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneAgentNotUpdated_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", 
@@ -2046,7 +4152,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneAgentStatus_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneAgentStatus_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -2131,7 +4237,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneAlertTriggers_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneAlertTriggers_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -2216,7 +4322,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneHostNotScanned_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneHostNotScanned_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", 
@@ -2301,7 +4407,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneNewRules_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneNewRules_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -2386,7 +4492,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneRulesDeleted_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneRulesDeleted_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -2471,7 +4577,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneScannedHosts_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneScannedHosts_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", 
@@ -2556,7 +4662,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneSourcesByAlertCount_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneSourcesByAlertCount_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -2641,7 +4747,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneUninstalledAgents_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneUninstalledAgents_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", @@ -2726,7 +4832,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneUsersByAlertCount_HuntingQueries Hunting Query with template version 3.0.2", + "description": "SentinelOneUsersByAlertCount_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", 
@@ -2807,7 +4913,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.2",
+ "version": "3.0.3",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "SentinelOne",
@@ -2839,8 +4945,8 @@
 "criteria": [
 {
 "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "version": "[variables('dataConnectorCCPVersion')]"
 },
 {
 "kind": "Workbook",
diff --git a/Solutions/SentinelOne/Package/testParameters.json b/Solutions/SentinelOne/Package/testParameters.json
index 34572c463ed..210e9a11ceb 100644
--- a/Solutions/SentinelOne/Package/testParameters.json
+++ b/Solutions/SentinelOne/Package/testParameters.json
@@ -21,6 +21,20 @@
 "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
 }
 },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ },
 "workbook1-name": {
 "type": "string",
 "defaultValue": "SentinelOneWorkbook",
diff --git a/Solutions/SentinelOne/Parsers/SentinelOne.yaml b/Solutions/SentinelOne/Parsers/SentinelOne.yaml
index 9021869c431..3f18edb09e1 100644
--- a/Solutions/SentinelOne/Parsers/SentinelOne.yaml
+++ b/Solutions/SentinelOne/Parsers/SentinelOne.yaml
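Review bot: In the testParameters.json hunk, the new `subscription` parameter derives its default with `[last(split(subscription().id, '/'))]`, re-parsing a resource id path for a value the template function already exposes directly; `"defaultValue": "[subscription().subscriptionId]"` is the documented property and does not depend on the id's path layout. The two added `description` strings also break the capitalisation of the neighbouring `"Workspace name for Log Analytics where Microsoft Sentinel is setup"` entry; `"Resource group name where Microsoft Sentinel is setup"` and `"Subscription ID where Microsoft Sentinel is setup"` would read consistently. Since this file only supplies test inputs, the same two parameter definitions presumably also exist in mainTemplate.json, which is outside this hunk, and should be changed in both places together.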
@@ -1,279 +1,639 @@ id: e1cb35b3-ee01-4c8f-a361-0850d0554ab6 Function: Title: Parser for SentinelOne - Version: '1.0.0' - LastUpdated: '2023-08-23' + Version: '1.0.1' + LastUpdated: '2024-11-25' Category: Microsoft Sentinel Parser FunctionName: SentinelOne FunctionAlias: SentinelOne FunctionQuery: | let SentinelOne_view = view () { - SentinelOne_CL - | extend + let SentinelOneV2_Empty = datatable( + AccountId:string, + AccountName:string, + ActivityType:real , + EventCreationTime:datetime, + DataAccountName:string, + DataFullScopeDetails:string, + DataScopeLevel:string, + DataScopeName:string, + DataSiteId:int, + SecondaryDescription:string , + DataSiteName:string, + SourceProcessInfo:string, + SrcUserName:string, + EventId:string, + EventOriginalMessage:string, + SiteId:string, + SiteName:string, + UpdatedAt:datetime , + UserIdentity:string, + EventType:string, + DataByUser:string, + DataRole:string, + DataUserScope:string, + EventTypeDetailed:string, + DataSource:string, + DataExpiryDateStr:string, + DataExpiryTime:int, + DataNetworkquarantine:bool, + DataRuleCreationTime:int, + DataRuleDescription:string, + DataRuleExpirationMode:string, + DataRuleId:int, + DataRuleName:string, + DataRuleQueryDetails:string, + DataRuleQueryType:string, + DataRuleSeverity:string, + DataScopeId:int, + DataStatus:string, + DataSystemUser:int, + DataTreatasthreat:string, + DataUserId:int, + RuleInfo:string, + DataUserName:string, + EventSubStatus:string, + AgentId:string, + DataComputerName:string, + DataExternalIp:string, + DataGroupName:string, + DataSystem:bool, + DataUuid:string, + GroupId:string, + GroupName:string, + DataGroup:string, + UserId:string , + DataOptionalGroups:string, + DataCreatedAt:string, + DataDownloadUrl:string, + DataFilePath:string, + DataFilename:string, + DataUploadedFilename:string, + Comments:string, + DataNewValue:string, + DataPolicyId:string, + DataPolicyName:string, + DataNewValueb:string, + DataShouldReboot:bool, + DataRoleName:string, + 
DataScopeLevelName:string, + ActiveDirectoryComputerDistinguishedName:string, + ActiveDirectoryComputerMemberOf:string, + ActiveDirectoryLastUserDistinguishedName:string, + ActiveDirectoryLastUserMemberOf:string, + ActiveThreats:int, + AgentVersion:string, + AllowRemoteShell:bool, + AppsVulnerabilityStatus:string, + ComputerName:string, + ConsoleMigrationStatus:string, + CoreCount:int, + CpuCount:int, + CpuId:string, + SrcDvcDomain:string, + EncryptedApplications:bool, + ExternalId:string, + ExternalIp:string, + FirewallEnabled:bool, + GroupIp:string, + InRemoteShellSession:bool, + Infected:bool, + InstallerType:string, + IsActive:bool, + IsDecommissioned:bool, + IsPendingUninstall:bool, + IsUninstalled:bool, + IsUpToDate:bool, + LastActiveDate:string, + TargetProcessInfo:string , + LastIpToMgmt:string, + LastLoggedInUserName:string, + LicenseKey:string, + LocationEnabled:bool, + LocationType:string, + Locations:string, + MachineType:string, + MitigationMode:string, + MitigationModeSuspicious:string, + SrcDvcModelName:string, + NetworkInterfaces:string, + NetworkQuarantineEnabled:bool, + NetworkStatus:string, + OperationalState:string, + OsArch:string, + SrcDvcOs:string, + OsRevision:string, + OsStartTime:datetime , + OsType:string, + RangerStatus:string, + RangerVersion:string, + RegisteredAt:string, + RemoteProfilingState:string, + ScanFinishedAt:string, + ScanStartedAt:string, + ScanStatus:string, + ThreatRebootRequired:bool, + TotalMemory:int, + SourceParentProcessInfo:string , + UserActionsNeeded:string, + Uuid:string, + Creator:string, + ContainerInfo:string, + CreatorId:string, + Inherits:string , + IsDefault:string , + Name:string, + RegistrationToken:string, + AlertInfo:string, + PrimaryDescription:string , + TotalAgents:real , + CreatedAt:datetime , + Id:string, + Type:string + )[]; + let SentinelOneV1_Empty = datatable ( + accountId_s:string, + accountName_s:string, + activityType_d:real, + createdAt_t:datetime , + data_accountName_s:string, + 
data_fullScopeDetails_s:string, + data_scopeLevel_s:string, + data_scopeName_s:string, + data_siteId_d:int, + data_siteName_s:string, + data_username_s:string, + id_s:string, + primaryDescription_s:string, + siteId_s:string, + siteName_s:string, + updatedAt_t:datetime , + userId_s:string, + event_name_s:string, + data_byUser_s:string, + data_role_s:string, + data_userScope_s:string, + description_s:string, + data_source_s:string, + data_expiryDateStr_s:string, + data_expiryTime_d:int, + data_networkquarantine_b:bool, + data_ruleCreationTime_d:int, + data_ruleDescription_s:string, + data_ruleExpirationMode_s:string, + data_ruleId_d:int, + data_ruleName_s:string, + data_ruleQueryDetails_s:string, + data_ruleQueryType_s:string, + data_ruleSeverity_s:string, + data_scopeId_d:int, + data_status_s:string, + data_systemUser_d:int, + data_treatasthreat_s:string, + data_userId_d:int, + data_userName_s:string, + secondaryDescription_s:string, + agentId_s:string, + data_computerName_s:string, + data_externalIp_s:string, + data_groupName_s:string, + data_system_b:bool, + data_uuid_g:string, + groupId_s:string, + groupName_s:string, + data_group_s:string, + data_optionalGroups_s:string, + data_createdAt_t:string, + data_downloadUrl_s:string, + data_filePath_s:string, + data_filename_s:string, + data_uploadedFilename_s:string, + comments_s:string, + data_newValue_s:string, + data_policy_id_s:string, + data_policyName_s:string, + data_newValue_b:bool, + data_shouldReboot_b:bool, + data_roleName_s:string, + data_scopeLevelName_s:string, + activeDirectory_computerDistinguishedName_s:string, + activeDirectory_computerMemberOf_s:string, + activeDirectory_lastUserDistinguishedName_s:string, + activeDirectory_lastUserMemberOf_s:string, + activeThreats_d:real, + agentVersion_s:string, + allowRemoteShell_b:bool, + appsVulnerabilityStatus_s:string, + computerName_s:string, + consoleMigrationStatus_s:string, + coreCount_d:real, + cpuCount_d:real , + cpuId_s:string, + domain_s:string, + 
encryptedApplications_b:bool, + externalId_s:string, + externalIp_s:string, + firewallEnabled_b:bool, + groupIp_s:string, + inRemoteShellSession_b:bool, + infected_b:bool, + installerType_s:string, + isActive_b:bool, + isDecommissioned_b:bool, + isPendingUninstall_b:bool, + isUninstalled_b:bool, + isUpToDate_b:bool, + lastActiveDate_t:string, + lastIpToMgmt_s:string, + lastLoggedInUserName_s:string, + licenseKey_s:string, + locationEnabled_b:bool, + locationType_s:string, + locations_s:string, + machineType_s:string, + mitigationMode_s:string, + mitigationModeSuspicious_s:string, + modelName_s:string, + networkInterfaces_s:string, + networkQuarantineEnabled_b:bool, + networkStatus_s:string, + operationalState_s:string, + osArch_s:string, + osName_s:string, + osRevision_s:string, + osStartTime_t:datetime , + osType_s:string, + rangerStatus_s:string, + rangerVersion_s:string, + registeredAt_t:string, + remoteProfilingState_s:string, + scanFinishedAt_t:string, + scanStartedAt_t:string, + scanStatus_s:string, + threatRebootRequired_b:bool, + totalMemory_d:real , + userActionsNeeded_s:string, + uuid_g:string, + creator_s:string, + creatorId_s:string, + inherits_b:string , + isDefault_b:string , + name_s:string, + registrationToken_s:string, + totalAgents_d:real , + type_s:string + )[]; + let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty + | extend EventVendor="SentinelOne", EventProduct="SentinelOne", - AccountId=column_ifexists('accountId_s', ''), - AccountName=column_ifexists('accountName_s', ''), - ActivityType=column_ifexists('activityType_d', ''), - EventCreationTime=column_ifexists('createdAt_t', ''), - DataAccountName=column_ifexists('data_accountName_s', ''), - DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''), - DataScopeLevel=column_ifexists('data_scopeLevel_s', ''), - DataScopeName=column_ifexists('data_scopeName_s', ''), - DataSiteId=column_ifexists('data_siteId_d', ''), - 
DataSiteName=column_ifexists('data_siteName_s', ''), - SrcUserName=column_ifexists('data_username_s', ''), - EventId=column_ifexists('id_s', ''), - EventOriginalMessage=column_ifexists('primaryDescription_s', ''), - SiteId=column_ifexists('siteId_s', ''), - SiteName=column_ifexists('siteName_s', ''), - UpdatedAt=column_ifexists('updatedAt_t', ''), - UserIdentity=column_ifexists('userId_s', ''), - EventType=column_ifexists('event_name_s', ''), - DataByUser=column_ifexists('data_byUser_s', ''), - DataRole=column_ifexists('data_role_s', ''), - DataUserScope=column_ifexists('data_userScope_s', ''), - EventTypeDetailed=column_ifexists('description_s', ''), - DataSource=column_ifexists('data_source_s', ''), - DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''), - DataExpiryTime=column_ifexists('data_expiryTime_d', ''), - DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''), - DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''), - DataRuleDescription=column_ifexists('data_ruleDescription_s', ''), - DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''), - DataRuleId=column_ifexists('data_ruleId_d', ''), - DataRuleName=column_ifexists('data_ruleName_s', ''), - DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''), - DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''), - DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''), - DataScopeId=column_ifexists('data_scopeId_d', ''), - DataStatus=column_ifexists('data_status_s', ''), - DataSystemUser=column_ifexists('data_systemUser_d', ''), - DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''), - DataUserId=column_ifexists('data_userId_d', ''), - DataUserName=column_ifexists('data_userName_s', ''), - EventSubStatus=column_ifexists('secondaryDescription_s', ''), - AgentId=column_ifexists('agentId_s', ''), - DataComputerName=column_ifexists('data_computerName_s', ''), - DataExternalIp=column_ifexists('data_externalIp_s', ''), - 
DataGroupName=column_ifexists('data_groupName_s', ''), - DataSystem=column_ifexists('data_system_b', ''), - DataUuid=column_ifexists('data_uuid_g', ''), - GroupId=column_ifexists('groupId_s', ''), - GroupName=column_ifexists('groupName_s', ''), - DataGroup=column_ifexists('data_group_s', ''), - DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''), - DataCreatedAt=column_ifexists('data_createdAt_t', ''), - DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''), - DataFilePath=column_ifexists('data_filePath_s', ''), - DataFilename=column_ifexists('data_filename_s', ''), - DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''), - Comments=column_ifexists('comments_s', ''), - DataNewValue=column_ifexists('data_newValue_s', ''), - DataPolicyId=column_ifexists('data_policy_id_s', ''), - DataPolicyName=column_ifexists('data_policyName_s', ''), - DataNewValueb=column_ifexists('data_newValue_b', ''), - DataShouldReboot=column_ifexists('data_shouldReboot_b', ''), - DataRoleName=column_ifexists('data_roleName_s', ''), - DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''), - ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''), - ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''), - ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''), - ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''), - ActiveThreats=column_ifexists('activeThreats_d', ''), - AgentVersion=column_ifexists('agentVersion_s', ''), - AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''), - AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''), - ComputerName=column_ifexists('computerName_s', ''), - ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''), - CoreCount=column_ifexists('coreCount_d', ''), - CpuCount=column_ifexists('cpuCount_d', ''), - 
CpuId=column_ifexists('cpuId_s', ''), - SrcDvcDomain=column_ifexists('domain_s', ''), - EncryptedApplications=column_ifexists('encryptedApplications_b', ''), - ExternalId=column_ifexists('externalId_s', ''), - ExternalIp=column_ifexists('externalIp_s', ''), - FirewallEnabled=column_ifexists('firewallEnabled_b', ''), - GroupIp=column_ifexists('groupIp_s', ''), - InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''), - Infected=column_ifexists('infected_b', ''), - InstallerType=column_ifexists('installerType_s', ''), - IsActive=column_ifexists('isActive_b', ''), - IsDecommissioned=column_ifexists('isDecommissioned_b', ''), - IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''), - IsUninstalled=column_ifexists('isUninstalled_b', ''), - IsUpToDate=column_ifexists('isUpToDate_b', ''), - LastActiveDate=column_ifexists('lastActiveDate_t', ''), - LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''), - LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''), - LicenseKey=column_ifexists('licenseKey_s', ''), - LocationEnabled=column_ifexists('locationEnabled_b', ''), - LocationType=column_ifexists('locationType_s', ''), - Locations=column_ifexists('locations_s', ''), - MachineType=column_ifexists('machineType_s', ''), - MitigationMode=column_ifexists('mitigationMode_s', ''), - MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''), - SrcDvcModelName=column_ifexists('modelName_s', ''), - NetworkInterfaces=column_ifexists('networkInterfaces_s', ''), - NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''), - NetworkStatus=column_ifexists('networkStatus_s', ''), - OperationalState=column_ifexists('operationalState_s', ''), - OsArch=column_ifexists('osArch_s', ''), - SrcDvcOs=column_ifexists('osName_s', ''), - OsRevision=column_ifexists('osRevision_s', ''), - OsStartTime=column_ifexists('osStartTime_t', ''), - OsType=column_ifexists('osType_s', ''), - RangerStatus=column_ifexists('rangerStatus_s', ''), - 
RangerVersion=column_ifexists('rangerVersion_s', ''), - RegisteredAt=column_ifexists('registeredAt_t', ''), - RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''), - ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''), - ScanStartedAt=column_ifexists('scanStartedAt_t', ''), - ScanStatus=column_ifexists('scanStatus_s', ''), - ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''), - TotalMemory=column_ifexists('totalMemory_d', ''), - UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''), - Uuid=column_ifexists('uuid_g', ''), - Creator=column_ifexists('creator_s', ''), - CreatorId=column_ifexists('creatorId_s', ''), - Inherits=column_ifexists('inherits_b', ''), - IsDefault=column_ifexists('isDefault_b', ''), - Name=column_ifexists('name_s', ''), - RegistrationToken=column_ifexists('registrationToken_s', ''), - TotalAgents=column_ifexists('totalAgents_d', ''), - Type=column_ifexists('type_s', '') - | project - TimeGenerated, - EventVendor, - EventProduct, - AccountName, - ActivityType, - EventCreationTime, - DataAccountName, - DataFullScopeDetails, - DataScopeLevel, - DataScopeName, - DataSiteId, - DataSiteName, - SrcUserName, - EventId, - EventOriginalMessage, - SiteId, - SiteName, - UpdatedAt, - UserIdentity, - EventType, - DataByUser, - DataRole, - DataUserScope, - EventTypeDetailed, - DataSource, - DataExpiryDateStr, - DataExpiryTime, - DataNetworkquarantine, - DataRuleCreationTime, - DataRuleDescription, - DataRuleExpirationMode, - DataRuleId, - DataRuleName, - DataRuleQueryDetails, - DataRuleQueryType, - DataRuleSeverity, - DataScopeId, - DataStatus, - DataSystemUser, - DataTreatasthreat, - DataUserId, - DataUserName, - EventSubStatus, - AgentId, - DataComputerName, - DataExternalIp, - DataGroupName, - DataSystem, - DataUuid, - GroupId, - GroupName, - DataGroup, - DataOptionalGroups, - DataCreatedAt, - DataDownloadUrl, - DataFilePath, - DataFilename, - DataUploadedFilename, - Comments, - DataNewValue, - DataPolicyId, - 
DataPolicyName, - DataNewValueb, - DataShouldReboot, - DataRoleName, - DataScopeLevelName, - ActiveDirectoryComputerDistinguishedName, - ActiveDirectoryComputerMemberOf, - ActiveDirectoryLastUserDistinguishedName, - ActiveDirectoryLastUserMemberOf, - ActiveThreats, - AgentVersion, - AllowRemoteShell, - AppsVulnerabilityStatus, - ComputerName, - ConsoleMigrationStatus, - CoreCount, - CpuCount, - CpuId, - SrcDvcDomain, - EncryptedApplications, - ExternalId, - ExternalIp, - FirewallEnabled, - GroupIp, - InRemoteShellSession, - Infected, - InstallerType, - IsActive, - IsDecommissioned, - IsPendingUninstall, - IsUninstalled, - IsUpToDate, - LastActiveDate, - LastIpToMgmt, - LastLoggedInUserName, - LicenseKey, - LocationEnabled, - LocationType, - Locations, - MachineType, - MitigationMode, - MitigationModeSuspicious, - SrcDvcModelName, - NetworkInterfaces, - NetworkQuarantineEnabled, - NetworkStatus, - OperationalState, - OsArch, - SrcDvcOs, - OsRevision, - OsStartTime, - OsType, - RangerStatus, - RangerVersion, - RegisteredAt, - RemoteProfilingState, - ScanFinishedAt, - ScanStartedAt, - ScanStatus, - ThreatRebootRequired, - TotalMemory, - UserActionsNeeded, - Uuid, - Creator, - CreatorId, - Inherits, - IsDefault, - Name, - RegistrationToken, - TotalAgents, - Type - }; - SentinelOne_view \ No newline at end of file + AccountId=column_ifexists('accountId_s', ''), + AccountName=column_ifexists('accountName_s', ''), + ActivityType=toreal(column_ifexists('activityType_d', '')), + EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')), + DataAccountName=column_ifexists('data_accountName_s', ''), + DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''), + DataScopeLevel=column_ifexists('data_scopeLevel_s', ''), + DataScopeName=column_ifexists('data_scopeName_s', ''), + DataSiteId=column_ifexists('data_siteId_d', ''), + DataSiteName=column_ifexists('data_siteName_s', ''), + SrcUserName=column_ifexists('data_username_s', ''), + 
EventId=column_ifexists('id_s', ''), + EventOriginalMessage=column_ifexists('primaryDescription_s', ''), + PrimaryDescription=column_ifexists('primaryDescription_s', ''), + SiteId=column_ifexists('siteId_s', ''), + SiteName=column_ifexists('siteName_s', ''), + UpdatedAt=column_ifexists('updatedAt_t', ''), + UserIdentity=column_ifexists('userId_s', ''), + UserId=column_ifexists('userId_s', ''), + EventType=column_ifexists('event_name_s', ''), + DataByUser=column_ifexists('data_byUser_s', ''), + DataRole=column_ifexists('data_role_s', ''), + DataUserScope=column_ifexists('data_userScope_s', ''), + EventTypeDetailed=column_ifexists('description_s', ''), + DataSource=column_ifexists('data_source_s', ''), + DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''), + DataExpiryTime=column_ifexists('data_expiryTime_d', ''), + DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''), + DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''), + DataRuleDescription=column_ifexists('data_ruleDescription_s', ''), + DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''), + DataRuleId=column_ifexists('data_ruleId_d', ''), + DataRuleName=column_ifexists('data_ruleName_s', ''), + DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''), + DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''), + DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''), + DataScopeId=column_ifexists('data_scopeId_d', ''), + Id=column_ifexists('id_s', ''), + DataStatus=column_ifexists('data_status_s', ''), + DataSystemUser=column_ifexists('data_systemUser_d', ''), + DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''), + DataUserId=column_ifexists('data_userId_d', ''), + DataUserName=column_ifexists('data_userName_s', ''), + EventSubStatus=column_ifexists('secondaryDescription_s', ''), + SecondaryDescription=column_ifexists('secondaryDescription_s', ''), + AgentId=column_ifexists('agentId_s', ''), + 
DataComputerName=column_ifexists('data_computerName_s', ''),
+ DataExternalIp=column_ifexists('data_externalIp_s', ''),
+ DataGroupName=column_ifexists('data_groupName_s', ''),
+ DataSystem=column_ifexists('data_system_b', ''),
+ DataUuid=column_ifexists('data_uuid_g', ''),
+ GroupId=column_ifexists('groupId_s', ''),
+ GroupName=column_ifexists('groupName_s', ''),
+ DataGroup=column_ifexists('data_group_s', ''),
+ DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),
+ DataCreatedAt=column_ifexists('data_createdAt_t', ''),
+ DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),
+ DataFilePath=column_ifexists('data_filePath_s', ''),
+ DataFilename=column_ifexists('data_filename_s', ''),
+ DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),
+ Comments=column_ifexists('comments_s', ''),
+ DataNewValue=column_ifexists('data_newValue_s', ''),
+ DataPolicyId=column_ifexists('data_policy_id_s', ''),
+ DataPolicyName=column_ifexists('data_policyName_s', ''),
+ DataNewValueb=column_ifexists('data_newValue_b', ''),
+ DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),
+ DataRoleName=column_ifexists('data_roleName_s', ''),
+ DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),
+ ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),
+ ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),
+ ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),
+ ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),
+ ActiveThreats=column_ifexists('activeThreats_d', ''),
+ AgentVersion=column_ifexists('agentVersion_s', ''),
+ AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),
+ AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),
+ ComputerName=column_ifexists('computerName_s', ''),
+ ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),
+ CoreCount=column_ifexists('coreCount_d', ''),
+ CpuCount=column_ifexists('cpuCount_d', ''),
+ CpuId=column_ifexists('cpuId_s', ''),
+ SrcDvcDomain=column_ifexists('domain_s', ''),
+ EncryptedApplications=column_ifexists('encryptedApplications_b', ''),
+ ExternalId=column_ifexists('externalId_s', ''),
+ ExternalIp=column_ifexists('externalIp_s', ''),
+ FirewallEnabled=column_ifexists('firewallEnabled_b', ''),
+ GroupIp=column_ifexists('groupIp_s', ''),
+ InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),
+ Infected=column_ifexists('infected_b', ''),
+ InstallerType=column_ifexists('installerType_s', ''),
+ IsActive=column_ifexists('isActive_b', ''),
+ IsDecommissioned=column_ifexists('isDecommissioned_b', ''),
+ IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),
+ IsUninstalled=column_ifexists('isUninstalled_b', ''),
+ IsUpToDate=column_ifexists('isUpToDate_b', ''),
+ LastActiveDate=column_ifexists('lastActiveDate_t', ''),
+ LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),
+ LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),
+ LicenseKey=column_ifexists('licenseKey_s', ''),
+ LocationEnabled=column_ifexists('locationEnabled_b', ''),
+ LocationType=column_ifexists('locationType_s', ''),
+ Locations=column_ifexists('locations_s', ''),
+ MachineType=column_ifexists('machineType_s', ''),
+ MitigationMode=column_ifexists('mitigationMode_s', ''),
+ MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),
+ SrcDvcModelName=column_ifexists('modelName_s', ''),
+ NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),
+ NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),
+ NetworkStatus=column_ifexists('networkStatus_s', ''),
+ OperationalState=column_ifexists('operationalState_s', ''),
+ OsArch=column_ifexists('osArch_s', ''),
+ SrcDvcOs=column_ifexists('osName_s', ''),
+ OsRevision=column_ifexists('osRevision_s', ''),
+ OsStartTime=column_ifexists('osStartTime_t', ''),
+ OsType=column_ifexists('osType_s', ''),
+ RangerStatus=column_ifexists('rangerStatus_s', ''),
+ RangerVersion=column_ifexists('rangerVersion_s', ''),
+ RegisteredAt=column_ifexists('registeredAt_t', ''),
+ RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),
+ ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),
+ ScanStartedAt=column_ifexists('scanStartedAt_t', ''),
+ ScanStatus=column_ifexists('scanStatus_s', ''),
+ ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),
+ TotalMemory=column_ifexists('totalMemory_d', ''),
+ UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),
+ Uuid=column_ifexists('uuid_g', ''),
+ Creator=column_ifexists('creator_s', ''),
+ CreatedAt=column_ifexists('createdAt_t',''),
+ CreatorId=column_ifexists('creatorId_s', ''),
+ Inherits=column_ifexists('inherits_b', ''),
+ IsDefault=column_ifexists('isDefault_b', ''),
+ Name=column_ifexists('name_s', ''),
+ RegistrationToken=column_ifexists('registrationToken_s', ''),
+ TotalAgents=column_ifexists('totalAgents_d', ''),
+ Type=column_ifexists('type_s', '');
+ union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union
+ | extend
+ ActivityType,
+ EventVendor="SentinelOne",
+ EventProduct="SentinelOne",
+ DataAccountName=tostring(parse_json(todynamic(Data)).accountName),
+ DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails),
+ DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel),
+ DataScopeName=tostring(parse_json(todynamic(Data)).scopeName),
+ DataSiteId=tostring(parse_json(todynamic(Data)).siteId),
+ DataSiteName=tostring(parse_json(todynamic(Data)).siteName),
+ SrcUserName=tostring(parse_json(todynamic(Data)).userName),
+ EventId=Id,
+ SourceParentProcessInfo,
+ EventOriginalMessage=PrimaryDescription,
+ UserIdentity=UserId,
+ EventTypeDetailed=Description,
+ DataRuleId=tostring(parse_json(todynamic(Data)).ruleId),
+ DataRuleName=tostring(parse_json(todynamic(Data)).rulename),
+ DataScopeId=tostring(parse_json(todynamic(Data)).scopeId),
+ DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser),
+ DataUserId=tostring(parse_json(todynamic(Data)).userId),
+ DataUserName=tostring(parse_json(todynamic(Data)).userName),
+ EventSubStatus=SecondaryDescription,
+ DataComputerName=tostring(parse_json(todynamic(Data)).computerName),
+ DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp),
+ DataGroupName=tostring(parse_json(todynamic(Data)).groupName),
+ DataStatus=tostring(parse_json(todynamic(Data)).status),
+ DataByUser=tostring(parse_json(todynamic(Data)).byUser),
+ DataRole=tostring(parse_json(todynamic(Data)).role),
+ DataUserScope=tostring(parse_json(todynamic(Data)).userScope),
+ DataSource=tostring(parse_json(todynamic(Data)).source),
+ DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr),
+ DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime),
+ DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine),
+ DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime),
+ DataUuid=Uuid,
+ DataGroup=tostring(parse_json(todynamic(Data)).group),
+ DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription),
+ EventType=tostring(parse_json(todynamic(AlertInfo)).eventType),
+ DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode),
+ DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails),
+ DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType),
+ DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity),
+ DataSystem=tostring(parse_json(todynamic(Data)).system),
+ DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups),
+ DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt),
+ DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl),
+ DataFilePath=tostring(parse_json(todynamic(Data)).filePath),
+ DataFilename=tostring(parse_json(todynamic(Data)).filename),
+ DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename),
+ DataNewValue=tostring(parse_json(todynamic(Data)).newValue),
+ DataPolicyId=tostring(parse_json(todynamic(Data)).policyId),
+ DataPolicyName=tostring(parse_json(todynamic(Data)).policyName),
+ DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot),
+ DataRoleName=tostring(parse_json(todynamic(Data)).roleName),
+ DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName),
+ ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName),
+ ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf),
+ ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName),
+ ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf),
+ SrcDvcDomain=Domain,
+ AlertInfo,
+ FirewallEnabled=column_ifexists('FirewallEnabled',''),
+ LocationEnabled=column_ifexists('LocationEnabled',''),
+ SrcDvcModelName=ModelName,
+ NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''),
+ SrcDvcOs=OsName,
+ SourceProcessInfo,
+ RuleInfo,
+ TargetProcessInfo,
+ ContainerInfo,
+ EventCreationTime=CreatedAt,
+ RemoteProfilingState=column_ifexists('RemoteProfilingState','')
+ | project
+ TimeGenerated,
+ EventVendor,
+ EventProduct,
+ AccountName,
+ SourceParentProcessInfo,
+ TargetProcessInfo,
+ ActivityType,
+ EventCreationTime,
+ DataAccountName,
+ DataFullScopeDetails,
+ DataScopeLevel,
+ DataScopeName,
+ DataSiteId,
+ SourceProcessInfo,
+ DataSiteName,
+ SrcUserName,
+ EventId,
+ EventOriginalMessage,
+ SiteId,
+ SiteName,
+ UpdatedAt,
+ UserIdentity,
+ EventType,
+ DataByUser,
+ DataRole,
+ DataUserScope,
+ EventTypeDetailed,
+ DataSource,
+ DataExpiryDateStr,
+ DataExpiryTime,
+ DataNetworkquarantine,
+ DataRuleCreationTime,
+ DataRuleDescription,
+ DataRuleExpirationMode,
+ DataRuleId,
+ DataRuleName,
+ DataRuleQueryDetails,
+ DataRuleQueryType,
+ DataRuleSeverity,
+ DataScopeId,
+ DataStatus,
+ DataSystemUser,
+ DataTreatasthreat,
+ DataUserId,
+ DataUserName,
+ EventSubStatus,
+ AgentId,
+ DataComputerName,
+ DataExternalIp,
+ DataGroupName,
+ DataSystem,
+ DataUuid,
+ GroupId,
+ GroupName,
+ DataGroup,
+ DataOptionalGroups,
+ DataCreatedAt,
+ DataDownloadUrl,
+ DataFilePath,
+ DataFilename,
+ DataUploadedFilename,
+ Comments,
+ DataNewValue,
+ DataPolicyId,
+ DataPolicyName,
+ DataNewValueb,
+ DataShouldReboot,
+ DataRoleName,
+ DataScopeLevelName,
+ ActiveDirectoryComputerDistinguishedName,
+ ActiveDirectoryComputerMemberOf,
+ ActiveDirectoryLastUserDistinguishedName,
+ ActiveDirectoryLastUserMemberOf,
+ ActiveThreats=toreal(activeThreats_d),
+ AgentVersion,
+ AllowRemoteShell,
+ AppsVulnerabilityStatus,
+ ComputerName,
+ ConsoleMigrationStatus,
+ CoreCount=toreal(coreCount_d),
+ CpuCount=toreal(cpuCount_d),
+ CpuId,
+ SrcDvcDomain,
+ EncryptedApplications,
+ ExternalId,
+ ExternalIp,
+ FirewallEnabled,
+ GroupIp,
+ InRemoteShellSession,
+ Infected,
+ InstallerType,
+ IsActive,
+ IsDecommissioned,
+ IsPendingUninstall,
+ IsUninstalled,
+ IsUpToDate,
+ LastActiveDate=tostring(LastActiveDate_datetime),
+ LastIpToMgmt,
+ LastLoggedInUserName,
+ LicenseKey,
+ LocationEnabled,
+ LocationType,
+ Locations,
+ MachineType,
+ MitigationMode,
+ MitigationModeSuspicious,
+ SrcDvcModelName,
+ NetworkInterfaces,
+ NetworkQuarantineEnabled,
+ NetworkStatus,
+ OperationalState,
+ OsArch,
+ SrcDvcOs,
+ OsRevision,
+ OsStartTime,
+ OsType,
+ RangerStatus,
+ RangerVersion,
+ RegisteredAt=tostring(RegisteredAt_datetime),
+ RemoteProfilingState,
+ ScanFinishedAt=tostring(ScanFinishedAt_datetime),
+ ScanStartedAt=tostring(ScanStartedAt_datetime),
+ ScanStatus,
+ ThreatRebootRequired,
+ TotalMemory=toreal(totalMemory_d),
+ UserActionsNeeded,
+ Uuid,
+ Creator,
+ CreatorId,
+ Inherits,
+ IsDefault,
+ Name,
+ AlertInfo,
+ RuleInfo,
+ ContainerInfo,
+ RegistrationToken,
+ TotalAgents=totalAgents_d,
+ Type;
+ };
+ SentinelOne_view
\ No newline at end of file
diff --git a/Solutions/SentinelOne/Parsers/newParser.txt b/Solutions/SentinelOne/Parsers/newParser.txt
new file mode 100644
index 00000000000..3562373bb25
--- /dev/null
+++ b/Solutions/SentinelOne/Parsers/newParser.txt
@@ -0,0 +1,633 @@
+let SentinelOne_view = view () {
+let SentinelOneV2_Empty = datatable(
+ AccountId:string,
+ AccountName:string,
+ ActivityType:real ,
+ EventCreationTime:datetime,
+ DataAccountName:string,
+ DataFullScopeDetails:string,
+ DataScopeLevel:string,
+ DataScopeName:string,
+ DataSiteId:int,
+ SecondaryDescription:string ,
+ DataSiteName:string,
+ SourceProcessInfo:string,
+ SrcUserName:string,
+ EventId:string,
+ EventOriginalMessage:string,
+ SiteId:string,
+ SiteName:string,
+ UpdatedAt:datetime ,
+ UserIdentity:string,
+ EventType:string,
+ DataByUser:string,
+ DataRole:string,
+ DataUserScope:string,
+ EventTypeDetailed:string,
+ DataSource:string,
+ DataExpiryDateStr:string,
+ DataExpiryTime:int,
+ DataNetworkquarantine:bool,
+ DataRuleCreationTime:int,
+ DataRuleDescription:string,
+ DataRuleExpirationMode:string,
+ DataRuleId:int,
+ DataRuleName:string,
+ DataRuleQueryDetails:string,
+ DataRuleQueryType:string,
+ DataRuleSeverity:string,
+ DataScopeId:int,
+ DataStatus:string,
+ DataSystemUser:int,
+ DataTreatasthreat:string,
+ DataUserId:int,
+ RuleInfo:string,
+ AgentDetectionInfo:string ,
+ DataUserName:string,
+ EventSubStatus:string,
+ AgentId:string,
+ DataComputerName:string,
+ DataExternalIp:string,
+ DataGroupName:string,
+ DataSystem:bool,
+ DataUuid:string,
+ GroupId:string,
+ GroupName:string,
+ DataGroup:string,
+ UserId:string ,
+ DataOptionalGroups:string,
+ DataCreatedAt:string,
+ DataDownloadUrl:string,
+ DataFilePath:string,
+ DataFilename:string,
+ DataUploadedFilename:string,
+ Comments:string,
+ DataNewValue:string,
+ DataPolicyId:string,
+ DataPolicyName:string,
+ DataNewValueb:string,
+ DataShouldReboot:bool,
+ DataRoleName:string,
+ DataScopeLevelName:string,
+ ActiveDirectoryComputerDistinguishedName:string,
+ ActiveDirectoryComputerMemberOf:string,
+ ActiveDirectoryLastUserDistinguishedName:string,
+ ActiveDirectoryLastUserMemberOf:string,
+ ActiveThreats:int,
+ AgentVersion:string,
+ AllowRemoteShell:bool,
+ AppsVulnerabilityStatus:string,
+ ComputerName:string,
+ ConsoleMigrationStatus:string,
+ CoreCount:int,
+ CpuCount:int,
+ CpuId:string,
+ SrcDvcDomain:string,
+ EncryptedApplications:bool,
+ ExternalId:string,
+ ExternalIp:string,
+ FirewallEnabled:bool,
+ GroupIp:string,
+ InRemoteShellSession:bool,
+ Infected:bool,
+ InstallerType:string,
+ IsActive:bool,
+ IsDecommissioned:bool,
+ IsPendingUninstall:bool,
+ IsUninstalled:bool,
+ IsUpToDate:bool,
+ LastActiveDate:string,
+ TargetProcessInfo:string ,
+ LastIpToMgmt:string,
+ LastLoggedInUserName:string,
+ LicenseKey:string,
+ LocationEnabled:bool,
+ LocationType:string,
+ Locations:string,
+ MachineType:string,
+ MitigationMode:string,
+ MitigationModeSuspicious:string,
+ SrcDvcModelName:string,
+ NetworkInterfaces:string,
+ NetworkQuarantineEnabled:bool,
+ NetworkStatus:string,
+ OperationalState:string,
+ OsArch:string,
+ SrcDvcOs:string,
+ OsRevision:string,
+ OsStartTime:datetime ,
+ OsType:string,
+ RangerStatus:string,
+ RangerVersion:string,
+ RegisteredAt:string,
+ RemoteProfilingState:string,
+ ScanFinishedAt:string,
+ ScanStartedAt:string,
+ ScanStatus:string,
+ ThreatRebootRequired:bool,
+ TotalMemory:int,
+ SourceParentProcessInfo:string ,
+ UserActionsNeeded:string,
+ Uuid:string,
+ Creator:string,
+ ContainerInfo:string,
+ CreatorId:string,
+ Inherits:string ,
+ IsDefault:string ,
+ Name:string,
+ RegistrationToken:string,
+ AlertInfo:string,
+ PrimaryDescription:string ,
+ TotalAgents:real ,
+ CreatedAt:datetime ,
+ Id:string,
+ Type:string
+ )[];
+let SentinelOneV1_Empty = datatable (
+ accountId_s:string,
+ accountName_s:string,
+ activityType_d:real,
+ createdAt_t:datetime ,
+ data_accountName_s:string,
+ data_fullScopeDetails_s:string,
+ data_scopeLevel_s:string,
+ data_scopeName_s:string,
+ data_siteId_d:int,
+ data_siteName_s:string,
+ data_username_s:string,
+ id_s:string,
+ primaryDescription_s:string,
+ siteId_s:string,
+ siteName_s:string,
+ updatedAt_t:datetime ,
+ userId_s:string,
+ event_name_s:string,
+ data_byUser_s:string,
+ data_role_s:string,
+ data_userScope_s:string,
+ description_s:string,
+ data_source_s:string,
+ data_expiryDateStr_s:string,
+ data_expiryTime_d:int,
+ data_networkquarantine_b:bool,
+ data_ruleCreationTime_d:int,
+ data_ruleDescription_s:string,
+ data_ruleExpirationMode_s:string,
+ data_ruleId_d:int,
+ data_ruleName_s:string,
+ data_ruleQueryDetails_s:string,
+ data_ruleQueryType_s:string,
+ data_ruleSeverity_s:string,
+ data_scopeId_d:int,
+ data_status_s:string,
+ data_systemUser_d:int,
+ data_treatasthreat_s:string,
+ data_userId_d:int,
+ data_userName_s:string,
+ secondaryDescription_s:string,
+ agentId_s:string,
+ data_computerName_s:string,
+ data_externalIp_s:string,
+ data_groupName_s:string,
+ data_system_b:bool,
+ data_uuid_g:string,
+ groupId_s:string,
+ groupName_s:string,
+ data_group_s:string,
+ data_optionalGroups_s:string,
+ data_createdAt_t:string,
+ data_downloadUrl_s:string,
+ data_filePath_s:string,
+ data_filename_s:string,
+ data_uploadedFilename_s:string,
+ comments_s:string,
+ data_newValue_s:string,
+ data_policy_id_s:string,
+ data_policyName_s:string,
+ data_newValue_b:bool,
+ data_shouldReboot_b:bool,
+ data_roleName_s:string,
+ data_scopeLevelName_s:string,
+ activeDirectory_computerDistinguishedName_s:string,
+ activeDirectory_computerMemberOf_s:string,
+ activeDirectory_lastUserDistinguishedName_s:string,
+ activeDirectory_lastUserMemberOf_s:string,
+ activeThreats_d:real,
+ agentVersion_s:string,
+ allowRemoteShell_b:bool,
+ appsVulnerabilityStatus_s:string,
+ computerName_s:string,
+ consoleMigrationStatus_s:string,
+ coreCount_d:real,
+ cpuCount_d:real ,
+ cpuId_s:string,
+ domain_s:string,
+ encryptedApplications_b:bool,
+ externalId_s:string,
+ externalIp_s:string,
+ firewallEnabled_b:bool,
+ groupIp_s:string,
+ inRemoteShellSession_b:bool,
+ infected_b:bool,
+ installerType_s:string,
+ isActive_b:bool,
+ isDecommissioned_b:bool,
+ isPendingUninstall_b:bool,
+ isUninstalled_b:bool,
+ isUpToDate_b:bool,
+ lastActiveDate_t:string,
+ lastIpToMgmt_s:string,
+ lastLoggedInUserName_s:string,
+ licenseKey_s:string,
+ locationEnabled_b:bool,
+ locationType_s:string,
+ locations_s:string,
+ machineType_s:string,
+ mitigationMode_s:string,
+ mitigationModeSuspicious_s:string,
+ modelName_s:string,
+ networkInterfaces_s:string,
+ networkQuarantineEnabled_b:bool,
+ networkStatus_s:string,
+ operationalState_s:string,
+ osArch_s:string,
+ osName_s:string,
+ osRevision_s:string,
+ osStartTime_t:datetime ,
+ osType_s:string,
+ rangerStatus_s:string,
+ rangerVersion_s:string,
+ registeredAt_t:string,
+ remoteProfilingState_s:string,
+ scanFinishedAt_t:string,
+ scanStartedAt_t:string,
+ scanStatus_s:string,
+ threatRebootRequired_b:bool,
+ totalMemory_d:real ,
+ userActionsNeeded_s:string,
+ uuid_g:string,
+ creator_s:string,
+ creatorId_s:string,
+ inherits_b:string ,
+ isDefault_b:string ,
+ name_s:string,
+ registrationToken_s:string,
+ totalAgents_d:real ,
+ type_s:string
+ )[];
+ let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty
+ | extend
+ EventVendor="SentinelOne",
+ EventProduct="SentinelOne",
+ AccountId=column_ifexists('accountId_s', ''),
+ AccountName=column_ifexists('accountName_s', ''),
+ ActivityType=toreal(column_ifexists('activityType_d', '')),
+ EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')),
+ DataAccountName=column_ifexists('data_accountName_s', ''),
+ DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),
+ DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),
+ DataScopeName=column_ifexists('data_scopeName_s', ''),
+ DataSiteId=column_ifexists('data_siteId_d', ''),
+ DataSiteName=column_ifexists('data_siteName_s', ''),
+ SrcUserName=column_ifexists('data_username_s', ''),
+ EventId=column_ifexists('id_s', ''),
+ EventOriginalMessage=column_ifexists('primaryDescription_s', ''),
+ PrimaryDescription=column_ifexists('primaryDescription_s', ''),
+ SiteId=column_ifexists('siteId_s', ''),
+ SiteName=column_ifexists('siteName_s', ''),
+ UpdatedAt=column_ifexists('updatedAt_t', ''),
+ UserIdentity=column_ifexists('userId_s', ''),
+ UserId=column_ifexists('userId_s', ''),
+ EventType=column_ifexists('event_name_s', ''),
+ DataByUser=column_ifexists('data_byUser_s', ''),
+ DataRole=column_ifexists('data_role_s', ''),
+ DataUserScope=column_ifexists('data_userScope_s', ''),
+ EventTypeDetailed=column_ifexists('description_s', ''),
+ DataSource=column_ifexists('data_source_s', ''),
+ DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),
+ DataExpiryTime=column_ifexists('data_expiryTime_d', ''),
+ DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),
+ DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),
+ DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),
+ DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),
+ DataRuleId=column_ifexists('data_ruleId_d', ''),
+ DataRuleName=column_ifexists('data_ruleName_s', ''),
+ DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),
+ DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),
+ DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),
+ DataScopeId=column_ifexists('data_scopeId_d', ''),
+ Id=column_ifexists('id_s', ''),
+ DataStatus=column_ifexists('data_status_s', ''),
+ DataSystemUser=column_ifexists('data_systemUser_d', ''),
+ DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),
+ DataUserId=column_ifexists('data_userId_d', ''),
+ DataUserName=column_ifexists('data_userName_s', ''),
+ EventSubStatus=column_ifexists('secondaryDescription_s', ''),
+ SecondaryDescription=column_ifexists('secondaryDescription_s', ''),
+ AgentId=column_ifexists('agentId_s', ''),
+ DataComputerName=column_ifexists('data_computerName_s', ''),
+ DataExternalIp=column_ifexists('data_externalIp_s', ''),
+ DataGroupName=column_ifexists('data_groupName_s', ''),
+ DataSystem=column_ifexists('data_system_b', ''),
+ DataUuid=column_ifexists('data_uuid_g', ''),
+ GroupId=column_ifexists('groupId_s', ''),
+ GroupName=column_ifexists('groupName_s', ''),
+ DataGroup=column_ifexists('data_group_s', ''),
+ DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),
+ DataCreatedAt=column_ifexists('data_createdAt_t', ''),
+ DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),
+ DataFilePath=column_ifexists('data_filePath_s', ''),
+ DataFilename=column_ifexists('data_filename_s', ''),
+ DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),
+ Comments=column_ifexists('comments_s', ''),
+ DataNewValue=column_ifexists('data_newValue_s', ''),
+ DataPolicyId=column_ifexists('data_policy_id_s', ''),
+ DataPolicyName=column_ifexists('data_policyName_s', ''),
+ DataNewValueb=column_ifexists('data_newValue_b', ''),
+ DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),
+ DataRoleName=column_ifexists('data_roleName_s', ''),
+ DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),
+ ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),
+ ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),
+ ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),
+ ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),
+ ActiveThreats=column_ifexists('activeThreats_d', ''),
+ AgentVersion=column_ifexists('agentVersion_s', ''),
+ AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),
+ AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),
+ ComputerName=column_ifexists('computerName_s', ''),
+ ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),
+ CoreCount=column_ifexists('coreCount_d', ''),
+ CpuCount=column_ifexists('cpuCount_d', ''),
+ CpuId=column_ifexists('cpuId_s', ''),
+ SrcDvcDomain=column_ifexists('domain_s', ''),
+ EncryptedApplications=column_ifexists('encryptedApplications_b', ''),
+ ExternalId=column_ifexists('externalId_s', ''),
+ ExternalIp=column_ifexists('externalIp_s', ''),
+ FirewallEnabled=column_ifexists('firewallEnabled_b', ''),
+ GroupIp=column_ifexists('groupIp_s', ''),
+ InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),
+ Infected=column_ifexists('infected_b', ''),
+ InstallerType=column_ifexists('installerType_s', ''),
+ IsActive=column_ifexists('isActive_b', ''),
+ IsDecommissioned=column_ifexists('isDecommissioned_b', ''),
+ IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),
+ IsUninstalled=column_ifexists('isUninstalled_b', ''),
+ IsUpToDate=column_ifexists('isUpToDate_b', ''),
+ LastActiveDate=column_ifexists('lastActiveDate_t', ''),
+ LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),
+ LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),
+ LicenseKey=column_ifexists('licenseKey_s', ''),
+ LocationEnabled=column_ifexists('locationEnabled_b', ''),
+ LocationType=column_ifexists('locationType_s', ''),
+ Locations=column_ifexists('locations_s', ''),
+ MachineType=column_ifexists('machineType_s', ''),
+ MitigationMode=column_ifexists('mitigationMode_s', ''),
+ MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),
+ SrcDvcModelName=column_ifexists('modelName_s', ''),
+ NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),
+ NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),
+ NetworkStatus=column_ifexists('networkStatus_s', ''),
+ OperationalState=column_ifexists('operationalState_s', ''),
+ OsArch=column_ifexists('osArch_s', ''),
+ SrcDvcOs=column_ifexists('osName_s', ''),
+ OsRevision=column_ifexists('osRevision_s', ''),
+ OsStartTime=column_ifexists('osStartTime_t', ''),
+ OsType=column_ifexists('osType_s', ''),
+ RangerStatus=column_ifexists('rangerStatus_s', ''),
+ RangerVersion=column_ifexists('rangerVersion_s', ''),
+ RegisteredAt=column_ifexists('registeredAt_t', ''),
+ RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),
+ ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),
+ ScanStartedAt=column_ifexists('scanStartedAt_t', ''),
+ ScanStatus=column_ifexists('scanStatus_s', ''),
+ ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),
+ TotalMemory=column_ifexists('totalMemory_d', ''),
+ UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),
+ Uuid=column_ifexists('uuid_g', ''),
+ Creator=column_ifexists('creator_s', ''),
+ CreatedAt=column_ifexists('createdAt_t',''),
+ CreatorId=column_ifexists('creatorId_s', ''),
+ Inherits=column_ifexists('inherits_b', ''),
+ IsDefault=column_ifexists('isDefault_b', ''),
+ Name=column_ifexists('name_s', ''),
+ RegistrationToken=column_ifexists('registrationToken_s', ''),
+ TotalAgents=column_ifexists('totalAgents_d', ''),
+ Type=column_ifexists('type_s', '');
+ union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union
+ | extend
+ ActivityType,
+ EventVendor="SentinelOne",
+ EventProduct="SentinelOne",
+ DataAccountName=tostring(parse_json(todynamic(Data)).accountName),
+ DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails),
+ DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel),
+ DataScopeName=tostring(parse_json(todynamic(Data)).scopeName),
+ DataSiteId=tostring(parse_json(todynamic(Data)).siteId),
+ DataSiteName=tostring(parse_json(todynamic(Data)).siteName),
+ SrcUserName=tostring(parse_json(todynamic(Data)).userName),
+ EventId=Id,
+ SourceParentProcessInfo,
+ EventOriginalMessage=PrimaryDescription,
+ UserIdentity=UserId,
+ EventTypeDetailed=Description,
+ DataRuleId=tostring(parse_json(todynamic(Data)).ruleId),
+ DataRuleName=tostring(parse_json(todynamic(Data)).rulename),
+ DataScopeId=tostring(parse_json(todynamic(Data)).scopeId),
+ DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser),
+ DataUserId=tostring(parse_json(todynamic(Data)).userId),
+ DataUserName=tostring(parse_json(todynamic(Data)).userName),
+ EventSubStatus=SecondaryDescription,
+ DataComputerName=tostring(parse_json(todynamic(Data)).computerName),
+ DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp),
+ DataGroupName=tostring(parse_json(todynamic(Data)).groupName),
+ DataStatus=tostring(parse_json(todynamic(Data)).status),
+ DataByUser=tostring(parse_json(todynamic(Data)).byUser),
+ DataRole=tostring(parse_json(todynamic(Data)).role),
+ DataUserScope=tostring(parse_json(todynamic(Data)).userScope),
+ DataSource=tostring(parse_json(todynamic(Data)).source),
+ DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr),
+ DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime),
+ DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine),
+ DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime),
+ DataUuid=Uuid,
+ DataGroup=tostring(parse_json(todynamic(Data)).group),
+ DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription),
+ EventType=tostring(parse_json(todynamic(AlertInfo)).eventType),
+ DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode),
+ DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails),
+ DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType),
+ DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity),
+ DataSystem=tostring(parse_json(todynamic(Data)).system),
+ DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups),
+ DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt),
+ DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl),
+ DataFilePath=tostring(parse_json(todynamic(Data)).filePath),
+ DataFilename=tostring(parse_json(todynamic(Data)).filename),
+ DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename),
+ DataNewValue=tostring(parse_json(todynamic(Data)).newValue),
+ DataPolicyId=tostring(parse_json(todynamic(Data)).policyId),
+ DataPolicyName=tostring(parse_json(todynamic(Data)).policyName),
+ DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot),
+ DataRoleName=tostring(parse_json(todynamic(Data)).roleName),
+ DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName),
+ ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName),
+ ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf),
+ ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName),
+ ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf),
+ SrcDvcDomain=Domain,
+ AlertInfo,
+ FirewallEnabled=column_ifexists('FirewallEnabled',''),
+ LocationEnabled=column_ifexists('LocationEnabled',''),
+ SrcDvcModelName=ModelName,
+ NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''),
+ SrcDvcOs=OsName,
+ SourceProcessInfo,
+ RuleInfo,
+ TargetProcessInfo,
+ ContainerInfo,
+ AgentDetectionInfo,
+ EventCreationTime=CreatedAt,
+ RemoteProfilingState=column_ifexists('RemoteProfilingState','')
+ | project
+ TimeGenerated,
+ AgentDetectionInfo,
+ EventVendor,
+ EventProduct,
+ AccountName,
+ SourceParentProcessInfo,
+ TargetProcessInfo,
+ ActivityType,
+ EventCreationTime,
+ DataAccountName,
+ DataFullScopeDetails,
+ DataScopeLevel,
+ DataScopeName,
+ DataSiteId,
+ SourceProcessInfo,
+ DataSiteName,
+ SrcUserName,
+ EventId,
+ EventOriginalMessage,
+ SiteId,
+ SiteName,
+ UpdatedAt,
+ UserIdentity,
+ EventType,
+ DataByUser,
+ DataRole,
+ DataUserScope,
+ EventTypeDetailed,
+ DataSource,
+ DataExpiryDateStr,
+ DataExpiryTime,
+ DataNetworkquarantine,
+ DataRuleCreationTime,
+ DataRuleDescription,
+ DataRuleExpirationMode,
+ DataRuleId,
+ DataRuleName,
+ DataRuleQueryDetails,
+ DataRuleQueryType,
+ DataRuleSeverity,
+ DataScopeId,
+ DataStatus,
+ DataSystemUser,
+ DataTreatasthreat,
+ DataUserId,
+ DataUserName,
+ EventSubStatus,
+ AgentId,
+ DataComputerName,
+ DataExternalIp,
+ DataGroupName,
+ DataSystem,
+ DataUuid,
+ GroupId,
+ GroupName,
+ DataGroup,
+ DataOptionalGroups,
+ DataCreatedAt,
+ DataDownloadUrl,
+ DataFilePath,
+ DataFilename,
+ DataUploadedFilename,
+ Comments,
+ DataNewValue,
+ DataPolicyId,
+ DataPolicyName,
+ DataNewValueb,
+ DataShouldReboot,
+ DataRoleName,
+ DataScopeLevelName,
+ ActiveDirectoryComputerDistinguishedName,
+ ActiveDirectoryComputerMemberOf,
+ ActiveDirectoryLastUserDistinguishedName,
+ ActiveDirectoryLastUserMemberOf,
+ ActiveThreats=toreal(activeThreats_d),
+ AgentVersion,
+ AllowRemoteShell,
+ AppsVulnerabilityStatus,
+ ComputerName,
+ ConsoleMigrationStatus,
+ CoreCount=toreal(coreCount_d),
+ CpuCount=toreal(cpuCount_d),
+ CpuId,
+ SrcDvcDomain,
+ EncryptedApplications,
+ ExternalId,
+ ExternalIp,
+ FirewallEnabled,
+ GroupIp,
+ InRemoteShellSession,
+ Infected,
+ InstallerType,
+ IsActive,
+ IsDecommissioned,
+ IsPendingUninstall,
+ IsUninstalled,
+ IsUpToDate,
+ LastActiveDate=tostring(LastActiveDate_datetime),
+ LastIpToMgmt,
+ LastLoggedInUserName,
+ LicenseKey,
+ LocationEnabled,
+ LocationType,
+ Locations,
+ MachineType,
+ MitigationMode,
+ MitigationModeSuspicious,
+ SrcDvcModelName,
+ NetworkInterfaces,
+ NetworkQuarantineEnabled,
+ NetworkStatus,
+ OperationalState,
+ OsArch,
+ SrcDvcOs,
+ OsRevision,
+ OsStartTime,
+ OsType,
+ RangerStatus,
+ RangerVersion,
+ RegisteredAt=tostring(RegisteredAt_datetime),
+ RemoteProfilingState,
+ ScanFinishedAt=tostring(ScanFinishedAt_datetime),
+ ScanStartedAt=tostring(ScanStartedAt_datetime),
+ ScanStatus,
+ ThreatRebootRequired,
+ TotalMemory=toreal(totalMemory_d),
+ UserActionsNeeded,
+ Uuid,
Creator, + CreatorId, + Inherits, + IsDefault, + Name, + AlertInfo, + RuleInfo, + ContainerInfo, + RegistrationToken, + TotalAgents=totalAgents_d, + Type; +}; +SentinelOne_view \ No newline at end of file diff --git a/Solutions/SentinelOne/SolutionMetadata.json b/Solutions/SentinelOne/SolutionMetadata.json index 024855ceb0b..6cfa0385e0e 100644 --- a/Solutions/SentinelOne/SolutionMetadata.json +++ b/Solutions/SentinelOne/SolutionMetadata.json @@ -1,7 +1,10 @@ { "publisherId": "azuresentinel", "offerId": "azure-sentinel-solution-sentinelone", - "firstPublishDate": "2022-04-01", + "SolutionVersion":"1.0.1", + "ConnectorDefinitionTemplateVersion": "1.0.1", + "DataConnectorsTemplateVersion": "1.0.1", + "firstPublishDate": "2024-11-26", "providers": [ "SentinelOne" ], "categories": { "domains": ["Security - Threat Protection"] From 659ee6cf85164b5a18b297723e957be49a6bf172 Mon Sep 17 00:00:00 2001 From: PrasadBoke Date: Wed, 4 Dec 2024 12:19:04 +0530 Subject: [PATCH 02/22] table schema added --- .../SentinelOneActivities_CL.json | 1297 +++++++++++++++++ .../CustomTables/SentinelOneAgents_CL.json | 1297 +++++++++++++++++ .../CustomTables/SentinelOneAlerts_CL.json | 1297 +++++++++++++++++ .../CustomTables/SentinelOneGroups_CL.json | 1297 +++++++++++++++++ .../CustomTables/SentinelOneThreats_CL.json | 1297 +++++++++++++++++ 5 files changed, 6485 insertions(+) create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/SentinelOneActivities_CL.json create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/SentinelOneAlerts_CL.json create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/SentinelOneGroups_CL.json create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/SentinelOneThreats_CL.json 
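Review bot: `SentinelOneV2_Empty` is declared at the top of the view but never appears in the final `union isfuzzy=true SentinelOneActivities_CL,...,SentinelOneV1Empty_Union`, so in a workspace where none of the new `*_CL` tables exist yet the later references to `Data`, `Description`, `Domain`, `ModelName`, `OsName`, `ActiveDirectory` and `AlertInfo` have no source column and the parser will most likely fail to resolve instead of degrading to legacy `SentinelOne_CL` as the empty-datatable pattern intends. Add it to the union, `union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union,SentinelOneV2_Empty`, and give the datatable string columns for `Data`, `Description`, `Domain`, `ModelName`, `OsName` and `ActiveDirectory`, which it currently lacks. Separately, `DataRuleName=tostring(parse_json(todynamic(Data)).rulename)` uses lower-case `rulename` while the legacy column is `data_ruleName_s`; dynamic property access is case-sensitive, so if the new payload is camelCase this field will always be empty. `parse_json(todynamic(Data))` is also a double parse repeated roughly forty times per row; a single `| extend d = parse_json(Data)` followed by `tostring(d.accountName)` and so on reads better and is cheaper. Note too that the view passes `RegistrationToken` and `LicenseKey` straight through to every consumer of the parser; if those hold the agent site registration token it is worth confirming that exposing them to all workspace readers is intended.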
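Review bot: `firstPublishDate` is rewritten from `2022-04-01` to `2024-11-26` in this hunk, which erases the solution's original publish date even though the same patch adds version fields that already record this re-release; keep `"firstPublishDate": "2022-04-01"` and put the new date in a `lastPublishDate` field if the packaging tooling reads one. The three new keys `SolutionVersion`, `ConnectorDefinitionTemplateVersion` and `DataConnectorsTemplateVersion` are PascalCase while every existing key in the file is camelCase; if the build tooling matches these names exactly that is fine, otherwise align them to the file's convention.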
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneActivities_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneActivities_CL.json
new file mode 100644
index 00000000000..7636a51c810
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneActivities_CL.json
@@ -0,0 +1,1297 @@ +{ + "Name":"SentinelOneActivities_CL", + "Properties":[ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "accountId_s", + "Type": "string" + }, + { + "Name": "accountName_s", + "Type": "string" + }, + { + "Name": "activityType_d", + "Type": "real" + }, + { + "Name": "createdAt_t", + "Type": "datetime" + }, + { + "Name": "data_accountName_s", + "Type": "string" + }, + { + "Name": "data_fullScopeDetails_s", + "Type": "string" + }, + { + "Name": "data_role_s", + "Type": "string" + }, + { + "Name": "data_scopeLevel_s", + "Type": "string" + }, + { + "Name": "data_scopeName_s", + "Type": "string" + }, + { + "Name": "data_siteName_s", + "Type": "string" + }, + { + "Name": "data_source_s", + "Type": "string" + }, + { + "Name": "data_userScope_s", + "Type": "string" + }, + { + "Name": "data_username_s", + "Type": "string" + }, + { + "Name": "id_s", + "Type": "string" + }, + { + "Name": "primaryDescription_s", + "Type": "string" + }, + { + "Name": "siteId_s", + "Type": "string" + }, + { + "Name": "siteName_s", + "Type": "string" + }, + { + "Name": "updatedAt_t", + "Type": "datetime" + }, + { + "Name": "userId_s", + "Type": "string" + }, + { + "Name": "event_name_s", + "Type": "string" + }, + { + "Name": "activeDirectory_computerDistinguishedName_s", + "Type": "string" + }, + { + "Name": "activeDirectory_computerMemberOf_s", + "Type": "string" + }, + { + "Name": "activeDirectory_lastUserDistinguishedName_s", + "Type": "string" + }, + { + "Name": "activeDirectory_lastUserMemberOf_s", + "Type": "string" + }, + { + "Name": "activeThreats_d", + "Type": "real" + }, + { + "Name": "agentVersion_s", + "Type": "string" + }, + { + "Name": 
"allowRemoteShell_b", + "Type": "bool" + }, + { + "Name": "appsVulnerabilityStatus_s", + "Type": "string" + }, + { + "Name": "computerName_s", + "Type": "string" + }, + { + "Name": "consoleMigrationStatus_s", + "Type": "string" + }, + { + "Name": "coreCount_d", + "Type": "real" + }, + { + "Name": "cpuCount_d", + "Type": "real" + }, + { + "Name": "cpuId_s", + "Type": "string" + }, + { + "Name": "domain_s", + "Type": "string" + }, + { + "Name": "encryptedApplications_b", + "Type": "bool" + }, + { + "Name": "externalId_s", + "Type": "string" + }, + { + "Name": "externalIp_s", + "Type": "string" + }, + { + "Name": "firewallEnabled_b", + "Type": "bool" + }, + { + "Name": "groupId_s", + "Type": "string" + }, + { + "Name": "groupIp_s", + "Type": "string" + }, + { + "Name": "groupName_s", + "Type": "string" + }, + { + "Name": "inRemoteShellSession_b", + "Type": "bool" + }, + { + "Name": "infected_b", + "Type": "bool" + }, + { + "Name": "installerType_s", + "Type": "string" + }, + { + "Name": "isActive_b", + "Type": "bool" + }, + { + "Name": "isDecommissioned_b", + "Type": "bool" + }, + { + "Name": "isPendingUninstall_b", + "Type": "bool" + }, + { + "Name": "isUninstalled_b", + "Type": "bool" + }, + { + "Name": "isUpToDate_b", + "Type": "bool" + }, + { + "Name": "lastActiveDate_t", + "Type": "datetime" + }, + { + "Name": "lastIpToMgmt_s", + "Type": "string" + }, + { + "Name": "lastLoggedInUserName_s", + "Type": "string" + }, + { + "Name": "licenseKey_s", + "Type": "string" + }, + { + "Name": "locationEnabled_b", + "Type": "bool" + }, + { + "Name": "locationType_s", + "Type": "string" + }, + { + "Name": "locations_s", + "Type": "string" + }, + { + "Name": "machineType_s", + "Type": "string" + }, + { + "Name": "mitigationMode_s", + "Type": "string" + }, + { + "Name": "mitigationModeSuspicious_s", + "Type": "string" + }, + { + "Name": "modelName_s", + "Type": "string" + }, + { + "Name": "networkInterfaces_s", + "Type": "string" + }, + { + "Name": "networkQuarantineEnabled_b", 
+ "Type": "bool" + }, + { + "Name": "networkStatus_s", + "Type": "string" + }, + { + "Name": "operationalState_s", + "Type": "string" + }, + { + "Name": "osArch_s", + "Type": "string" + }, + { + "Name": "osName_s", + "Type": "string" + }, + { + "Name": "osRevision_s", + "Type": "string" + }, + { + "Name": "osStartTime_t", + "Type": "datetime" + }, + { + "Name": "osType_s", + "Type": "string" + }, + { + "Name": "rangerStatus_s", + "Type": "string" + }, + { + "Name": "rangerVersion_s", + "Type": "string" + }, + { + "Name": "registeredAt_t", + "Type": "datetime" + }, + { + "Name": "remoteProfilingState_s", + "Type": "string" + }, + { + "Name": "scanFinishedAt_t", + "Type": "datetime" + }, + { + "Name": "scanStartedAt_t", + "Type": "datetime" + }, + { + "Name": "scanStatus_s", + "Type": "string" + }, + { + "Name": "threatRebootRequired_b", + "Type": "bool" + }, + { + "Name": "totalMemory_d", + "Type": "real" + }, + { + "Name": "userActionsNeeded_s", + "Type": "string" + }, + { + "Name": "uuid_g", + "Type": "string" + }, + { + "Name": "creator_s", + "Type": "string" + }, + { + "Name": "creatorId_s", + "Type": "string" + }, + { + "Name": "inherits_b", + "Type": "bool" + }, + { + "Name": "isDefault_b", + "Type": "bool" + }, + { + "Name": "name_s", + "Type": "string" + }, + { + "Name": "registrationToken_s", + "Type": "string" + }, + { + "Name": "totalAgents_d", + "Type": "real" + }, + { + "Name": "type_s", + "Type": "string" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + }, + { + "Name": "_ItemId", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorDescription_s", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorName_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileOldPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorCategory_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValue_g", + "Type": "string" + }, + { + "Name": "alertInfo_dstIp_s", + "Type": 
"string" + }, + { + "Name": "alertInfo_dstPort_s", + "Type": "string" + }, + { + "Name": "alertInfo_netEventDirection_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcIp_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcPort_s", + "Type": "string" + }, + { + "Name": "containerInfo_id_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileId_g", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValue_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValueType_s", + "Type": "string" + }, + { + "Name": "alertInfo_dnsRequest_s", + "Type": "string" + }, + { + "Name": "alertInfo_dnsResponse_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryKeyPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryValue_g", + "Type": "string" + }, + { + "Name": "ruleInfo_description_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryValue_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginAccountDomain_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginAccountSid_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginIsAdministratorEquivalent_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginIsSuccessful_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginType_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginsUserName_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcMachineIp_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcCmdLine_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcImagePath_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcName_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcPid_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcSignedStatus_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcStorylineId_s", + "Type": "string" + }, + { + "Name": 
"targetProcessInfo_tgtProcUid_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_storyline_g", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_uniqueId_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_storyline_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_uniqueId_g", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcStorylineId_g", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcUid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_machineType_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_name_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osFamily_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osRevision_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_uuid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_version_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_id_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_infected_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_isActive_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_isDecommissioned_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_machineType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_name_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_os_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_uuid_g", + "Type": "string" + }, + { + "Name": "alertInfo_alertId_s", + "Type": "string" + }, + { + "Name": "alertInfo_analystVerdict_s", + "Type": "string" + }, + { + "Name": "alertInfo_createdAt_t", + "Type": "datetime" + }, + { + "Name": "alertInfo_dvEventId_s", + "Type": "string" + }, + { + "Name": "alertInfo_eventType_s", + "Type": "string" + }, + { + "Name": "alertInfo_hitType_s", + "Type": "string" + }, + { + "Name": "alertInfo_incidentStatus_s", + "Type": "string" + }, + { + 
"Name": "alertInfo_isEdr_b", + "Type": "bool" + }, + { + "Name": "alertInfo_reportedAt_t", + "Type": "datetime" + }, + { + "Name": "alertInfo_source_s", + "Type": "string" + }, + { + "Name": "alertInfo_updatedAt_t", + "Type": "datetime" + }, + { + "Name": "ruleInfo_id_s", + "Type": "string" + }, + { + "Name": "ruleInfo_name_s", + "Type": "string" + }, + { + "Name": "ruleInfo_queryLang_s", + "Type": "string" + }, + { + "Name": "ruleInfo_queryType_s", + "Type": "string" + }, + { + "Name": "ruleInfo_s1ql_s", + "Type": "string" + }, + { + "Name": "ruleInfo_scopeLevel_s", + "Type": "string" + }, + { + "Name": "ruleInfo_severity_s", + "Type": "string" + }, + { + "Name": "ruleInfo_treatAsThreat_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_commandline_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashMd5_g", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashSha1_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashSha256_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_filePath_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileSignerIdentity_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_integrityLevel_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_name_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_pid_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_pidStarttime_t", + "Type": "datetime" + }, + { + "Name": "sourceParentProcessInfo_storyline_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_subsystem_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_uniqueId_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_user_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_commandline_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashMd5_g", + "Type": "string" + }, + { + "Name": 
"sourceProcessInfo_fileHashSha1_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashSha256_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_filePath_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileSignerIdentity_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_integrityLevel_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_name_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_pid_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_pidStarttime_t", + "Type": "datetime" + }, + { + "Name": "sourceProcessInfo_storyline_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_subsystem_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_uniqueId_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_user_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileCreatedAt_t", + "Type": "datetime" + }, + { + "Name": "targetProcessInfo_tgtFileHashSha1_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileHashSha256_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileId_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileIsSigned_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileModifiedAt_t", + "Type": "datetime" + }, + { + "Name": "targetProcessInfo_tgtFilePath_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcIntegrityLevel_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcessStartTime_t", + "Type": "datetime" + }, + { + "Name": "agentUpdatedVersion_s", + "Type": "string" + }, + { + "Name": "agentId_s", + "Type": "string" + }, + { + "Name": "hash_s", + "Type": "string" + }, + { + "Name": "osFamily_s", + "Type": "string" + }, + { + "Name": "threatId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_accountId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_accountName_s", + "Type": "string" + }, + { + "Name": 
"agentDetectionInfo_agentDetectionState_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentDomain_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentIpV4_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentIpV6_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentLastLoggedInUserName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentMitigationMode_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentOsName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentOsRevision_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentRegisteredAt_t", + "Type": "datetime" + }, + { + "Name": "agentDetectionInfo_agentUuid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentVersion_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_externalIp_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_groupId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_groupName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_siteId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_siteName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_accountId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_accountName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_activeThreats_d", + "Type": "real" + }, + { + "Name": "agentRealtimeInfo_agentComputerName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentDomain_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentInfected_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentIsActive_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentIsDecommissioned_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentMachineType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentMitigationMode_s", + 
"Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentNetworkStatus_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsRevision_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentUuid_g", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentVersion_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_groupId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_groupName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_networkInterfaces_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_operationalState_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_rebootRequired_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_scanFinishedAt_t", + "Type": "datetime" + }, + { + "Name": "agentRealtimeInfo_scanStartedAt_t", + "Type": "datetime" + }, + { + "Name": "agentRealtimeInfo_scanStatus_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_siteId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_siteName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_userActionsNeeded_s", + "Type": "string" + }, + { + "Name": "indicators_s", + "Type": "string" + }, + { + "Name": "mitigationStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_analystVerdict_s", + "Type": "string" + }, + { + "Name": "threatInfo_analystVerdictDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_automaticallyResolved_b", + "Type": "bool" + }, + { + "Name": "threatInfo_certificateId_s", + "Type": "string" + }, + { + "Name": "threatInfo_classification_s", + "Type": "string" + }, + { + "Name": "threatInfo_classificationSource_s", + "Type": "string" + }, + { + "Name": "threatInfo_cloudFilesHashVerdict_s", + "Type": "string" + }, + { + "Name": "threatInfo_collectionId_s", + "Type": "string" + }, + { + "Name": 
"threatInfo_confidenceLevel_s", + "Type": "string" + }, + { + "Name": "threatInfo_createdAt_t", + "Type": "datetime" + }, + { + "Name": "threatInfo_detectionEngines_s", + "Type": "string" + }, + { + "Name": "threatInfo_detectionType_s", + "Type": "string" + }, + { + "Name": "threatInfo_engines_s", + "Type": "string" + }, + { + "Name": "threatInfo_externalTicketExists_b", + "Type": "bool" + }, + { + "Name": "threatInfo_failedActions_b", + "Type": "bool" + }, + { + "Name": "threatInfo_fileExtension_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileExtensionType_s", + "Type": "string" + }, + { + "Name": "threatInfo_filePath_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileSize_d", + "Type": "real" + }, + { + "Name": "threatInfo_fileVerificationType_s", + "Type": "string" + }, + { + "Name": "threatInfo_identifiedAt_t", + "Type": "datetime" + }, + { + "Name": "threatInfo_incidentStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_incidentStatusDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_initiatedBy_s", + "Type": "string" + }, + { + "Name": "threatInfo_initiatedByDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_isFileless_b", + "Type": "bool" + }, + { + "Name": "threatInfo_isValidCertificate_b", + "Type": "bool" + }, + { + "Name": "threatInfo_mitigatedPreemptively_b", + "Type": "bool" + }, + { + "Name": "threatInfo_mitigationStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_mitigationStatusDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_originatorProcess_s", + "Type": "string" + }, + { + "Name": "threatInfo_pendingActions_b", + "Type": "bool" + }, + { + "Name": "threatInfo_processUser_s", + "Type": "string" + }, + { + "Name": "threatInfo_publisherName_s", + "Type": "string" + }, + { + "Name": "threatInfo_reachedEventsLimit_b", + "Type": "bool" + }, + { + "Name": "threatInfo_rebootRequired_b", + "Type": "bool" + }, + { + "Name": "threatInfo_sha1_s", + "Type": "string" + }, + { + 
"Name": "threatInfo_storyline_s", + "Type": "string" + }, + { + "Name": "threatInfo_threatId_s", + "Type": "string" + }, + { + "Name": "threatInfo_threatName_s", + "Type": "string" + }, + { + "Name": "threatInfo_updatedAt_t", + "Type": "datetime" + }, + { + "Name": "whiteningOptions_s", + "Type": "string" + }, + { + "Name": "threatInfo_maliciousProcessArguments_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileExtension_g", + "Type": "string" + }, + { + "Name": "threatInfo_threatName_g", + "Type": "string" + }, + { + "Name": "threatInfo_storyline_g", + "Type": "string" + }, + { + "Name": "activityUuid_g", + "Type": "string" + }, + { + "Name": "secondaryDescription_s", + "Type": "string" + }, + { + "Name": "DataFields_s", + "Type": "string" + }, + { + "Name": "description_s", + "Type": "string" + }, + { + "Name": "comments_s", + "Type": "string" + }, + { + "Name": "detectionState_s", + "Type": "string" + }, + { + "Name": "firstFullModeTime_t", + "Type": "datetime" + }, + { + "Name": "fullDiskScanLastUpdatedAt_t", + "Type": "datetime" + }, + { + "Name": "serialNumber_s", + "Type": "string" + }, + { + "Name": "showAlertIcon_b", + "Type": "bool" + }, + { + "Name": "tags_sentinelone_s", + "Type": "string" + }, + { + "Name": "osUsername_s", + "Type": "string" + }, + { + "Name": "scanAbortedAt_t", + "Type": "datetime" + }, + { + "Name": "_ItemId", + "Type": "string" + } +] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json new file mode 100644 index 00000000000..bd794f5763a --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json 
@@ -0,0 +1,1297 @@ +{ + "Name":"SentinelOneAgents_CL", + "Properties":[ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "accountId_s", + "Type": "string" + }, + { + "Name": "accountName_s", + "Type": "string" + }, + { + "Name": "activityType_d", + "Type": "real" + }, + { + "Name": "createdAt_t", + "Type": "datetime" + }, + { + "Name": "data_accountName_s", + "Type": "string" + }, + { + "Name": "data_fullScopeDetails_s", + "Type": "string" + }, + { + "Name": "data_role_s", + "Type": "string" + }, + { + "Name": "data_scopeLevel_s", + "Type": "string" + }, + { + "Name": "data_scopeName_s", + "Type": "string" + }, + { + "Name": "data_siteName_s", + "Type": "string" + }, + { + "Name": "data_source_s", + "Type": "string" + }, + { + "Name": "data_userScope_s", + "Type": "string" + }, + { + "Name": "data_username_s", + "Type": "string" + }, + { + "Name": "id_s", + "Type": "string" + }, + { + "Name": "primaryDescription_s", + "Type": "string" + }, + { + "Name": "siteId_s", + "Type": "string" + }, + { + "Name": "siteName_s", + "Type": "string" + }, + { + "Name": "updatedAt_t", + "Type": "datetime" + }, + { + "Name": "userId_s", + "Type": "string" + }, + { + "Name": "event_name_s", + "Type": "string" + }, + { + "Name": "activeDirectory_computerDistinguishedName_s", + "Type": "string" + }, + { + "Name": "activeDirectory_computerMemberOf_s", + "Type": "string" + }, + { + "Name": "activeDirectory_lastUserDistinguishedName_s", + "Type": "string" + }, + { + "Name": "activeDirectory_lastUserMemberOf_s", + "Type": "string" + }, + { + "Name": "activeThreats_d", + "Type": "real" + }, + { + "Name": "agentVersion_s", + "Type": "string" + }, + { + "Name": 
"allowRemoteShell_b", + "Type": "bool" + }, + { + "Name": "appsVulnerabilityStatus_s", + "Type": "string" + }, + { + "Name": "computerName_s", + "Type": "string" + }, + { + "Name": "consoleMigrationStatus_s", + "Type": "string" + }, + { + "Name": "coreCount_d", + "Type": "real" + }, + { + "Name": "cpuCount_d", + "Type": "real" + }, + { + "Name": "cpuId_s", + "Type": "string" + }, + { + "Name": "domain_s", + "Type": "string" + }, + { + "Name": "encryptedApplications_b", + "Type": "bool" + }, + { + "Name": "externalId_s", + "Type": "string" + }, + { + "Name": "externalIp_s", + "Type": "string" + }, + { + "Name": "firewallEnabled_b", + "Type": "bool" + }, + { + "Name": "groupId_s", + "Type": "string" + }, + { + "Name": "groupIp_s", + "Type": "string" + }, + { + "Name": "groupName_s", + "Type": "string" + }, + { + "Name": "inRemoteShellSession_b", + "Type": "bool" + }, + { + "Name": "infected_b", + "Type": "bool" + }, + { + "Name": "installerType_s", + "Type": "string" + }, + { + "Name": "isActive_b", + "Type": "bool" + }, + { + "Name": "isDecommissioned_b", + "Type": "bool" + }, + { + "Name": "isPendingUninstall_b", + "Type": "bool" + }, + { + "Name": "isUninstalled_b", + "Type": "bool" + }, + { + "Name": "isUpToDate_b", + "Type": "bool" + }, + { + "Name": "lastActiveDate_t", + "Type": "datetime" + }, + { + "Name": "lastIpToMgmt_s", + "Type": "string" + }, + { + "Name": "lastLoggedInUserName_s", + "Type": "string" + }, + { + "Name": "licenseKey_s", + "Type": "string" + }, + { + "Name": "locationEnabled_b", + "Type": "bool" + }, + { + "Name": "locationType_s", + "Type": "string" + }, + { + "Name": "locations_s", + "Type": "string" + }, + { + "Name": "machineType_s", + "Type": "string" + }, + { + "Name": "mitigationMode_s", + "Type": "string" + }, + { + "Name": "mitigationModeSuspicious_s", + "Type": "string" + }, + { + "Name": "modelName_s", + "Type": "string" + }, + { + "Name": "networkInterfaces_s", + "Type": "string" + }, + { + "Name": "networkQuarantineEnabled_b", 
+ "Type": "bool" + }, + { + "Name": "networkStatus_s", + "Type": "string" + }, + { + "Name": "operationalState_s", + "Type": "string" + }, + { + "Name": "osArch_s", + "Type": "string" + }, + { + "Name": "osName_s", + "Type": "string" + }, + { + "Name": "osRevision_s", + "Type": "string" + }, + { + "Name": "osStartTime_t", + "Type": "datetime" + }, + { + "Name": "osType_s", + "Type": "string" + }, + { + "Name": "rangerStatus_s", + "Type": "string" + }, + { + "Name": "rangerVersion_s", + "Type": "string" + }, + { + "Name": "registeredAt_t", + "Type": "datetime" + }, + { + "Name": "remoteProfilingState_s", + "Type": "string" + }, + { + "Name": "scanFinishedAt_t", + "Type": "datetime" + }, + { + "Name": "scanStartedAt_t", + "Type": "datetime" + }, + { + "Name": "scanStatus_s", + "Type": "string" + }, + { + "Name": "threatRebootRequired_b", + "Type": "bool" + }, + { + "Name": "totalMemory_d", + "Type": "real" + }, + { + "Name": "userActionsNeeded_s", + "Type": "string" + }, + { + "Name": "uuid_g", + "Type": "string" + }, + { + "Name": "creator_s", + "Type": "string" + }, + { + "Name": "creatorId_s", + "Type": "string" + }, + { + "Name": "inherits_b", + "Type": "bool" + }, + { + "Name": "isDefault_b", + "Type": "bool" + }, + { + "Name": "name_s", + "Type": "string" + }, + { + "Name": "registrationToken_s", + "Type": "string" + }, + { + "Name": "totalAgents_d", + "Type": "real" + }, + { + "Name": "type_s", + "Type": "string" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + }, + { + "Name": "_ItemId", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorDescription_s", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorName_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileOldPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorCategory_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValue_g", + "Type": "string" + }, + { + "Name": "alertInfo_dstIp_s", + "Type": 
"string" + }, + { + "Name": "alertInfo_dstPort_s", + "Type": "string" + }, + { + "Name": "alertInfo_netEventDirection_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcIp_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcPort_s", + "Type": "string" + }, + { + "Name": "containerInfo_id_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileId_g", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValue_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValueType_s", + "Type": "string" + }, + { + "Name": "alertInfo_dnsRequest_s", + "Type": "string" + }, + { + "Name": "alertInfo_dnsResponse_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryKeyPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryValue_g", + "Type": "string" + }, + { + "Name": "ruleInfo_description_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryValue_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginAccountDomain_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginAccountSid_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginIsAdministratorEquivalent_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginIsSuccessful_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginType_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginsUserName_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcMachineIp_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcCmdLine_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcImagePath_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcName_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcPid_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcSignedStatus_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcStorylineId_s", + "Type": "string" + }, + { + "Name": 
"targetProcessInfo_tgtProcUid_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_storyline_g", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_uniqueId_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_storyline_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_uniqueId_g", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcStorylineId_g", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcUid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_machineType_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_name_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osFamily_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osRevision_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_uuid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_version_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_id_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_infected_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_isActive_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_isDecommissioned_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_machineType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_name_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_os_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_uuid_g", + "Type": "string" + }, + { + "Name": "alertInfo_alertId_s", + "Type": "string" + }, + { + "Name": "alertInfo_analystVerdict_s", + "Type": "string" + }, + { + "Name": "alertInfo_createdAt_t", + "Type": "datetime" + }, + { + "Name": "alertInfo_dvEventId_s", + "Type": "string" + }, + { + "Name": "alertInfo_eventType_s", + "Type": "string" + }, + { + "Name": "alertInfo_hitType_s", + "Type": "string" + }, + { + "Name": "alertInfo_incidentStatus_s", + "Type": "string" + }, + { + 
"Name": "alertInfo_isEdr_b", + "Type": "bool" + }, + { + "Name": "alertInfo_reportedAt_t", + "Type": "datetime" + }, + { + "Name": "alertInfo_source_s", + "Type": "string" + }, + { + "Name": "alertInfo_updatedAt_t", + "Type": "datetime" + }, + { + "Name": "ruleInfo_id_s", + "Type": "string" + }, + { + "Name": "ruleInfo_name_s", + "Type": "string" + }, + { + "Name": "ruleInfo_queryLang_s", + "Type": "string" + }, + { + "Name": "ruleInfo_queryType_s", + "Type": "string" + }, + { + "Name": "ruleInfo_s1ql_s", + "Type": "string" + }, + { + "Name": "ruleInfo_scopeLevel_s", + "Type": "string" + }, + { + "Name": "ruleInfo_severity_s", + "Type": "string" + }, + { + "Name": "ruleInfo_treatAsThreat_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_commandline_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashMd5_g", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashSha1_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashSha256_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_filePath_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileSignerIdentity_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_integrityLevel_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_name_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_pid_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_pidStarttime_t", + "Type": "datetime" + }, + { + "Name": "sourceParentProcessInfo_storyline_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_subsystem_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_uniqueId_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_user_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_commandline_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashMd5_g", + "Type": "string" + }, + { + "Name": 
"sourceProcessInfo_fileHashSha1_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashSha256_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_filePath_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileSignerIdentity_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_integrityLevel_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_name_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_pid_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_pidStarttime_t", + "Type": "datetime" + }, + { + "Name": "sourceProcessInfo_storyline_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_subsystem_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_uniqueId_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_user_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileCreatedAt_t", + "Type": "datetime" + }, + { + "Name": "targetProcessInfo_tgtFileHashSha1_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileHashSha256_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileId_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileIsSigned_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileModifiedAt_t", + "Type": "datetime" + }, + { + "Name": "targetProcessInfo_tgtFilePath_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcIntegrityLevel_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcessStartTime_t", + "Type": "datetime" + }, + { + "Name": "agentUpdatedVersion_s", + "Type": "string" + }, + { + "Name": "agentId_s", + "Type": "string" + }, + { + "Name": "hash_s", + "Type": "string" + }, + { + "Name": "osFamily_s", + "Type": "string" + }, + { + "Name": "threatId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_accountId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_accountName_s", + "Type": "string" + }, + { + "Name": 
"agentDetectionInfo_agentDetectionState_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentDomain_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentIpV4_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentIpV6_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentLastLoggedInUserName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentMitigationMode_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentOsName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentOsRevision_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentRegisteredAt_t", + "Type": "datetime" + }, + { + "Name": "agentDetectionInfo_agentUuid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentVersion_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_externalIp_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_groupId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_groupName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_siteId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_siteName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_accountId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_accountName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_activeThreats_d", + "Type": "real" + }, + { + "Name": "agentRealtimeInfo_agentComputerName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentDomain_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentInfected_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentIsActive_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentIsDecommissioned_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentMachineType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentMitigationMode_s", + 
"Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentNetworkStatus_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsRevision_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentUuid_g", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentVersion_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_groupId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_groupName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_networkInterfaces_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_operationalState_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_rebootRequired_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_scanFinishedAt_t", + "Type": "datetime" + }, + { + "Name": "agentRealtimeInfo_scanStartedAt_t", + "Type": "datetime" + }, + { + "Name": "agentRealtimeInfo_scanStatus_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_siteId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_siteName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_userActionsNeeded_s", + "Type": "string" + }, + { + "Name": "indicators_s", + "Type": "string" + }, + { + "Name": "mitigationStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_analystVerdict_s", + "Type": "string" + }, + { + "Name": "threatInfo_analystVerdictDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_automaticallyResolved_b", + "Type": "bool" + }, + { + "Name": "threatInfo_certificateId_s", + "Type": "string" + }, + { + "Name": "threatInfo_classification_s", + "Type": "string" + }, + { + "Name": "threatInfo_classificationSource_s", + "Type": "string" + }, + { + "Name": "threatInfo_cloudFilesHashVerdict_s", + "Type": "string" + }, + { + "Name": "threatInfo_collectionId_s", + "Type": "string" + }, + { + "Name": 
"threatInfo_confidenceLevel_s", + "Type": "string" + }, + { + "Name": "threatInfo_createdAt_t", + "Type": "datetime" + }, + { + "Name": "threatInfo_detectionEngines_s", + "Type": "string" + }, + { + "Name": "threatInfo_detectionType_s", + "Type": "string" + }, + { + "Name": "threatInfo_engines_s", + "Type": "string" + }, + { + "Name": "threatInfo_externalTicketExists_b", + "Type": "bool" + }, + { + "Name": "threatInfo_failedActions_b", + "Type": "bool" + }, + { + "Name": "threatInfo_fileExtension_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileExtensionType_s", + "Type": "string" + }, + { + "Name": "threatInfo_filePath_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileSize_d", + "Type": "real" + }, + { + "Name": "threatInfo_fileVerificationType_s", + "Type": "string" + }, + { + "Name": "threatInfo_identifiedAt_t", + "Type": "datetime" + }, + { + "Name": "threatInfo_incidentStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_incidentStatusDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_initiatedBy_s", + "Type": "string" + }, + { + "Name": "threatInfo_initiatedByDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_isFileless_b", + "Type": "bool" + }, + { + "Name": "threatInfo_isValidCertificate_b", + "Type": "bool" + }, + { + "Name": "threatInfo_mitigatedPreemptively_b", + "Type": "bool" + }, + { + "Name": "threatInfo_mitigationStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_mitigationStatusDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_originatorProcess_s", + "Type": "string" + }, + { + "Name": "threatInfo_pendingActions_b", + "Type": "bool" + }, + { + "Name": "threatInfo_processUser_s", + "Type": "string" + }, + { + "Name": "threatInfo_publisherName_s", + "Type": "string" + }, + { + "Name": "threatInfo_reachedEventsLimit_b", + "Type": "bool" + }, + { + "Name": "threatInfo_rebootRequired_b", + "Type": "bool" + }, + { + "Name": "threatInfo_sha1_s", + "Type": "string" + }, + { + 
"Name": "threatInfo_storyline_s", + "Type": "string" + }, + { + "Name": "threatInfo_threatId_s", + "Type": "string" + }, + { + "Name": "threatInfo_threatName_s", + "Type": "string" + }, + { + "Name": "threatInfo_updatedAt_t", + "Type": "datetime" + }, + { + "Name": "whiteningOptions_s", + "Type": "string" + }, + { + "Name": "threatInfo_maliciousProcessArguments_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileExtension_g", + "Type": "string" + }, + { + "Name": "threatInfo_threatName_g", + "Type": "string" + }, + { + "Name": "threatInfo_storyline_g", + "Type": "string" + }, + { + "Name": "activityUuid_g", + "Type": "string" + }, + { + "Name": "secondaryDescription_s", + "Type": "string" + }, + { + "Name": "DataFields_s", + "Type": "string" + }, + { + "Name": "description_s", + "Type": "string" + }, + { + "Name": "comments_s", + "Type": "string" + }, + { + "Name": "detectionState_s", + "Type": "string" + }, + { + "Name": "firstFullModeTime_t", + "Type": "datetime" + }, + { + "Name": "fullDiskScanLastUpdatedAt_t", + "Type": "datetime" + }, + { + "Name": "serialNumber_s", + "Type": "string" + }, + { + "Name": "showAlertIcon_b", + "Type": "bool" + }, + { + "Name": "tags_sentinelone_s", + "Type": "string" + }, + { + "Name": "osUsername_s", + "Type": "string" + }, + { + "Name": "scanAbortedAt_t", + "Type": "datetime" + }, + { + "Name": "_ItemId", + "Type": "string" + } +] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAlerts_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAlerts_CL.json new file mode 100644 index 00000000000..185f36dd112 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAlerts_CL.json 
@@ -0,0 +1,1297 @@ +{ + "Name":"SentinelOneAlerts_CL", + "Properties":[ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "accountId_s", + "Type": "string" + }, + { + "Name": "accountName_s", + "Type": "string" + }, + { + "Name": "activityType_d", + "Type": "real" + }, + { + "Name": "createdAt_t", + "Type": "datetime" + }, + { + "Name": "data_accountName_s", + "Type": "string" + }, + { + "Name": "data_fullScopeDetails_s", + "Type": "string" + }, + { + "Name": "data_role_s", + "Type": "string" + }, + { + "Name": "data_scopeLevel_s", + "Type": "string" + }, + { + "Name": "data_scopeName_s", + "Type": "string" + }, + { + "Name": "data_siteName_s", + "Type": "string" + }, + { + "Name": "data_source_s", + "Type": "string" + }, + { + "Name": "data_userScope_s", + "Type": "string" + }, + { + "Name": "data_username_s", + "Type": "string" + }, + { + "Name": "id_s", + "Type": "string" + }, + { + "Name": "primaryDescription_s", + "Type": "string" + }, + { + "Name": "siteId_s", + "Type": "string" + }, + { + "Name": "siteName_s", + "Type": "string" + }, + { + "Name": "updatedAt_t", + "Type": "datetime" + }, + { + "Name": "userId_s", + "Type": "string" + }, + { + "Name": "event_name_s", + "Type": "string" + }, + { + "Name": "activeDirectory_computerDistinguishedName_s", + "Type": "string" + }, + { + "Name": "activeDirectory_computerMemberOf_s", + "Type": "string" + }, + { + "Name": "activeDirectory_lastUserDistinguishedName_s", + "Type": "string" + }, + { + "Name": "activeDirectory_lastUserMemberOf_s", + "Type": "string" + }, + { + "Name": "activeThreats_d", + "Type": "real" + }, + { + "Name": "agentVersion_s", + "Type": "string" + }, + { + "Name": 
"allowRemoteShell_b", + "Type": "bool" + }, + { + "Name": "appsVulnerabilityStatus_s", + "Type": "string" + }, + { + "Name": "computerName_s", + "Type": "string" + }, + { + "Name": "consoleMigrationStatus_s", + "Type": "string" + }, + { + "Name": "coreCount_d", + "Type": "real" + }, + { + "Name": "cpuCount_d", + "Type": "real" + }, + { + "Name": "cpuId_s", + "Type": "string" + }, + { + "Name": "domain_s", + "Type": "string" + }, + { + "Name": "encryptedApplications_b", + "Type": "bool" + }, + { + "Name": "externalId_s", + "Type": "string" + }, + { + "Name": "externalIp_s", + "Type": "string" + }, + { + "Name": "firewallEnabled_b", + "Type": "bool" + }, + { + "Name": "groupId_s", + "Type": "string" + }, + { + "Name": "groupIp_s", + "Type": "string" + }, + { + "Name": "groupName_s", + "Type": "string" + }, + { + "Name": "inRemoteShellSession_b", + "Type": "bool" + }, + { + "Name": "infected_b", + "Type": "bool" + }, + { + "Name": "installerType_s", + "Type": "string" + }, + { + "Name": "isActive_b", + "Type": "bool" + }, + { + "Name": "isDecommissioned_b", + "Type": "bool" + }, + { + "Name": "isPendingUninstall_b", + "Type": "bool" + }, + { + "Name": "isUninstalled_b", + "Type": "bool" + }, + { + "Name": "isUpToDate_b", + "Type": "bool" + }, + { + "Name": "lastActiveDate_t", + "Type": "datetime" + }, + { + "Name": "lastIpToMgmt_s", + "Type": "string" + }, + { + "Name": "lastLoggedInUserName_s", + "Type": "string" + }, + { + "Name": "licenseKey_s", + "Type": "string" + }, + { + "Name": "locationEnabled_b", + "Type": "bool" + }, + { + "Name": "locationType_s", + "Type": "string" + }, + { + "Name": "locations_s", + "Type": "string" + }, + { + "Name": "machineType_s", + "Type": "string" + }, + { + "Name": "mitigationMode_s", + "Type": "string" + }, + { + "Name": "mitigationModeSuspicious_s", + "Type": "string" + }, + { + "Name": "modelName_s", + "Type": "string" + }, + { + "Name": "networkInterfaces_s", + "Type": "string" + }, + { + "Name": "networkQuarantineEnabled_b", 
+ "Type": "bool" + }, + { + "Name": "networkStatus_s", + "Type": "string" + }, + { + "Name": "operationalState_s", + "Type": "string" + }, + { + "Name": "osArch_s", + "Type": "string" + }, + { + "Name": "osName_s", + "Type": "string" + }, + { + "Name": "osRevision_s", + "Type": "string" + }, + { + "Name": "osStartTime_t", + "Type": "datetime" + }, + { + "Name": "osType_s", + "Type": "string" + }, + { + "Name": "rangerStatus_s", + "Type": "string" + }, + { + "Name": "rangerVersion_s", + "Type": "string" + }, + { + "Name": "registeredAt_t", + "Type": "datetime" + }, + { + "Name": "remoteProfilingState_s", + "Type": "string" + }, + { + "Name": "scanFinishedAt_t", + "Type": "datetime" + }, + { + "Name": "scanStartedAt_t", + "Type": "datetime" + }, + { + "Name": "scanStatus_s", + "Type": "string" + }, + { + "Name": "threatRebootRequired_b", + "Type": "bool" + }, + { + "Name": "totalMemory_d", + "Type": "real" + }, + { + "Name": "userActionsNeeded_s", + "Type": "string" + }, + { + "Name": "uuid_g", + "Type": "string" + }, + { + "Name": "creator_s", + "Type": "string" + }, + { + "Name": "creatorId_s", + "Type": "string" + }, + { + "Name": "inherits_b", + "Type": "bool" + }, + { + "Name": "isDefault_b", + "Type": "bool" + }, + { + "Name": "name_s", + "Type": "string" + }, + { + "Name": "registrationToken_s", + "Type": "string" + }, + { + "Name": "totalAgents_d", + "Type": "real" + }, + { + "Name": "type_s", + "Type": "string" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + }, + { + "Name": "_ItemId", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorDescription_s", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorName_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileOldPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorCategory_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValue_g", + "Type": "string" + }, + { + "Name": "alertInfo_dstIp_s", + "Type": 
"string" + }, + { + "Name": "alertInfo_dstPort_s", + "Type": "string" + }, + { + "Name": "alertInfo_netEventDirection_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcIp_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcPort_s", + "Type": "string" + }, + { + "Name": "containerInfo_id_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileId_g", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValue_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValueType_s", + "Type": "string" + }, + { + "Name": "alertInfo_dnsRequest_s", + "Type": "string" + }, + { + "Name": "alertInfo_dnsResponse_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryKeyPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryValue_g", + "Type": "string" + }, + { + "Name": "ruleInfo_description_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryValue_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginAccountDomain_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginAccountSid_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginIsAdministratorEquivalent_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginIsSuccessful_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginType_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginsUserName_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcMachineIp_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcCmdLine_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcImagePath_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcName_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcPid_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcSignedStatus_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcStorylineId_s", + "Type": "string" + }, + { + "Name": 
"targetProcessInfo_tgtProcUid_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_storyline_g", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_uniqueId_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_storyline_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_uniqueId_g", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcStorylineId_g", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcUid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_machineType_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_name_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osFamily_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osRevision_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_uuid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_version_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_id_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_infected_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_isActive_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_isDecommissioned_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_machineType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_name_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_os_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_uuid_g", + "Type": "string" + }, + { + "Name": "alertInfo_alertId_s", + "Type": "string" + }, + { + "Name": "alertInfo_analystVerdict_s", + "Type": "string" + }, + { + "Name": "alertInfo_createdAt_t", + "Type": "datetime" + }, + { + "Name": "alertInfo_dvEventId_s", + "Type": "string" + }, + { + "Name": "alertInfo_eventType_s", + "Type": "string" + }, + { + "Name": "alertInfo_hitType_s", + "Type": "string" + }, + { + "Name": "alertInfo_incidentStatus_s", + "Type": "string" + }, + { + 
"Name": "alertInfo_isEdr_b", + "Type": "bool" + }, + { + "Name": "alertInfo_reportedAt_t", + "Type": "datetime" + }, + { + "Name": "alertInfo_source_s", + "Type": "string" + }, + { + "Name": "alertInfo_updatedAt_t", + "Type": "datetime" + }, + { + "Name": "ruleInfo_id_s", + "Type": "string" + }, + { + "Name": "ruleInfo_name_s", + "Type": "string" + }, + { + "Name": "ruleInfo_queryLang_s", + "Type": "string" + }, + { + "Name": "ruleInfo_queryType_s", + "Type": "string" + }, + { + "Name": "ruleInfo_s1ql_s", + "Type": "string" + }, + { + "Name": "ruleInfo_scopeLevel_s", + "Type": "string" + }, + { + "Name": "ruleInfo_severity_s", + "Type": "string" + }, + { + "Name": "ruleInfo_treatAsThreat_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_commandline_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashMd5_g", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashSha1_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashSha256_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_filePath_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileSignerIdentity_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_integrityLevel_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_name_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_pid_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_pidStarttime_t", + "Type": "datetime" + }, + { + "Name": "sourceParentProcessInfo_storyline_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_subsystem_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_uniqueId_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_user_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_commandline_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashMd5_g", + "Type": "string" + }, + { + "Name": 
"sourceProcessInfo_fileHashSha1_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashSha256_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_filePath_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileSignerIdentity_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_integrityLevel_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_name_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_pid_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_pidStarttime_t", + "Type": "datetime" + }, + { + "Name": "sourceProcessInfo_storyline_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_subsystem_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_uniqueId_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_user_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileCreatedAt_t", + "Type": "datetime" + }, + { + "Name": "targetProcessInfo_tgtFileHashSha1_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileHashSha256_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileId_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileIsSigned_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileModifiedAt_t", + "Type": "datetime" + }, + { + "Name": "targetProcessInfo_tgtFilePath_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcIntegrityLevel_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcessStartTime_t", + "Type": "datetime" + }, + { + "Name": "agentUpdatedVersion_s", + "Type": "string" + }, + { + "Name": "agentId_s", + "Type": "string" + }, + { + "Name": "hash_s", + "Type": "string" + }, + { + "Name": "osFamily_s", + "Type": "string" + }, + { + "Name": "threatId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_accountId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_accountName_s", + "Type": "string" + }, + { + "Name": 
"agentDetectionInfo_agentDetectionState_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentDomain_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentIpV4_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentIpV6_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentLastLoggedInUserName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentMitigationMode_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentOsName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentOsRevision_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentRegisteredAt_t", + "Type": "datetime" + }, + { + "Name": "agentDetectionInfo_agentUuid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentVersion_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_externalIp_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_groupId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_groupName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_siteId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_siteName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_accountId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_accountName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_activeThreats_d", + "Type": "real" + }, + { + "Name": "agentRealtimeInfo_agentComputerName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentDomain_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentInfected_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentIsActive_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentIsDecommissioned_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentMachineType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentMitigationMode_s", + 
"Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentNetworkStatus_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsRevision_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentUuid_g", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentVersion_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_groupId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_groupName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_networkInterfaces_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_operationalState_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_rebootRequired_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_scanFinishedAt_t", + "Type": "datetime" + }, + { + "Name": "agentRealtimeInfo_scanStartedAt_t", + "Type": "datetime" + }, + { + "Name": "agentRealtimeInfo_scanStatus_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_siteId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_siteName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_userActionsNeeded_s", + "Type": "string" + }, + { + "Name": "indicators_s", + "Type": "string" + }, + { + "Name": "mitigationStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_analystVerdict_s", + "Type": "string" + }, + { + "Name": "threatInfo_analystVerdictDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_automaticallyResolved_b", + "Type": "bool" + }, + { + "Name": "threatInfo_certificateId_s", + "Type": "string" + }, + { + "Name": "threatInfo_classification_s", + "Type": "string" + }, + { + "Name": "threatInfo_classificationSource_s", + "Type": "string" + }, + { + "Name": "threatInfo_cloudFilesHashVerdict_s", + "Type": "string" + }, + { + "Name": "threatInfo_collectionId_s", + "Type": "string" + }, + { + "Name": 
"threatInfo_confidenceLevel_s", + "Type": "string" + }, + { + "Name": "threatInfo_createdAt_t", + "Type": "datetime" + }, + { + "Name": "threatInfo_detectionEngines_s", + "Type": "string" + }, + { + "Name": "threatInfo_detectionType_s", + "Type": "string" + }, + { + "Name": "threatInfo_engines_s", + "Type": "string" + }, + { + "Name": "threatInfo_externalTicketExists_b", + "Type": "bool" + }, + { + "Name": "threatInfo_failedActions_b", + "Type": "bool" + }, + { + "Name": "threatInfo_fileExtension_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileExtensionType_s", + "Type": "string" + }, + { + "Name": "threatInfo_filePath_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileSize_d", + "Type": "real" + }, + { + "Name": "threatInfo_fileVerificationType_s", + "Type": "string" + }, + { + "Name": "threatInfo_identifiedAt_t", + "Type": "datetime" + }, + { + "Name": "threatInfo_incidentStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_incidentStatusDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_initiatedBy_s", + "Type": "string" + }, + { + "Name": "threatInfo_initiatedByDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_isFileless_b", + "Type": "bool" + }, + { + "Name": "threatInfo_isValidCertificate_b", + "Type": "bool" + }, + { + "Name": "threatInfo_mitigatedPreemptively_b", + "Type": "bool" + }, + { + "Name": "threatInfo_mitigationStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_mitigationStatusDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_originatorProcess_s", + "Type": "string" + }, + { + "Name": "threatInfo_pendingActions_b", + "Type": "bool" + }, + { + "Name": "threatInfo_processUser_s", + "Type": "string" + }, + { + "Name": "threatInfo_publisherName_s", + "Type": "string" + }, + { + "Name": "threatInfo_reachedEventsLimit_b", + "Type": "bool" + }, + { + "Name": "threatInfo_rebootRequired_b", + "Type": "bool" + }, + { + "Name": "threatInfo_sha1_s", + "Type": "string" + }, + { + 
"Name": "threatInfo_storyline_s", + "Type": "string" + }, + { + "Name": "threatInfo_threatId_s", + "Type": "string" + }, + { + "Name": "threatInfo_threatName_s", + "Type": "string" + }, + { + "Name": "threatInfo_updatedAt_t", + "Type": "datetime" + }, + { + "Name": "whiteningOptions_s", + "Type": "string" + }, + { + "Name": "threatInfo_maliciousProcessArguments_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileExtension_g", + "Type": "string" + }, + { + "Name": "threatInfo_threatName_g", + "Type": "string" + }, + { + "Name": "threatInfo_storyline_g", + "Type": "string" + }, + { + "Name": "activityUuid_g", + "Type": "string" + }, + { + "Name": "secondaryDescription_s", + "Type": "string" + }, + { + "Name": "DataFields_s", + "Type": "string" + }, + { + "Name": "description_s", + "Type": "string" + }, + { + "Name": "comments_s", + "Type": "string" + }, + { + "Name": "detectionState_s", + "Type": "string" + }, + { + "Name": "firstFullModeTime_t", + "Type": "datetime" + }, + { + "Name": "fullDiskScanLastUpdatedAt_t", + "Type": "datetime" + }, + { + "Name": "serialNumber_s", + "Type": "string" + }, + { + "Name": "showAlertIcon_b", + "Type": "bool" + }, + { + "Name": "tags_sentinelone_s", + "Type": "string" + }, + { + "Name": "osUsername_s", + "Type": "string" + }, + { + "Name": "scanAbortedAt_t", + "Type": "datetime" + }, + { + "Name": "_ItemId", + "Type": "string" + } +] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneGroups_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneGroups_CL.json new file mode 100644 index 00000000000..6f894524b61 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneGroups_CL.json 
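Review bot: The Properties list of SentinelOneAlerts_CL is not an alerts schema but a union of every SentinelOne table's columns — activity fields (`activityType_d`, `primaryDescription_s`), agent inventory fields (`coreCount_d`, `licenseKey_s`), group fields (`creator_s`, `registrationToken_s`, `totalAgents_d`) and threat fields (`threatInfo_*`) all sit in one 1297-line file, and SentinelOneGroups_CL.json in the following hunk carries the identical list under a different Name. Since these CustomTables files are presumably what the KQL validation tests resolve column references against, an over-broad schema means a parser or analytic rule that reads a column the real table never receives will still pass validation; each file should list only the columns its table is actually fed by the DCR. `_ItemId` is also declared twice in the same array (once next to `_ResourceId`, again as the final entry), which looks like a leftover from merging the per-table lists. Separately, if `licenseKey_s` and `registrationToken_s` are genuinely projected into the workspace, those are enrollment secrets rather than telemetry and are worth dropping in the DCR transform instead of being readable to every workspace reader — whether the DCR emits them cannot be confirmed from this file.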
@@ -0,0 +1,1297 @@ +{ + "Name":"SentinelOneGroups_CL", + "Properties":[ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "accountId_s", + "Type": "string" + }, + { + "Name": "accountName_s", + "Type": "string" + }, + { + "Name": "activityType_d", + "Type": "real" + }, + { + "Name": "createdAt_t", + "Type": "datetime" + }, + { + "Name": "data_accountName_s", + "Type": "string" + }, + { + "Name": "data_fullScopeDetails_s", + "Type": "string" + }, + { + "Name": "data_role_s", + "Type": "string" + }, + { + "Name": "data_scopeLevel_s", + "Type": "string" + }, + { + "Name": "data_scopeName_s", + "Type": "string" + }, + { + "Name": "data_siteName_s", + "Type": "string" + }, + { + "Name": "data_source_s", + "Type": "string" + }, + { + "Name": "data_userScope_s", + "Type": "string" + }, + { + "Name": "data_username_s", + "Type": "string" + }, + { + "Name": "id_s", + "Type": "string" + }, + { + "Name": "primaryDescription_s", + "Type": "string" + }, + { + "Name": "siteId_s", + "Type": "string" + }, + { + "Name": "siteName_s", + "Type": "string" + }, + { + "Name": "updatedAt_t", + "Type": "datetime" + }, + { + "Name": "userId_s", + "Type": "string" + }, + { + "Name": "event_name_s", + "Type": "string" + }, + { + "Name": "activeDirectory_computerDistinguishedName_s", + "Type": "string" + }, + { + "Name": "activeDirectory_computerMemberOf_s", + "Type": "string" + }, + { + "Name": "activeDirectory_lastUserDistinguishedName_s", + "Type": "string" + }, + { + "Name": "activeDirectory_lastUserMemberOf_s", + "Type": "string" + }, + { + "Name": "activeThreats_d", + "Type": "real" + }, + { + "Name": "agentVersion_s", + "Type": "string" + }, + { + "Name": 
"allowRemoteShell_b", + "Type": "bool" + }, + { + "Name": "appsVulnerabilityStatus_s", + "Type": "string" + }, + { + "Name": "computerName_s", + "Type": "string" + }, + { + "Name": "consoleMigrationStatus_s", + "Type": "string" + }, + { + "Name": "coreCount_d", + "Type": "real" + }, + { + "Name": "cpuCount_d", + "Type": "real" + }, + { + "Name": "cpuId_s", + "Type": "string" + }, + { + "Name": "domain_s", + "Type": "string" + }, + { + "Name": "encryptedApplications_b", + "Type": "bool" + }, + { + "Name": "externalId_s", + "Type": "string" + }, + { + "Name": "externalIp_s", + "Type": "string" + }, + { + "Name": "firewallEnabled_b", + "Type": "bool" + }, + { + "Name": "groupId_s", + "Type": "string" + }, + { + "Name": "groupIp_s", + "Type": "string" + }, + { + "Name": "groupName_s", + "Type": "string" + }, + { + "Name": "inRemoteShellSession_b", + "Type": "bool" + }, + { + "Name": "infected_b", + "Type": "bool" + }, + { + "Name": "installerType_s", + "Type": "string" + }, + { + "Name": "isActive_b", + "Type": "bool" + }, + { + "Name": "isDecommissioned_b", + "Type": "bool" + }, + { + "Name": "isPendingUninstall_b", + "Type": "bool" + }, + { + "Name": "isUninstalled_b", + "Type": "bool" + }, + { + "Name": "isUpToDate_b", + "Type": "bool" + }, + { + "Name": "lastActiveDate_t", + "Type": "datetime" + }, + { + "Name": "lastIpToMgmt_s", + "Type": "string" + }, + { + "Name": "lastLoggedInUserName_s", + "Type": "string" + }, + { + "Name": "licenseKey_s", + "Type": "string" + }, + { + "Name": "locationEnabled_b", + "Type": "bool" + }, + { + "Name": "locationType_s", + "Type": "string" + }, + { + "Name": "locations_s", + "Type": "string" + }, + { + "Name": "machineType_s", + "Type": "string" + }, + { + "Name": "mitigationMode_s", + "Type": "string" + }, + { + "Name": "mitigationModeSuspicious_s", + "Type": "string" + }, + { + "Name": "modelName_s", + "Type": "string" + }, + { + "Name": "networkInterfaces_s", + "Type": "string" + }, + { + "Name": "networkQuarantineEnabled_b", 
+ "Type": "bool" + }, + { + "Name": "networkStatus_s", + "Type": "string" + }, + { + "Name": "operationalState_s", + "Type": "string" + }, + { + "Name": "osArch_s", + "Type": "string" + }, + { + "Name": "osName_s", + "Type": "string" + }, + { + "Name": "osRevision_s", + "Type": "string" + }, + { + "Name": "osStartTime_t", + "Type": "datetime" + }, + { + "Name": "osType_s", + "Type": "string" + }, + { + "Name": "rangerStatus_s", + "Type": "string" + }, + { + "Name": "rangerVersion_s", + "Type": "string" + }, + { + "Name": "registeredAt_t", + "Type": "datetime" + }, + { + "Name": "remoteProfilingState_s", + "Type": "string" + }, + { + "Name": "scanFinishedAt_t", + "Type": "datetime" + }, + { + "Name": "scanStartedAt_t", + "Type": "datetime" + }, + { + "Name": "scanStatus_s", + "Type": "string" + }, + { + "Name": "threatRebootRequired_b", + "Type": "bool" + }, + { + "Name": "totalMemory_d", + "Type": "real" + }, + { + "Name": "userActionsNeeded_s", + "Type": "string" + }, + { + "Name": "uuid_g", + "Type": "string" + }, + { + "Name": "creator_s", + "Type": "string" + }, + { + "Name": "creatorId_s", + "Type": "string" + }, + { + "Name": "inherits_b", + "Type": "bool" + }, + { + "Name": "isDefault_b", + "Type": "bool" + }, + { + "Name": "name_s", + "Type": "string" + }, + { + "Name": "registrationToken_s", + "Type": "string" + }, + { + "Name": "totalAgents_d", + "Type": "real" + }, + { + "Name": "type_s", + "Type": "string" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + }, + { + "Name": "_ItemId", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorDescription_s", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorName_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileOldPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorCategory_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValue_g", + "Type": "string" + }, + { + "Name": "alertInfo_dstIp_s", + "Type": 
"string" + }, + { + "Name": "alertInfo_dstPort_s", + "Type": "string" + }, + { + "Name": "alertInfo_netEventDirection_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcIp_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcPort_s", + "Type": "string" + }, + { + "Name": "containerInfo_id_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileId_g", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValue_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValueType_s", + "Type": "string" + }, + { + "Name": "alertInfo_dnsRequest_s", + "Type": "string" + }, + { + "Name": "alertInfo_dnsResponse_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryKeyPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryValue_g", + "Type": "string" + }, + { + "Name": "ruleInfo_description_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryValue_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginAccountDomain_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginAccountSid_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginIsAdministratorEquivalent_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginIsSuccessful_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginType_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginsUserName_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcMachineIp_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcCmdLine_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcImagePath_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcName_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcPid_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcSignedStatus_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcStorylineId_s", + "Type": "string" + }, + { + "Name": 
"targetProcessInfo_tgtProcUid_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_storyline_g", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_uniqueId_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_storyline_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_uniqueId_g", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcStorylineId_g", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcUid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_machineType_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_name_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osFamily_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osRevision_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_uuid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_version_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_id_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_infected_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_isActive_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_isDecommissioned_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_machineType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_name_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_os_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_uuid_g", + "Type": "string" + }, + { + "Name": "alertInfo_alertId_s", + "Type": "string" + }, + { + "Name": "alertInfo_analystVerdict_s", + "Type": "string" + }, + { + "Name": "alertInfo_createdAt_t", + "Type": "datetime" + }, + { + "Name": "alertInfo_dvEventId_s", + "Type": "string" + }, + { + "Name": "alertInfo_eventType_s", + "Type": "string" + }, + { + "Name": "alertInfo_hitType_s", + "Type": "string" + }, + { + "Name": "alertInfo_incidentStatus_s", + "Type": "string" + }, + { + 
"Name": "alertInfo_isEdr_b", + "Type": "bool" + }, + { + "Name": "alertInfo_reportedAt_t", + "Type": "datetime" + }, + { + "Name": "alertInfo_source_s", + "Type": "string" + }, + { + "Name": "alertInfo_updatedAt_t", + "Type": "datetime" + }, + { + "Name": "ruleInfo_id_s", + "Type": "string" + }, + { + "Name": "ruleInfo_name_s", + "Type": "string" + }, + { + "Name": "ruleInfo_queryLang_s", + "Type": "string" + }, + { + "Name": "ruleInfo_queryType_s", + "Type": "string" + }, + { + "Name": "ruleInfo_s1ql_s", + "Type": "string" + }, + { + "Name": "ruleInfo_scopeLevel_s", + "Type": "string" + }, + { + "Name": "ruleInfo_severity_s", + "Type": "string" + }, + { + "Name": "ruleInfo_treatAsThreat_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_commandline_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashMd5_g", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashSha1_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashSha256_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_filePath_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileSignerIdentity_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_integrityLevel_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_name_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_pid_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_pidStarttime_t", + "Type": "datetime" + }, + { + "Name": "sourceParentProcessInfo_storyline_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_subsystem_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_uniqueId_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_user_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_commandline_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashMd5_g", + "Type": "string" + }, + { + "Name": 
"sourceProcessInfo_fileHashSha1_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashSha256_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_filePath_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileSignerIdentity_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_integrityLevel_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_name_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_pid_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_pidStarttime_t", + "Type": "datetime" + }, + { + "Name": "sourceProcessInfo_storyline_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_subsystem_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_uniqueId_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_user_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileCreatedAt_t", + "Type": "datetime" + }, + { + "Name": "targetProcessInfo_tgtFileHashSha1_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileHashSha256_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileId_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileIsSigned_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileModifiedAt_t", + "Type": "datetime" + }, + { + "Name": "targetProcessInfo_tgtFilePath_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcIntegrityLevel_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcessStartTime_t", + "Type": "datetime" + }, + { + "Name": "agentUpdatedVersion_s", + "Type": "string" + }, + { + "Name": "agentId_s", + "Type": "string" + }, + { + "Name": "hash_s", + "Type": "string" + }, + { + "Name": "osFamily_s", + "Type": "string" + }, + { + "Name": "threatId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_accountId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_accountName_s", + "Type": "string" + }, + { + "Name": 
"agentDetectionInfo_agentDetectionState_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentDomain_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentIpV4_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentIpV6_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentLastLoggedInUserName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentMitigationMode_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentOsName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentOsRevision_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentRegisteredAt_t", + "Type": "datetime" + }, + { + "Name": "agentDetectionInfo_agentUuid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentVersion_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_externalIp_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_groupId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_groupName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_siteId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_siteName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_accountId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_accountName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_activeThreats_d", + "Type": "real" + }, + { + "Name": "agentRealtimeInfo_agentComputerName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentDomain_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentInfected_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentIsActive_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentIsDecommissioned_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentMachineType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentMitigationMode_s", + 
"Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentNetworkStatus_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsRevision_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentUuid_g", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentVersion_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_groupId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_groupName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_networkInterfaces_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_operationalState_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_rebootRequired_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_scanFinishedAt_t", + "Type": "datetime" + }, + { + "Name": "agentRealtimeInfo_scanStartedAt_t", + "Type": "datetime" + }, + { + "Name": "agentRealtimeInfo_scanStatus_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_siteId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_siteName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_userActionsNeeded_s", + "Type": "string" + }, + { + "Name": "indicators_s", + "Type": "string" + }, + { + "Name": "mitigationStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_analystVerdict_s", + "Type": "string" + }, + { + "Name": "threatInfo_analystVerdictDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_automaticallyResolved_b", + "Type": "bool" + }, + { + "Name": "threatInfo_certificateId_s", + "Type": "string" + }, + { + "Name": "threatInfo_classification_s", + "Type": "string" + }, + { + "Name": "threatInfo_classificationSource_s", + "Type": "string" + }, + { + "Name": "threatInfo_cloudFilesHashVerdict_s", + "Type": "string" + }, + { + "Name": "threatInfo_collectionId_s", + "Type": "string" + }, + { + "Name": 
"threatInfo_confidenceLevel_s", + "Type": "string" + }, + { + "Name": "threatInfo_createdAt_t", + "Type": "datetime" + }, + { + "Name": "threatInfo_detectionEngines_s", + "Type": "string" + }, + { + "Name": "threatInfo_detectionType_s", + "Type": "string" + }, + { + "Name": "threatInfo_engines_s", + "Type": "string" + }, + { + "Name": "threatInfo_externalTicketExists_b", + "Type": "bool" + }, + { + "Name": "threatInfo_failedActions_b", + "Type": "bool" + }, + { + "Name": "threatInfo_fileExtension_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileExtensionType_s", + "Type": "string" + }, + { + "Name": "threatInfo_filePath_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileSize_d", + "Type": "real" + }, + { + "Name": "threatInfo_fileVerificationType_s", + "Type": "string" + }, + { + "Name": "threatInfo_identifiedAt_t", + "Type": "datetime" + }, + { + "Name": "threatInfo_incidentStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_incidentStatusDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_initiatedBy_s", + "Type": "string" + }, + { + "Name": "threatInfo_initiatedByDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_isFileless_b", + "Type": "bool" + }, + { + "Name": "threatInfo_isValidCertificate_b", + "Type": "bool" + }, + { + "Name": "threatInfo_mitigatedPreemptively_b", + "Type": "bool" + }, + { + "Name": "threatInfo_mitigationStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_mitigationStatusDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_originatorProcess_s", + "Type": "string" + }, + { + "Name": "threatInfo_pendingActions_b", + "Type": "bool" + }, + { + "Name": "threatInfo_processUser_s", + "Type": "string" + }, + { + "Name": "threatInfo_publisherName_s", + "Type": "string" + }, + { + "Name": "threatInfo_reachedEventsLimit_b", + "Type": "bool" + }, + { + "Name": "threatInfo_rebootRequired_b", + "Type": "bool" + }, + { + "Name": "threatInfo_sha1_s", + "Type": "string" + }, + { + 
"Name": "threatInfo_storyline_s", + "Type": "string" + }, + { + "Name": "threatInfo_threatId_s", + "Type": "string" + }, + { + "Name": "threatInfo_threatName_s", + "Type": "string" + }, + { + "Name": "threatInfo_updatedAt_t", + "Type": "datetime" + }, + { + "Name": "whiteningOptions_s", + "Type": "string" + }, + { + "Name": "threatInfo_maliciousProcessArguments_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileExtension_g", + "Type": "string" + }, + { + "Name": "threatInfo_threatName_g", + "Type": "string" + }, + { + "Name": "threatInfo_storyline_g", + "Type": "string" + }, + { + "Name": "activityUuid_g", + "Type": "string" + }, + { + "Name": "secondaryDescription_s", + "Type": "string" + }, + { + "Name": "DataFields_s", + "Type": "string" + }, + { + "Name": "description_s", + "Type": "string" + }, + { + "Name": "comments_s", + "Type": "string" + }, + { + "Name": "detectionState_s", + "Type": "string" + }, + { + "Name": "firstFullModeTime_t", + "Type": "datetime" + }, + { + "Name": "fullDiskScanLastUpdatedAt_t", + "Type": "datetime" + }, + { + "Name": "serialNumber_s", + "Type": "string" + }, + { + "Name": "showAlertIcon_b", + "Type": "bool" + }, + { + "Name": "tags_sentinelone_s", + "Type": "string" + }, + { + "Name": "osUsername_s", + "Type": "string" + }, + { + "Name": "scanAbortedAt_t", + "Type": "datetime" + }, + { + "Name": "_ItemId", + "Type": "string" + } +] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneThreats_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneThreats_CL.json new file mode 100644 index 00000000000..5cef98e2ffc --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneThreats_CL.json 
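Review bot: The `SentinelOneGroups_CL` fixture declares the `_ItemId` column twice — once right after `_ResourceId` and again as the final entry before the closing `]` — so the test schema has a duplicate column name; the last `{ "Name": "_ItemId", "Type": "string" }` entry should be dropped. The column list also appears to be the same 1297-line superset pasted into the sibling `SentinelOneThreats_CL.json` (and it carries alert, threat and agent fields that a Groups table would not hold), which means the KQL validation will accept queries against columns the real table may lack; consider trimming each fixture to the columns its DCR actually emits. From a security angle, `registrationToken_s` and `licenseKey_s` are listed as queryable columns — the SentinelOne group registration token is an agent-enrollment credential, so if the connector really lands it in Log Analytics, anyone with table read access obtains it; I cannot see the DCR transform here, but it would be worth confirming that field is dropped or masked there rather than only being declared in this fixture.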
@@ -0,0 +1,1297 @@ +{ + "Name":"SentinelOneThreats_CL", + "Properties":[ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "accountId_s", + "Type": "string" + }, + { + "Name": "accountName_s", + "Type": "string" + }, + { + "Name": "activityType_d", + "Type": "real" + }, + { + "Name": "createdAt_t", + "Type": "datetime" + }, + { + "Name": "data_accountName_s", + "Type": "string" + }, + { + "Name": "data_fullScopeDetails_s", + "Type": "string" + }, + { + "Name": "data_role_s", + "Type": "string" + }, + { + "Name": "data_scopeLevel_s", + "Type": "string" + }, + { + "Name": "data_scopeName_s", + "Type": "string" + }, + { + "Name": "data_siteName_s", + "Type": "string" + }, + { + "Name": "data_source_s", + "Type": "string" + }, + { + "Name": "data_userScope_s", + "Type": "string" + }, + { + "Name": "data_username_s", + "Type": "string" + }, + { + "Name": "id_s", + "Type": "string" + }, + { + "Name": "primaryDescription_s", + "Type": "string" + }, + { + "Name": "siteId_s", + "Type": "string" + }, + { + "Name": "siteName_s", + "Type": "string" + }, + { + "Name": "updatedAt_t", + "Type": "datetime" + }, + { + "Name": "userId_s", + "Type": "string" + }, + { + "Name": "event_name_s", + "Type": "string" + }, + { + "Name": "activeDirectory_computerDistinguishedName_s", + "Type": "string" + }, + { + "Name": "activeDirectory_computerMemberOf_s", + "Type": "string" + }, + { + "Name": "activeDirectory_lastUserDistinguishedName_s", + "Type": "string" + }, + { + "Name": "activeDirectory_lastUserMemberOf_s", + "Type": "string" + }, + { + "Name": "activeThreats_d", + "Type": "real" + }, + { + "Name": "agentVersion_s", + "Type": "string" + }, + { + "Name": 
"allowRemoteShell_b", + "Type": "bool" + }, + { + "Name": "appsVulnerabilityStatus_s", + "Type": "string" + }, + { + "Name": "computerName_s", + "Type": "string" + }, + { + "Name": "consoleMigrationStatus_s", + "Type": "string" + }, + { + "Name": "coreCount_d", + "Type": "real" + }, + { + "Name": "cpuCount_d", + "Type": "real" + }, + { + "Name": "cpuId_s", + "Type": "string" + }, + { + "Name": "domain_s", + "Type": "string" + }, + { + "Name": "encryptedApplications_b", + "Type": "bool" + }, + { + "Name": "externalId_s", + "Type": "string" + }, + { + "Name": "externalIp_s", + "Type": "string" + }, + { + "Name": "firewallEnabled_b", + "Type": "bool" + }, + { + "Name": "groupId_s", + "Type": "string" + }, + { + "Name": "groupIp_s", + "Type": "string" + }, + { + "Name": "groupName_s", + "Type": "string" + }, + { + "Name": "inRemoteShellSession_b", + "Type": "bool" + }, + { + "Name": "infected_b", + "Type": "bool" + }, + { + "Name": "installerType_s", + "Type": "string" + }, + { + "Name": "isActive_b", + "Type": "bool" + }, + { + "Name": "isDecommissioned_b", + "Type": "bool" + }, + { + "Name": "isPendingUninstall_b", + "Type": "bool" + }, + { + "Name": "isUninstalled_b", + "Type": "bool" + }, + { + "Name": "isUpToDate_b", + "Type": "bool" + }, + { + "Name": "lastActiveDate_t", + "Type": "datetime" + }, + { + "Name": "lastIpToMgmt_s", + "Type": "string" + }, + { + "Name": "lastLoggedInUserName_s", + "Type": "string" + }, + { + "Name": "licenseKey_s", + "Type": "string" + }, + { + "Name": "locationEnabled_b", + "Type": "bool" + }, + { + "Name": "locationType_s", + "Type": "string" + }, + { + "Name": "locations_s", + "Type": "string" + }, + { + "Name": "machineType_s", + "Type": "string" + }, + { + "Name": "mitigationMode_s", + "Type": "string" + }, + { + "Name": "mitigationModeSuspicious_s", + "Type": "string" + }, + { + "Name": "modelName_s", + "Type": "string" + }, + { + "Name": "networkInterfaces_s", + "Type": "string" + }, + { + "Name": "networkQuarantineEnabled_b", 
+ "Type": "bool" + }, + { + "Name": "networkStatus_s", + "Type": "string" + }, + { + "Name": "operationalState_s", + "Type": "string" + }, + { + "Name": "osArch_s", + "Type": "string" + }, + { + "Name": "osName_s", + "Type": "string" + }, + { + "Name": "osRevision_s", + "Type": "string" + }, + { + "Name": "osStartTime_t", + "Type": "datetime" + }, + { + "Name": "osType_s", + "Type": "string" + }, + { + "Name": "rangerStatus_s", + "Type": "string" + }, + { + "Name": "rangerVersion_s", + "Type": "string" + }, + { + "Name": "registeredAt_t", + "Type": "datetime" + }, + { + "Name": "remoteProfilingState_s", + "Type": "string" + }, + { + "Name": "scanFinishedAt_t", + "Type": "datetime" + }, + { + "Name": "scanStartedAt_t", + "Type": "datetime" + }, + { + "Name": "scanStatus_s", + "Type": "string" + }, + { + "Name": "threatRebootRequired_b", + "Type": "bool" + }, + { + "Name": "totalMemory_d", + "Type": "real" + }, + { + "Name": "userActionsNeeded_s", + "Type": "string" + }, + { + "Name": "uuid_g", + "Type": "string" + }, + { + "Name": "creator_s", + "Type": "string" + }, + { + "Name": "creatorId_s", + "Type": "string" + }, + { + "Name": "inherits_b", + "Type": "bool" + }, + { + "Name": "isDefault_b", + "Type": "bool" + }, + { + "Name": "name_s", + "Type": "string" + }, + { + "Name": "registrationToken_s", + "Type": "string" + }, + { + "Name": "totalAgents_d", + "Type": "real" + }, + { + "Name": "type_s", + "Type": "string" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + }, + { + "Name": "_ItemId", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorDescription_s", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorName_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileOldPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_indicatorCategory_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValue_g", + "Type": "string" + }, + { + "Name": "alertInfo_dstIp_s", + "Type": 
"string" + }, + { + "Name": "alertInfo_dstPort_s", + "Type": "string" + }, + { + "Name": "alertInfo_netEventDirection_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcIp_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcPort_s", + "Type": "string" + }, + { + "Name": "containerInfo_id_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileId_g", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValue_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryOldValueType_s", + "Type": "string" + }, + { + "Name": "alertInfo_dnsRequest_s", + "Type": "string" + }, + { + "Name": "alertInfo_dnsResponse_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryKeyPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryPath_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryValue_g", + "Type": "string" + }, + { + "Name": "ruleInfo_description_s", + "Type": "string" + }, + { + "Name": "alertInfo_registryValue_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginAccountDomain_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginAccountSid_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginIsAdministratorEquivalent_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginIsSuccessful_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginType_s", + "Type": "string" + }, + { + "Name": "alertInfo_loginsUserName_s", + "Type": "string" + }, + { + "Name": "alertInfo_srcMachineIp_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcCmdLine_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcImagePath_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcName_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcPid_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcSignedStatus_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcStorylineId_s", + "Type": "string" + }, + { + "Name": 
"targetProcessInfo_tgtProcUid_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_storyline_g", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_uniqueId_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_storyline_g", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_uniqueId_g", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcStorylineId_g", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcUid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_machineType_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_name_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osFamily_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_osRevision_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_uuid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_version_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_id_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_infected_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_isActive_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_isDecommissioned_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_machineType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_name_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_os_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_uuid_g", + "Type": "string" + }, + { + "Name": "alertInfo_alertId_s", + "Type": "string" + }, + { + "Name": "alertInfo_analystVerdict_s", + "Type": "string" + }, + { + "Name": "alertInfo_createdAt_t", + "Type": "datetime" + }, + { + "Name": "alertInfo_dvEventId_s", + "Type": "string" + }, + { + "Name": "alertInfo_eventType_s", + "Type": "string" + }, + { + "Name": "alertInfo_hitType_s", + "Type": "string" + }, + { + "Name": "alertInfo_incidentStatus_s", + "Type": "string" + }, + { + 
"Name": "alertInfo_isEdr_b", + "Type": "bool" + }, + { + "Name": "alertInfo_reportedAt_t", + "Type": "datetime" + }, + { + "Name": "alertInfo_source_s", + "Type": "string" + }, + { + "Name": "alertInfo_updatedAt_t", + "Type": "datetime" + }, + { + "Name": "ruleInfo_id_s", + "Type": "string" + }, + { + "Name": "ruleInfo_name_s", + "Type": "string" + }, + { + "Name": "ruleInfo_queryLang_s", + "Type": "string" + }, + { + "Name": "ruleInfo_queryType_s", + "Type": "string" + }, + { + "Name": "ruleInfo_s1ql_s", + "Type": "string" + }, + { + "Name": "ruleInfo_scopeLevel_s", + "Type": "string" + }, + { + "Name": "ruleInfo_severity_s", + "Type": "string" + }, + { + "Name": "ruleInfo_treatAsThreat_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_commandline_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashMd5_g", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashSha1_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileHashSha256_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_filePath_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_fileSignerIdentity_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_integrityLevel_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_name_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_pid_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_pidStarttime_t", + "Type": "datetime" + }, + { + "Name": "sourceParentProcessInfo_storyline_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_subsystem_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_uniqueId_s", + "Type": "string" + }, + { + "Name": "sourceParentProcessInfo_user_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_commandline_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashMd5_g", + "Type": "string" + }, + { + "Name": 
"sourceProcessInfo_fileHashSha1_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileHashSha256_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_filePath_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_fileSignerIdentity_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_integrityLevel_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_name_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_pid_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_pidStarttime_t", + "Type": "datetime" + }, + { + "Name": "sourceProcessInfo_storyline_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_subsystem_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_uniqueId_s", + "Type": "string" + }, + { + "Name": "sourceProcessInfo_user_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileCreatedAt_t", + "Type": "datetime" + }, + { + "Name": "targetProcessInfo_tgtFileHashSha1_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileHashSha256_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileId_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileIsSigned_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtFileModifiedAt_t", + "Type": "datetime" + }, + { + "Name": "targetProcessInfo_tgtFilePath_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcIntegrityLevel_s", + "Type": "string" + }, + { + "Name": "targetProcessInfo_tgtProcessStartTime_t", + "Type": "datetime" + }, + { + "Name": "agentUpdatedVersion_s", + "Type": "string" + }, + { + "Name": "agentId_s", + "Type": "string" + }, + { + "Name": "hash_s", + "Type": "string" + }, + { + "Name": "osFamily_s", + "Type": "string" + }, + { + "Name": "threatId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_accountId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_accountName_s", + "Type": "string" + }, + { + "Name": 
"agentDetectionInfo_agentDetectionState_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentDomain_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentIpV4_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentIpV6_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentLastLoggedInUserName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentMitigationMode_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentOsName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentOsRevision_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentRegisteredAt_t", + "Type": "datetime" + }, + { + "Name": "agentDetectionInfo_agentUuid_g", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_agentVersion_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_externalIp_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_groupId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_groupName_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_siteId_s", + "Type": "string" + }, + { + "Name": "agentDetectionInfo_siteName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_accountId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_accountName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_activeThreats_d", + "Type": "real" + }, + { + "Name": "agentRealtimeInfo_agentComputerName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentDomain_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentInfected_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentIsActive_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentIsDecommissioned_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_agentMachineType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentMitigationMode_s", + 
"Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentNetworkStatus_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsRevision_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentOsType_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentUuid_g", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_agentVersion_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_groupId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_groupName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_networkInterfaces_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_operationalState_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_rebootRequired_b", + "Type": "bool" + }, + { + "Name": "agentRealtimeInfo_scanFinishedAt_t", + "Type": "datetime" + }, + { + "Name": "agentRealtimeInfo_scanStartedAt_t", + "Type": "datetime" + }, + { + "Name": "agentRealtimeInfo_scanStatus_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_siteId_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_siteName_s", + "Type": "string" + }, + { + "Name": "agentRealtimeInfo_userActionsNeeded_s", + "Type": "string" + }, + { + "Name": "indicators_s", + "Type": "string" + }, + { + "Name": "mitigationStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_analystVerdict_s", + "Type": "string" + }, + { + "Name": "threatInfo_analystVerdictDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_automaticallyResolved_b", + "Type": "bool" + }, + { + "Name": "threatInfo_certificateId_s", + "Type": "string" + }, + { + "Name": "threatInfo_classification_s", + "Type": "string" + }, + { + "Name": "threatInfo_classificationSource_s", + "Type": "string" + }, + { + "Name": "threatInfo_cloudFilesHashVerdict_s", + "Type": "string" + }, + { + "Name": "threatInfo_collectionId_s", + "Type": "string" + }, + { + "Name": 
"threatInfo_confidenceLevel_s", + "Type": "string" + }, + { + "Name": "threatInfo_createdAt_t", + "Type": "datetime" + }, + { + "Name": "threatInfo_detectionEngines_s", + "Type": "string" + }, + { + "Name": "threatInfo_detectionType_s", + "Type": "string" + }, + { + "Name": "threatInfo_engines_s", + "Type": "string" + }, + { + "Name": "threatInfo_externalTicketExists_b", + "Type": "bool" + }, + { + "Name": "threatInfo_failedActions_b", + "Type": "bool" + }, + { + "Name": "threatInfo_fileExtension_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileExtensionType_s", + "Type": "string" + }, + { + "Name": "threatInfo_filePath_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileSize_d", + "Type": "real" + }, + { + "Name": "threatInfo_fileVerificationType_s", + "Type": "string" + }, + { + "Name": "threatInfo_identifiedAt_t", + "Type": "datetime" + }, + { + "Name": "threatInfo_incidentStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_incidentStatusDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_initiatedBy_s", + "Type": "string" + }, + { + "Name": "threatInfo_initiatedByDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_isFileless_b", + "Type": "bool" + }, + { + "Name": "threatInfo_isValidCertificate_b", + "Type": "bool" + }, + { + "Name": "threatInfo_mitigatedPreemptively_b", + "Type": "bool" + }, + { + "Name": "threatInfo_mitigationStatus_s", + "Type": "string" + }, + { + "Name": "threatInfo_mitigationStatusDescription_s", + "Type": "string" + }, + { + "Name": "threatInfo_originatorProcess_s", + "Type": "string" + }, + { + "Name": "threatInfo_pendingActions_b", + "Type": "bool" + }, + { + "Name": "threatInfo_processUser_s", + "Type": "string" + }, + { + "Name": "threatInfo_publisherName_s", + "Type": "string" + }, + { + "Name": "threatInfo_reachedEventsLimit_b", + "Type": "bool" + }, + { + "Name": "threatInfo_rebootRequired_b", + "Type": "bool" + }, + { + "Name": "threatInfo_sha1_s", + "Type": "string" + }, + { + 
"Name": "threatInfo_storyline_s", + "Type": "string" + }, + { + "Name": "threatInfo_threatId_s", + "Type": "string" + }, + { + "Name": "threatInfo_threatName_s", + "Type": "string" + }, + { + "Name": "threatInfo_updatedAt_t", + "Type": "datetime" + }, + { + "Name": "whiteningOptions_s", + "Type": "string" + }, + { + "Name": "threatInfo_maliciousProcessArguments_s", + "Type": "string" + }, + { + "Name": "threatInfo_fileExtension_g", + "Type": "string" + }, + { + "Name": "threatInfo_threatName_g", + "Type": "string" + }, + { + "Name": "threatInfo_storyline_g", + "Type": "string" + }, + { + "Name": "activityUuid_g", + "Type": "string" + }, + { + "Name": "secondaryDescription_s", + "Type": "string" + }, + { + "Name": "DataFields_s", + "Type": "string" + }, + { + "Name": "description_s", + "Type": "string" + }, + { + "Name": "comments_s", + "Type": "string" + }, + { + "Name": "detectionState_s", + "Type": "string" + }, + { + "Name": "firstFullModeTime_t", + "Type": "datetime" + }, + { + "Name": "fullDiskScanLastUpdatedAt_t", + "Type": "datetime" + }, + { + "Name": "serialNumber_s", + "Type": "string" + }, + { + "Name": "showAlertIcon_b", + "Type": "bool" + }, + { + "Name": "tags_sentinelone_s", + "Type": "string" + }, + { + "Name": "osUsername_s", + "Type": "string" + }, + { + "Name": "scanAbortedAt_t", + "Type": "datetime" + }, + { + "Name": "_ItemId", + "Type": "string" + } +] +} \ No newline at end of file From 76c86e5f232d7336734456d978d03c86a9795172 Mon Sep 17 00:00:00 2001 From: Ido Shabi Date: Wed, 4 Dec 2024 11:21:44 +0200 Subject: [PATCH 03/22] fixing issues with testing --- Solutions/SentinelOne/Parsers/newParser.txt | 633 -------------------- 1 file changed, 633 deletions(-) delete mode 100644 Solutions/SentinelOne/Parsers/newParser.txt diff --git a/Solutions/SentinelOne/Parsers/newParser.txt b/Solutions/SentinelOne/Parsers/newParser.txt deleted file mode 100644 index 3562373bb25..00000000000 --- a/Solutions/SentinelOne/Parsers/newParser.txt +++ /dev/null 
@@ -1,633 +0,0 @@ -let SentinelOne_view = view () { -let SentinelOneV2_Empty = datatable( - AccountId:string, - AccountName:string, - ActivityType:real , - EventCreationTime:datetime, - DataAccountName:string, - DataFullScopeDetails:string, - DataScopeLevel:string, - DataScopeName:string, - DataSiteId:int, - SecondaryDescription:string , - DataSiteName:string, - SourceProcessInfo:string, - SrcUserName:string, - EventId:string, - EventOriginalMessage:string, - SiteId:string, - SiteName:string, - UpdatedAt:datetime , - UserIdentity:string, - EventType:string, - DataByUser:string, - DataRole:string, - DataUserScope:string, - EventTypeDetailed:string, - DataSource:string, - DataExpiryDateStr:string, - DataExpiryTime:int, - DataNetworkquarantine:bool, - DataRuleCreationTime:int, - DataRuleDescription:string, - DataRuleExpirationMode:string, - DataRuleId:int, - DataRuleName:string, - DataRuleQueryDetails:string, - DataRuleQueryType:string, - DataRuleSeverity:string, - DataScopeId:int, - DataStatus:string, - DataSystemUser:int, - DataTreatasthreat:string, - DataUserId:int, - RuleInfo:string, - AgentDetectionInfo:string , - DataUserName:string, - EventSubStatus:string, - AgentId:string, - DataComputerName:string, - DataExternalIp:string, - DataGroupName:string, - DataSystem:bool, - DataUuid:string, - GroupId:string, - GroupName:string, - DataGroup:string, - UserId:string , - DataOptionalGroups:string, - DataCreatedAt:string, - DataDownloadUrl:string, - DataFilePath:string, - DataFilename:string, - DataUploadedFilename:string, - Comments:string, - DataNewValue:string, - DataPolicyId:string, - DataPolicyName:string, - DataNewValueb:string, - DataShouldReboot:bool, - DataRoleName:string, - DataScopeLevelName:string, - ActiveDirectoryComputerDistinguishedName:string, - ActiveDirectoryComputerMemberOf:string, - ActiveDirectoryLastUserDistinguishedName:string, - ActiveDirectoryLastUserMemberOf:string, - ActiveThreats:int, - AgentVersion:string, - AllowRemoteShell:bool, - 
AppsVulnerabilityStatus:string, - ComputerName:string, - ConsoleMigrationStatus:string, - CoreCount:int, - CpuCount:int, - CpuId:string, - SrcDvcDomain:string, - EncryptedApplications:bool, - ExternalId:string, - ExternalIp:string, - FirewallEnabled:bool, - GroupIp:string, - InRemoteShellSession:bool, - Infected:bool, - InstallerType:string, - IsActive:bool, - IsDecommissioned:bool, - IsPendingUninstall:bool, - IsUninstalled:bool, - IsUpToDate:bool, - LastActiveDate:string, - TargetProcessInfo:string , - LastIpToMgmt:string, - LastLoggedInUserName:string, - LicenseKey:string, - LocationEnabled:bool, - LocationType:string, - Locations:string, - MachineType:string, - MitigationMode:string, - MitigationModeSuspicious:string, - SrcDvcModelName:string, - NetworkInterfaces:string, - NetworkQuarantineEnabled:bool, - NetworkStatus:string, - OperationalState:string, - OsArch:string, - SrcDvcOs:string, - OsRevision:string, - OsStartTime:datetime , - OsType:string, - RangerStatus:string, - RangerVersion:string, - RegisteredAt:string, - RemoteProfilingState:string, - ScanFinishedAt:string, - ScanStartedAt:string, - ScanStatus:string, - ThreatRebootRequired:bool, - TotalMemory:int, - SourceParentProcessInfo:string , - UserActionsNeeded:string, - Uuid:string, - Creator:string, - ContainerInfo:string, - CreatorId:string, - Inherits:string , - IsDefault:string , - Name:string, - RegistrationToken:string, - AlertInfo:string, - PrimaryDescription:string , - TotalAgents:real , - CreatedAt:datetime , - Id:string, - Type:string - )[]; -let SentinelOneV1_Empty = datatable ( - accountId_s:string, - accountName_s:string, - activityType_d:real, - createdAt_t:datetime , - data_accountName_s:string, - data_fullScopeDetails_s:string, - data_scopeLevel_s:string, - data_scopeName_s:string, - data_siteId_d:int, - data_siteName_s:string, - data_username_s:string, - id_s:string, - primaryDescription_s:string, - siteId_s:string, - siteName_s:string, - updatedAt_t:datetime , - userId_s:string, - 
event_name_s:string, - data_byUser_s:string, - data_role_s:string, - data_userScope_s:string, - description_s:string, - data_source_s:string, - data_expiryDateStr_s:string, - data_expiryTime_d:int, - data_networkquarantine_b:bool, - data_ruleCreationTime_d:int, - data_ruleDescription_s:string, - data_ruleExpirationMode_s:string, - data_ruleId_d:int, - data_ruleName_s:string, - data_ruleQueryDetails_s:string, - data_ruleQueryType_s:string, - data_ruleSeverity_s:string, - data_scopeId_d:int, - data_status_s:string, - data_systemUser_d:int, - data_treatasthreat_s:string, - data_userId_d:int, - data_userName_s:string, - secondaryDescription_s:string, - agentId_s:string, - data_computerName_s:string, - data_externalIp_s:string, - data_groupName_s:string, - data_system_b:bool, - data_uuid_g:string, - groupId_s:string, - groupName_s:string, - data_group_s:string, - data_optionalGroups_s:string, - data_createdAt_t:string, - data_downloadUrl_s:string, - data_filePath_s:string, - data_filename_s:string, - data_uploadedFilename_s:string, - comments_s:string, - data_newValue_s:string, - data_policy_id_s:string, - data_policyName_s:string, - data_newValue_b:bool, - data_shouldReboot_b:bool, - data_roleName_s:string, - data_scopeLevelName_s:string, - activeDirectory_computerDistinguishedName_s:string, - activeDirectory_computerMemberOf_s:string, - activeDirectory_lastUserDistinguishedName_s:string, - activeDirectory_lastUserMemberOf_s:string, - activeThreats_d:real, - agentVersion_s:string, - allowRemoteShell_b:bool, - appsVulnerabilityStatus_s:string, - computerName_s:string, - consoleMigrationStatus_s:string, - coreCount_d:real, - cpuCount_d:real , - cpuId_s:string, - domain_s:string, - encryptedApplications_b:bool, - externalId_s:string, - externalIp_s:string, - firewallEnabled_b:bool, - groupIp_s:string, - inRemoteShellSession_b:bool, - infected_b:bool, - installerType_s:string, - isActive_b:bool, - isDecommissioned_b:bool, - isPendingUninstall_b:bool, - 
isUninstalled_b:bool, - isUpToDate_b:bool, - lastActiveDate_t:string, - lastIpToMgmt_s:string, - lastLoggedInUserName_s:string, - licenseKey_s:string, - locationEnabled_b:bool, - locationType_s:string, - locations_s:string, - machineType_s:string, - mitigationMode_s:string, - mitigationModeSuspicious_s:string, - modelName_s:string, - networkInterfaces_s:string, - networkQuarantineEnabled_b:bool, - networkStatus_s:string, - operationalState_s:string, - osArch_s:string, - osName_s:string, - osRevision_s:string, - osStartTime_t:datetime , - osType_s:string, - rangerStatus_s:string, - rangerVersion_s:string, - registeredAt_t:string, - remoteProfilingState_s:string, - scanFinishedAt_t:string, - scanStartedAt_t:string, - scanStatus_s:string, - threatRebootRequired_b:bool, - totalMemory_d:real , - userActionsNeeded_s:string, - uuid_g:string, - creator_s:string, - creatorId_s:string, - inherits_b:string , - isDefault_b:string , - name_s:string, - registrationToken_s:string, - totalAgents_d:real , - type_s:string - )[]; - let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty - | extend - EventVendor="SentinelOne", - EventProduct="SentinelOne", - AccountId=column_ifexists('accountId_s', ''), - AccountName=column_ifexists('accountName_s', ''), - ActivityType=toreal(column_ifexists('activityType_d', '')), - EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')), - DataAccountName=column_ifexists('data_accountName_s', ''), - DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''), - DataScopeLevel=column_ifexists('data_scopeLevel_s', ''), - DataScopeName=column_ifexists('data_scopeName_s', ''), - DataSiteId=column_ifexists('data_siteId_d', ''), - DataSiteName=column_ifexists('data_siteName_s', ''), - SrcUserName=column_ifexists('data_username_s', ''), - EventId=column_ifexists('id_s', ''), - EventOriginalMessage=column_ifexists('primaryDescription_s', ''), - PrimaryDescription=column_ifexists('primaryDescription_s', 
''), - SiteId=column_ifexists('siteId_s', ''), - SiteName=column_ifexists('siteName_s', ''), - UpdatedAt=column_ifexists('updatedAt_t', ''), - UserIdentity=column_ifexists('userId_s', ''), - UserId=column_ifexists('userId_s', ''), - EventType=column_ifexists('event_name_s', ''), - DataByUser=column_ifexists('data_byUser_s', ''), - DataRole=column_ifexists('data_role_s', ''), - DataUserScope=column_ifexists('data_userScope_s', ''), - EventTypeDetailed=column_ifexists('description_s', ''), - DataSource=column_ifexists('data_source_s', ''), - DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''), - DataExpiryTime=column_ifexists('data_expiryTime_d', ''), - DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''), - DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''), - DataRuleDescription=column_ifexists('data_ruleDescription_s', ''), - DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''), - DataRuleId=column_ifexists('data_ruleId_d', ''), - DataRuleName=column_ifexists('data_ruleName_s', ''), - DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''), - DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''), - DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''), - DataScopeId=column_ifexists('data_scopeId_d', ''), - Id=column_ifexists('id_s', ''), - DataStatus=column_ifexists('data_status_s', ''), - DataSystemUser=column_ifexists('data_systemUser_d', ''), - DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''), - DataUserId=column_ifexists('data_userId_d', ''), - DataUserName=column_ifexists('data_userName_s', ''), - EventSubStatus=column_ifexists('secondaryDescription_s', ''), - SecondaryDescription=column_ifexists('secondaryDescription_s', ''), - AgentId=column_ifexists('agentId_s', ''), - DataComputerName=column_ifexists('data_computerName_s', ''), - DataExternalIp=column_ifexists('data_externalIp_s', ''), - DataGroupName=column_ifexists('data_groupName_s', ''), - 
DataSystem=column_ifexists('data_system_b', ''), - DataUuid=column_ifexists('data_uuid_g', ''), - GroupId=column_ifexists('groupId_s', ''), - GroupName=column_ifexists('groupName_s', ''), - DataGroup=column_ifexists('data_group_s', ''), - DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''), - DataCreatedAt=column_ifexists('data_createdAt_t', ''), - DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''), - DataFilePath=column_ifexists('data_filePath_s', ''), - DataFilename=column_ifexists('data_filename_s', ''), - DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''), - Comments=column_ifexists('comments_s', ''), - DataNewValue=column_ifexists('data_newValue_s', ''), - DataPolicyId=column_ifexists('data_policy_id_s', ''), - DataPolicyName=column_ifexists('data_policyName_s', ''), - DataNewValueb=column_ifexists('data_newValue_b', ''), - DataShouldReboot=column_ifexists('data_shouldReboot_b', ''), - DataRoleName=column_ifexists('data_roleName_s', ''), - DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''), - ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''), - ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''), - ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''), - ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''), - ActiveThreats=column_ifexists('activeThreats_d', ''), - AgentVersion=column_ifexists('agentVersion_s', ''), - AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''), - AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''), - ComputerName=column_ifexists('computerName_s', ''), - ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''), - CoreCount=column_ifexists('coreCount_d', ''), - CpuCount=column_ifexists('cpuCount_d', ''), - CpuId=column_ifexists('cpuId_s', ''), - 
SrcDvcDomain=column_ifexists('domain_s', ''), - EncryptedApplications=column_ifexists('encryptedApplications_b', ''), - ExternalId=column_ifexists('externalId_s', ''), - ExternalIp=column_ifexists('externalIp_s', ''), - FirewallEnabled=column_ifexists('firewallEnabled_b', ''), - GroupIp=column_ifexists('groupIp_s', ''), - InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''), - Infected=column_ifexists('infected_b', ''), - InstallerType=column_ifexists('installerType_s', ''), - IsActive=column_ifexists('isActive_b', ''), - IsDecommissioned=column_ifexists('isDecommissioned_b', ''), - IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''), - IsUninstalled=column_ifexists('isUninstalled_b', ''), - IsUpToDate=column_ifexists('isUpToDate_b', ''), - LastActiveDate=column_ifexists('lastActiveDate_t', ''), - LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''), - LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''), - LicenseKey=column_ifexists('licenseKey_s', ''), - LocationEnabled=column_ifexists('locationEnabled_b', ''), - LocationType=column_ifexists('locationType_s', ''), - Locations=column_ifexists('locations_s', ''), - MachineType=column_ifexists('machineType_s', ''), - MitigationMode=column_ifexists('mitigationMode_s', ''), - MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''), - SrcDvcModelName=column_ifexists('modelName_s', ''), - NetworkInterfaces=column_ifexists('networkInterfaces_s', ''), - NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''), - NetworkStatus=column_ifexists('networkStatus_s', ''), - OperationalState=column_ifexists('operationalState_s', ''), - OsArch=column_ifexists('osArch_s', ''), - SrcDvcOs=column_ifexists('osName_s', ''), - OsRevision=column_ifexists('osRevision_s', ''), - OsStartTime=column_ifexists('osStartTime_t', ''), - OsType=column_ifexists('osType_s', ''), - RangerStatus=column_ifexists('rangerStatus_s', ''), - 
RangerVersion=column_ifexists('rangerVersion_s', ''), - RegisteredAt=column_ifexists('registeredAt_t', ''), - RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''), - ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''), - ScanStartedAt=column_ifexists('scanStartedAt_t', ''), - ScanStatus=column_ifexists('scanStatus_s', ''), - ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''), - TotalMemory=column_ifexists('totalMemory_d', ''), - UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''), - Uuid=column_ifexists('uuid_g', ''), - Creator=column_ifexists('creator_s', ''), - CreatedAt=column_ifexists('createdAt_t',''), - CreatorId=column_ifexists('creatorId_s', ''), - Inherits=column_ifexists('inherits_b', ''), - IsDefault=column_ifexists('isDefault_b', ''), - Name=column_ifexists('name_s', ''), - RegistrationToken=column_ifexists('registrationToken_s', ''), - TotalAgents=column_ifexists('totalAgents_d', ''), - Type=column_ifexists('type_s', ''); - union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union - | extend - ActivityType, - EventVendor="SentinelOne", - EventProduct="SentinelOne", - DataAccountName=tostring(parse_json(todynamic(Data)).accountName), - DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails), - DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel), - DataScopeName=tostring(parse_json(todynamic(Data)).scopeName), - DataSiteId=tostring(parse_json(todynamic(Data)).siteId), - DataSiteName=tostring(parse_json(todynamic(Data)).siteName), - SrcUserName=tostring(parse_json(todynamic(Data)).userName), - EventId=Id, - SourceParentProcessInfo, - EventOriginalMessage=PrimaryDescription, - UserIdentity=UserId, - EventTypeDetailed=Description, - DataRuleId=tostring(parse_json(todynamic(Data)).ruleId), - DataRuleName=tostring(parse_json(todynamic(Data)).rulename), - 
DataScopeId=tostring(parse_json(todynamic(Data)).scopeId), - DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser), - DataUserId=tostring(parse_json(todynamic(Data)).userId), - DataUserName=tostring(parse_json(todynamic(Data)).userName), - EventSubStatus=SecondaryDescription, - DataComputerName=tostring(parse_json(todynamic(Data)).computerName), - DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp), - DataGroupName=tostring(parse_json(todynamic(Data)).groupName), - DataStatus=tostring(parse_json(todynamic(Data)).status), - DataByUser=tostring(parse_json(todynamic(Data)).byUser), - DataRole=tostring(parse_json(todynamic(Data)).role), - DataUserScope=tostring(parse_json(todynamic(Data)).userScope), - DataSource=tostring(parse_json(todynamic(Data)).source), - DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr), - DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime), - DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine), - DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime), - DataUuid=Uuid, - DataGroup=tostring(parse_json(todynamic(Data)).group), - DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription), - EventType=tostring(parse_json(todynamic(AlertInfo)).eventType), - DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode), - DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails), - DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType), - DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity), - DataSystem=tostring(parse_json(todynamic(Data)).system), - DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups), - DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt), - DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl), - DataFilePath=tostring(parse_json(todynamic(Data)).filePath), - 
DataFilename=tostring(parse_json(todynamic(Data)).filename), - DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename), - DataNewValue=tostring(parse_json(todynamic(Data)).newValue), - DataPolicyId=tostring(parse_json(todynamic(Data)).policyId), - DataPolicyName=tostring(parse_json(todynamic(Data)).policyName), - DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot), - DataRoleName=tostring(parse_json(todynamic(Data)).roleName), - DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName), - ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName), - ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf), - ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName), - ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf), - SrcDvcDomain=Domain, - AlertInfo, - FirewallEnabled=column_ifexists('FirewallEnabled',''), - LocationEnabled=column_ifexists('LocationEnabled',''), - SrcDvcModelName=ModelName, - NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''), - SrcDvcOs=OsName, - SourceProcessInfo, - RuleInfo, - TargetProcessInfo, - ContainerInfo, - AgentDetectionInfo, - EventCreationTime=CreatedAt, - RemoteProfilingState=column_ifexists('RemoteProfilingState','') - | project - TimeGenerated, - AgentDetectionInfo, - EventVendor, - EventProduct, - AccountName, - SourceParentProcessInfo, - TargetProcessInfo, - ActivityType, - EventCreationTime, - DataAccountName, - DataFullScopeDetails, - DataScopeLevel, - DataScopeName, - DataSiteId, - SourceProcessInfo, - DataSiteName, - SrcUserName, - EventId, - EventOriginalMessage, - SiteId, - SiteName, - UpdatedAt, - UserIdentity, - EventType, - DataByUser, - DataRole, - DataUserScope, - EventTypeDetailed, - DataSource, - DataExpiryDateStr, - DataExpiryTime, - 
DataNetworkquarantine, - DataRuleCreationTime, - DataRuleDescription, - DataRuleExpirationMode, - DataRuleId, - DataRuleName, - DataRuleQueryDetails, - DataRuleQueryType, - DataRuleSeverity, - DataScopeId, - DataStatus, - DataSystemUser, - DataTreatasthreat, - DataUserId, - DataUserName, - EventSubStatus, - AgentId, - DataComputerName, - DataExternalIp, - DataGroupName, - DataSystem, - DataUuid, - GroupId, - GroupName, - DataGroup, - DataOptionalGroups, - DataCreatedAt, - DataDownloadUrl, - DataFilePath, - DataFilename, - DataUploadedFilename, - Comments, - DataNewValue, - DataPolicyId, - DataPolicyName, - DataNewValueb, - DataShouldReboot, - DataRoleName, - DataScopeLevelName, - ActiveDirectoryComputerDistinguishedName, - ActiveDirectoryComputerMemberOf, - ActiveDirectoryLastUserDistinguishedName, - ActiveDirectoryLastUserMemberOf, - ActiveThreats=toreal(activeThreats_d), - AgentVersion, - AllowRemoteShell, - AppsVulnerabilityStatus, - ComputerName, - ConsoleMigrationStatus, - CoreCount=toreal(coreCount_d), - CpuCount=toreal(cpuCount_d), - CpuId, - SrcDvcDomain, - EncryptedApplications, - ExternalId, - ExternalIp, - FirewallEnabled, - GroupIp, - InRemoteShellSession, - Infected, - InstallerType, - IsActive, - IsDecommissioned, - IsPendingUninstall, - IsUninstalled, - IsUpToDate, - LastActiveDate=tostring(LastActiveDate_datetime), - LastIpToMgmt, - LastLoggedInUserName, - LicenseKey, - LocationEnabled, - LocationType, - Locations, - MachineType, - MitigationMode, - MitigationModeSuspicious, - SrcDvcModelName, - NetworkInterfaces, - NetworkQuarantineEnabled, - NetworkStatus, - OperationalState, - OsArch, - SrcDvcOs, - OsRevision, - OsStartTime, - OsType, - RangerStatus, - RangerVersion, - RegisteredAt=tostring(RegisteredAt_datetime), - RemoteProfilingState, - ScanFinishedAt=tostring(ScanFinishedAt_datetime), - ScanStartedAt=tostring(ScanStartedAt_datetime), - ScanStatus, - ThreatRebootRequired, - TotalMemory=toreal(totalMemory_d), - UserActionsNeeded, - Uuid, - 
Creator, - CreatorId, - Inherits, - IsDefault, - Name, - AlertInfo, - RuleInfo, - ContainerInfo, - RegistrationToken, - TotalAgents=totalAgents_d, - Type; -}; -SentinelOne_view \ No newline at end of file From 2f43e8033d03be14c69a091be23f78d653d03629 Mon Sep 17 00:00:00 2001 From: Ido Shabi Date: Tue, 10 Dec 2024 14:38:17 +0200 Subject: [PATCH 04/22] adding new test --- Solutions/SentinelOne/Parsers/SentinelOne.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Solutions/SentinelOne/Parsers/SentinelOne.yaml b/Solutions/SentinelOne/Parsers/SentinelOne.yaml index 3f18edb09e1..3a6b89b74b1 100644 --- a/Solutions/SentinelOne/Parsers/SentinelOne.yaml +++ b/Solutions/SentinelOne/Parsers/SentinelOne.yaml @@ -1,4 +1,4 @@ -id: e1cb35b3-ee01-4c8f-a361-0850d0554ab6 + id: e1cb35b3-ee01-4c8f-a361-0850d0554ab6 Function: Title: Parser for SentinelOne Version: '1.0.1' @@ -281,6 +281,7 @@ FunctionQuery: | name_s:string, registrationToken_s:string, totalAgents_d:real , + AlertInfo:string, type_s:string )[]; let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty @@ -484,7 +485,7 @@ FunctionQuery: | ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName), ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf), SrcDvcDomain=Domain, - AlertInfo, + AlertInfo=tostring(AlertInfo), FirewallEnabled=column_ifexists('FirewallEnabled',''), LocationEnabled=column_ifexists('LocationEnabled',''), SrcDvcModelName=ModelName, From 458c0d8158e24d601f1611aa0f6bc9bf622b8de5 Mon Sep 17 00:00:00 2001 From: Ido Shabi Date: Tue, 10 Dec 2024 15:04:51 +0200 Subject: [PATCH 05/22] adding new test --- Solutions/SentinelOne/Parsers/SentinelOne.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Solutions/SentinelOne/Parsers/SentinelOne.yaml b/Solutions/SentinelOne/Parsers/SentinelOne.yaml index 3a6b89b74b1..3f18edb09e1 100644 
--- a/Solutions/SentinelOne/Parsers/SentinelOne.yaml
+++ b/Solutions/SentinelOne/Parsers/SentinelOne.yaml
@@ -1,4 +1,4 @@
- id: e1cb35b3-ee01-4c8f-a361-0850d0554ab6
+id: e1cb35b3-ee01-4c8f-a361-0850d0554ab6
 Function:
 Title: Parser for SentinelOne
 Version: '1.0.1'
@@ -281,7 +281,6 @@ FunctionQuery: |
 name_s:string,
 registrationToken_s:string,
 totalAgents_d:real ,
- AlertInfo:string,
 type_s:string
 )[];
 let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty
@@ -485,7 +484,7 @@ FunctionQuery: |
 ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName),
 ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf),
 SrcDvcDomain=Domain,
- AlertInfo=tostring(AlertInfo),
+ AlertInfo,
 FirewallEnabled=column_ifexists('FirewallEnabled',''),
 LocationEnabled=column_ifexists('LocationEnabled',''),
 SrcDvcModelName=ModelName,
From e14c2f3660d0b5070bf9f60137de4977065fd7cb Mon Sep 17 00:00:00 2001
From: Ido Shabi
Date: Tue, 10 Dec 2024 15:21:17 +0200
Subject: [PATCH 06/22] fixing issues with testing
---
 Solutions/SentinelOne/Parsers/SentinelOne.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Solutions/SentinelOne/Parsers/SentinelOne.yaml b/Solutions/SentinelOne/Parsers/SentinelOne.yaml
index 3f18edb09e1..f5a3d5aa4a3 100644
--- a/Solutions/SentinelOne/Parsers/SentinelOne.yaml
+++ b/Solutions/SentinelOne/Parsers/SentinelOne.yaml
@@ -26,7 +26,7 @@ FunctionQuery: |
 EventOriginalMessage:string,
 SiteId:string,
 SiteName:string,
- UpdatedAt:datetime ,
+ UpdatedAt:datetime,
 UserIdentity:string,
 EventType:string,
 DataByUser:string,
From ae1807782ab420879088f3bc4c830800bd96eff0 Mon Sep 17 00:00:00 2001
From: Ido Shabi
Date: Tue, 10 Dec 2024 16:03:54 +0200
Subject: [PATCH 07/22] fixing issues with testing
---
 Solutions/SentinelOne/Parsers/SentinelOne.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Solutions/SentinelOne/Parsers/SentinelOne.yaml b/Solutions/SentinelOne/Parsers/SentinelOne.yaml
index f5a3d5aa4a3..4ee4267d640 100644
--- a/Solutions/SentinelOne/Parsers/SentinelOne.yaml
+++ b/Solutions/SentinelOne/Parsers/SentinelOne.yaml
@@ -456,7 +456,7 @@ FunctionQuery: |
 DataSource=tostring(parse_json(todynamic(Data)).source),
 DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr),
 DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime),
- DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine),
+ DataNetworkquarantine=tobool(parse_json(todynamic(Data)).networkquarantine),
 DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime),
 DataUuid=Uuid,
 DataGroup=tostring(parse_json(todynamic(Data)).group),
From b5cd18eb1f1d292246d270a197711d4a5ad6daee Mon Sep 17 00:00:00 2001
From: Ido Shabi
Date: Tue, 10 Dec 2024 16:10:10 +0200
Subject: [PATCH 08/22] fixing issues with testing
---
 Solutions/SentinelOne/Parsers/SentinelOne.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Solutions/SentinelOne/Parsers/SentinelOne.yaml b/Solutions/SentinelOne/Parsers/SentinelOne.yaml
index 4ee4267d640..fec18de2b0d 100644
--- a/Solutions/SentinelOne/Parsers/SentinelOne.yaml
+++ b/Solutions/SentinelOne/Parsers/SentinelOne.yaml
@@ -488,7 +488,7 @@ FunctionQuery: |
 FirewallEnabled=column_ifexists('FirewallEnabled',''),
 LocationEnabled=column_ifexists('LocationEnabled',''),
 SrcDvcModelName=ModelName,
- NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''),
+ NetworkQuarantineEnabled=tobool(column_ifexists('NetworkQuarantineEnabled','')),
 SrcDvcOs=OsName,
 SourceProcessInfo,
 RuleInfo,
From 3cfb3103ea3d9e786bfcffe8e6be5a8ec4a87b00 Mon Sep 17 00:00:00 2001
From: Ido Shabi
Date: Tue, 10 Dec 2024 16:20:54 +0200
Subject: [PATCH 09/22] fixing issues with testing
---
 .../SentinelOne/Parsers/SentinelOne.yaml | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
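Review bot: `tobool(parse_json(todynamic(Data)).networkquarantine)` changes the type of `DataNetworkquarantine` on the CCP arm of the union only; on the legacy arm it remains whatever `column_ifexists('data_networkquarantine_b', '')` yields, with a string `''` as its fallback. In a `union isfuzzy=true` a column whose arms disagree on type is split into type-suffixed columns (this parser already copes with that elsewhere via `LastActiveDate=tostring(LastActiveDate_datetime)`), so unless both arms are pinned to one type the plain `DataNetworkquarantine` name can stop resolving, which looks like what the following commits are chasing. The second hunk, `NetworkQuarantineEnabled=tobool(column_ifexists('NetworkQuarantineEnabled',''))` (PATCH 08/22), has the same shape. Decide on one type per column and apply it in both extends; the outer `parse_json(...)` is also redundant because `todynamic(Data)` already returns a dynamic, so `tobool(todynamic(Data).networkquarantine)` is enough. The `FunctionQuery` body both hunks belong to starts and ends outside them.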
diff --git a/Solutions/SentinelOne/Parsers/SentinelOne.yaml b/Solutions/SentinelOne/Parsers/SentinelOne.yaml
index fec18de2b0d..04ee4c53a0d 100644
--- a/Solutions/SentinelOne/Parsers/SentinelOne.yaml
+++ b/Solutions/SentinelOne/Parsers/SentinelOne.yaml
@@ -36,7 +36,7 @@ FunctionQuery: |
 DataSource:string,
 DataExpiryDateStr:string,
 DataExpiryTime:int,
- DataNetworkquarantine:bool,
+ //DataNetworkquarantine:bool,
 DataRuleCreationTime:int,
 DataRuleDescription:string,
 DataRuleExpirationMode:string,
@@ -117,7 +117,7 @@ FunctionQuery: |
 MitigationModeSuspicious:string,
 SrcDvcModelName:string,
 NetworkInterfaces:string,
- NetworkQuarantineEnabled:bool,
+ //NetworkQuarantineEnabled:bool,
 NetworkStatus:string,
 OperationalState:string,
 OsArch:string,
@@ -177,7 +177,7 @@ FunctionQuery: |
 data_source_s:string,
 data_expiryDateStr_s:string,
 data_expiryTime_d:int,
- data_networkquarantine_b:bool,
+ //data_networkquarantine_b:bool,
 data_ruleCreationTime_d:int,
 data_ruleDescription_s:string,
 data_ruleExpirationMode_s:string,
@@ -255,7 +255,7 @@ FunctionQuery: |
 mitigationModeSuspicious_s:string,
 modelName_s:string,
 networkInterfaces_s:string,
- networkQuarantineEnabled_b:bool,
+ //networkQuarantineEnabled_b:bool,
 networkStatus_s:string,
 operationalState_s:string,
 osArch_s:string,
@@ -314,7 +314,7 @@ FunctionQuery: |
 DataSource=column_ifexists('data_source_s', ''),
 DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),
 DataExpiryTime=column_ifexists('data_expiryTime_d', ''),
- DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),
+ //DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),
 DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),
 DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),
 DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),
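Review bot: Commenting out `DataNetworkquarantine` and `NetworkQuarantineEnabled` in all ten hunks of this commit (the remaining five, on the next line, run through the final `project`) drops both columns from the parser's output instead of fixing their type, so any query or workbook that selects them stops resolving, and the parser loses the field that tells a responder whether an endpoint is currently network-isolated. The series went `tostring` → `tobool` → commented out under the message `fixing issues with testing`, which points to a type disagreement between the legacy arm (`column_ifexists('data_networkquarantine_b', '')`, string fallback) and the CCP arm rather than a problem with the field itself; pinning both arms to one type, e.g. `DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine)` on the CCP side and `DataNetworkquarantine=tostring(column_ifexists('data_networkquarantine_b', ''))` on the legacy side, would keep the column. If the columns are meant to go, delete the lines rather than leaving `//` entries inside the datatable schemas, and bump the parser `Version:` since its output schema changes. Every hunk sits inside the `FunctionQuery: |` block, whose start and end are outside them.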
@@ -394,7 +394,7 @@ FunctionQuery: |
 MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),
 SrcDvcModelName=column_ifexists('modelName_s', ''),
 NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),
- NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),
+ //NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),
 NetworkStatus=column_ifexists('networkStatus_s', ''),
 OperationalState=column_ifexists('operationalState_s', ''),
 OsArch=column_ifexists('osArch_s', ''),
@@ -456,7 +456,7 @@ FunctionQuery: |
 DataSource=tostring(parse_json(todynamic(Data)).source),
 DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr),
 DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime),
- DataNetworkquarantine=tobool(parse_json(todynamic(Data)).networkquarantine),
+ //DataNetworkquarantine=tobool(parse_json(todynamic(Data)).networkquarantine),
 DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime),
 DataUuid=Uuid,
 DataGroup=tostring(parse_json(todynamic(Data)).group),
@@ -488,7 +488,7 @@ FunctionQuery: |
 FirewallEnabled=column_ifexists('FirewallEnabled',''),
 LocationEnabled=column_ifexists('LocationEnabled',''),
 SrcDvcModelName=ModelName,
- NetworkQuarantineEnabled=tobool(column_ifexists('NetworkQuarantineEnabled','')),
+ //NetworkQuarantineEnabled=tobool(column_ifexists('NetworkQuarantineEnabled','')),
 SrcDvcOs=OsName,
 SourceProcessInfo,
 RuleInfo,
@@ -527,7 +527,7 @@ FunctionQuery: |
 DataSource,
 DataExpiryDateStr,
 DataExpiryTime,
- DataNetworkquarantine,
+ //DataNetworkquarantine,
 DataRuleCreationTime,
 DataRuleDescription,
 DataRuleExpirationMode,
@@ -605,7 +605,7 @@ FunctionQuery: |
 MitigationModeSuspicious,
 SrcDvcModelName,
 NetworkInterfaces,
- NetworkQuarantineEnabled,
+ //NetworkQuarantineEnabled,
 NetworkStatus,
 OperationalState,
 OsArch,
From 676046d6b35011285382e09101585ed6ddc3a255 Mon Sep 17 00:00:00 2001
From: Ido Shabi
Date: Wed, 11 Dec 2024 10:55:40 +0200
Subject: [PATCH 10/22] fixing issues with testing
---
 .../SentinelOne/Package/mainTemplate.json | 122 +++++++++---------
 1 file changed, 61 insertions(+), 61 deletions(-)
diff --git a/Solutions/SentinelOne/Package/mainTemplate.json b/Solutions/SentinelOne/Package/mainTemplate.json
index 824a5a5da0c..cb35fd8be01 100644
--- a/Solutions/SentinelOne/Package/mainTemplate.json
+++ b/Solutions/SentinelOne/Package/mainTemplate.json
@@ -59,7 +59,7 @@
 "solutionId": "azuresentinel.azure-sentinel-solution-sentinelone",
 "_solutionId": "[variables('solutionId')]",
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
- "dataConnectorCCPVersion": "1.0.1",
+ "dataConnectorCCPVersion": "1.0.0",
 "_dataConnectorContentIdConnectorDefinition1": "SentinelOne",
 "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]",
 "_dataConnectorContentIdConnections1": "SentinelOneConnections",
@@ -2774,7 +2774,7 @@ "displayName": "Parser for SentinelOne", "category": "Microsoft Sentinel Parser", "functionAlias": "SentinelOne", - "query": "let SentinelOne_view = view () { \nlet SentinelOneV2_Empty = datatable(\n AccountId:string,\n AccountName:string,\n ActivityType:real ,\n EventCreationTime:datetime,\n DataAccountName:string,\n DataFullScopeDetails:string,\n DataScopeLevel:string,\n DataScopeName:string,\n DataSiteId:int,\n SecondaryDescription:string ,\n DataSiteName:string,\n SourceProcessInfo:string,\n SrcUserName:string,\n EventId:string,\n EventOriginalMessage:string,\n SiteId:string,\n SiteName:string,\n UpdatedAt:datetime ,\n UserIdentity:string,\n EventType:string,\n DataByUser:string,\n DataRole:string,\n DataUserScope:string,\n EventTypeDetailed:string,\n DataSource:string,\n DataExpiryDateStr:string,\n DataExpiryTime:int,\n DataNetworkquarantine:bool,\n DataRuleCreationTime:int,\n DataRuleDescription:string,\n DataRuleExpirationMode:string,\n DataRuleId:int,\n DataRuleName:string,\n DataRuleQueryDetails:string,\n DataRuleQueryType:string,\n DataRuleSeverity:string,\n DataScopeId:int,\n DataStatus:string,\n DataSystemUser:int,\n DataTreatasthreat:string,\n DataUserId:int,\n RuleInfo:string,\n DataUserName:string,\n EventSubStatus:string,\n AgentId:string,\n DataComputerName:string,\n DataExternalIp:string,\n DataGroupName:string,\n DataSystem:bool,\n DataUuid:string,\n GroupId:string,\n GroupName:string,\n DataGroup:string,\n UserId:string ,\n DataOptionalGroups:string,\n DataCreatedAt:string,\n DataDownloadUrl:string,\n DataFilePath:string,\n DataFilename:string,\n DataUploadedFilename:string,\n Comments:string,\n DataNewValue:string,\n DataPolicyId:string,\n DataPolicyName:string,\n DataNewValueb:string,\n DataShouldReboot:bool,\n DataRoleName:string,\n DataScopeLevelName:string,\n ActiveDirectoryComputerDistinguishedName:string,\n ActiveDirectoryComputerMemberOf:string,\n ActiveDirectoryLastUserDistinguishedName:string,\n 
ActiveDirectoryLastUserMemberOf:string,\n ActiveThreats:int,\n AgentVersion:string,\n AllowRemoteShell:bool,\n AppsVulnerabilityStatus:string,\n ComputerName:string,\n ConsoleMigrationStatus:string,\n CoreCount:int,\n CpuCount:int,\n CpuId:string,\n SrcDvcDomain:string,\n EncryptedApplications:bool,\n ExternalId:string,\n ExternalIp:string,\n FirewallEnabled:bool,\n GroupIp:string,\n InRemoteShellSession:bool,\n Infected:bool,\n InstallerType:string,\n IsActive:bool,\n IsDecommissioned:bool,\n IsPendingUninstall:bool,\n IsUninstalled:bool,\n IsUpToDate:bool,\n LastActiveDate:string,\n TargetProcessInfo:string ,\n LastIpToMgmt:string,\n LastLoggedInUserName:string,\n LicenseKey:string,\n LocationEnabled:bool,\n LocationType:string,\n Locations:string,\n MachineType:string,\n MitigationMode:string,\n MitigationModeSuspicious:string,\n SrcDvcModelName:string,\n NetworkInterfaces:string,\n NetworkQuarantineEnabled:bool,\n NetworkStatus:string,\n OperationalState:string,\n OsArch:string,\n SrcDvcOs:string,\n OsRevision:string,\n OsStartTime:datetime ,\n OsType:string,\n RangerStatus:string,\n RangerVersion:string,\n RegisteredAt:string,\n RemoteProfilingState:string,\n ScanFinishedAt:string,\n ScanStartedAt:string,\n ScanStatus:string,\n ThreatRebootRequired:bool,\n TotalMemory:int,\n SourceParentProcessInfo:string ,\n UserActionsNeeded:string,\n Uuid:string,\n Creator:string,\n ContainerInfo:string,\n CreatorId:string,\n Inherits:string ,\n IsDefault:string ,\n Name:string,\n RegistrationToken:string,\n AlertInfo:string,\n PrimaryDescription:string ,\n TotalAgents:real ,\n CreatedAt:datetime ,\n Id:string,\n Type:string\n )[]; \n let SentinelOneV1_Empty = datatable (\n accountId_s:string,\n accountName_s:string,\n activityType_d:real,\n createdAt_t:datetime ,\n data_accountName_s:string,\n data_fullScopeDetails_s:string,\n data_scopeLevel_s:string,\n data_scopeName_s:string,\n data_siteId_d:int,\n data_siteName_s:string,\n data_username_s:string,\n id_s:string,\n 
primaryDescription_s:string,\n siteId_s:string,\n siteName_s:string,\n updatedAt_t:datetime ,\n userId_s:string,\n event_name_s:string,\n data_byUser_s:string,\n data_role_s:string,\n data_userScope_s:string,\n description_s:string,\n data_source_s:string,\n data_expiryDateStr_s:string,\n data_expiryTime_d:int,\n data_networkquarantine_b:bool,\n data_ruleCreationTime_d:int,\n data_ruleDescription_s:string,\n data_ruleExpirationMode_s:string,\n data_ruleId_d:int,\n data_ruleName_s:string,\n data_ruleQueryDetails_s:string,\n data_ruleQueryType_s:string,\n data_ruleSeverity_s:string,\n data_scopeId_d:int,\n data_status_s:string,\n data_systemUser_d:int,\n data_treatasthreat_s:string,\n data_userId_d:int,\n data_userName_s:string,\n secondaryDescription_s:string,\n agentId_s:string,\n data_computerName_s:string,\n data_externalIp_s:string,\n data_groupName_s:string,\n data_system_b:bool,\n data_uuid_g:string,\n groupId_s:string,\n groupName_s:string,\n data_group_s:string,\n data_optionalGroups_s:string,\n data_createdAt_t:string,\n data_downloadUrl_s:string,\n data_filePath_s:string,\n data_filename_s:string,\n data_uploadedFilename_s:string,\n comments_s:string,\n data_newValue_s:string,\n data_policy_id_s:string,\n data_policyName_s:string,\n data_newValue_b:bool,\n data_shouldReboot_b:bool,\n data_roleName_s:string,\n data_scopeLevelName_s:string,\n activeDirectory_computerDistinguishedName_s:string,\n activeDirectory_computerMemberOf_s:string,\n activeDirectory_lastUserDistinguishedName_s:string,\n activeDirectory_lastUserMemberOf_s:string,\n activeThreats_d:real,\n agentVersion_s:string,\n allowRemoteShell_b:bool,\n appsVulnerabilityStatus_s:string,\n computerName_s:string,\n consoleMigrationStatus_s:string,\n coreCount_d:real,\n cpuCount_d:real ,\n cpuId_s:string,\n domain_s:string,\n encryptedApplications_b:bool,\n externalId_s:string,\n externalIp_s:string,\n firewallEnabled_b:bool,\n groupIp_s:string,\n inRemoteShellSession_b:bool,\n infected_b:bool,\n 
installerType_s:string,\n isActive_b:bool,\n isDecommissioned_b:bool,\n isPendingUninstall_b:bool,\n isUninstalled_b:bool,\n isUpToDate_b:bool,\n lastActiveDate_t:string,\n lastIpToMgmt_s:string,\n lastLoggedInUserName_s:string,\n licenseKey_s:string,\n locationEnabled_b:bool,\n locationType_s:string,\n locations_s:string,\n machineType_s:string,\n mitigationMode_s:string,\n mitigationModeSuspicious_s:string,\n modelName_s:string,\n networkInterfaces_s:string,\n networkQuarantineEnabled_b:bool,\n networkStatus_s:string,\n operationalState_s:string,\n osArch_s:string,\n osName_s:string,\n osRevision_s:string,\n osStartTime_t:datetime ,\n osType_s:string,\n rangerStatus_s:string,\n rangerVersion_s:string,\n registeredAt_t:string,\n remoteProfilingState_s:string,\n scanFinishedAt_t:string,\n scanStartedAt_t:string,\n scanStatus_s:string,\n threatRebootRequired_b:bool,\n totalMemory_d:real ,\n userActionsNeeded_s:string,\n uuid_g:string,\n creator_s:string,\n creatorId_s:string,\n inherits_b:string ,\n isDefault_b:string ,\n name_s:string,\n registrationToken_s:string,\n totalAgents_d:real ,\n type_s:string\n )[];\n let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty\n | extend \n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n AccountId=column_ifexists('accountId_s', ''),\n AccountName=column_ifexists('accountName_s', ''),\n ActivityType=toreal(column_ifexists('activityType_d', '')),\n EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')),\n DataAccountName=column_ifexists('data_accountName_s', ''),\n DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),\n DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),\n DataScopeName=column_ifexists('data_scopeName_s', ''),\n DataSiteId=column_ifexists('data_siteId_d', ''),\n DataSiteName=column_ifexists('data_siteName_s', ''),\n SrcUserName=column_ifexists('data_username_s', ''),\n EventId=column_ifexists('id_s', ''),\n 
EventOriginalMessage=column_ifexists('primaryDescription_s', ''),\n PrimaryDescription=column_ifexists('primaryDescription_s', ''),\n SiteId=column_ifexists('siteId_s', ''),\n SiteName=column_ifexists('siteName_s', ''),\n UpdatedAt=column_ifexists('updatedAt_t', ''),\n UserIdentity=column_ifexists('userId_s', ''),\n UserId=column_ifexists('userId_s', ''),\n EventType=column_ifexists('event_name_s', ''),\n DataByUser=column_ifexists('data_byUser_s', ''),\n DataRole=column_ifexists('data_role_s', ''),\n DataUserScope=column_ifexists('data_userScope_s', ''),\n EventTypeDetailed=column_ifexists('description_s', ''),\n DataSource=column_ifexists('data_source_s', ''),\n DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),\n DataExpiryTime=column_ifexists('data_expiryTime_d', ''),\n DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),\n DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),\n DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),\n DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),\n DataRuleId=column_ifexists('data_ruleId_d', ''),\n DataRuleName=column_ifexists('data_ruleName_s', ''),\n DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),\n DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),\n DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),\n DataScopeId=column_ifexists('data_scopeId_d', ''),\n Id=column_ifexists('id_s', ''),\n DataStatus=column_ifexists('data_status_s', ''),\n DataSystemUser=column_ifexists('data_systemUser_d', ''),\n DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),\n DataUserId=column_ifexists('data_userId_d', ''),\n DataUserName=column_ifexists('data_userName_s', ''),\n EventSubStatus=column_ifexists('secondaryDescription_s', ''),\n SecondaryDescription=column_ifexists('secondaryDescription_s', ''),\n AgentId=column_ifexists('agentId_s', ''),\n DataComputerName=column_ifexists('data_computerName_s', ''),\n 
DataExternalIp=column_ifexists('data_externalIp_s', ''),\n DataGroupName=column_ifexists('data_groupName_s', ''),\n DataSystem=column_ifexists('data_system_b', ''),\n DataUuid=column_ifexists('data_uuid_g', ''),\n GroupId=column_ifexists('groupId_s', ''),\n GroupName=column_ifexists('groupName_s', ''),\n DataGroup=column_ifexists('data_group_s', ''),\n DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),\n DataCreatedAt=column_ifexists('data_createdAt_t', ''),\n DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),\n DataFilePath=column_ifexists('data_filePath_s', ''),\n DataFilename=column_ifexists('data_filename_s', ''),\n DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),\n Comments=column_ifexists('comments_s', ''),\n DataNewValue=column_ifexists('data_newValue_s', ''),\n DataPolicyId=column_ifexists('data_policy_id_s', ''),\n DataPolicyName=column_ifexists('data_policyName_s', ''),\n DataNewValueb=column_ifexists('data_newValue_b', ''),\n DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),\n DataRoleName=column_ifexists('data_roleName_s', ''),\n DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),\n ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),\n ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),\n ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),\n ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),\n ActiveThreats=column_ifexists('activeThreats_d', ''),\n AgentVersion=column_ifexists('agentVersion_s', ''),\n AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),\n AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),\n ComputerName=column_ifexists('computerName_s', ''),\n ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),\n 
CoreCount=column_ifexists('coreCount_d', ''),\n CpuCount=column_ifexists('cpuCount_d', ''),\n CpuId=column_ifexists('cpuId_s', ''),\n SrcDvcDomain=column_ifexists('domain_s', ''),\n EncryptedApplications=column_ifexists('encryptedApplications_b', ''),\n ExternalId=column_ifexists('externalId_s', ''),\n ExternalIp=column_ifexists('externalIp_s', ''),\n FirewallEnabled=column_ifexists('firewallEnabled_b', ''),\n GroupIp=column_ifexists('groupIp_s', ''),\n InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),\n Infected=column_ifexists('infected_b', ''),\n InstallerType=column_ifexists('installerType_s', ''),\n IsActive=column_ifexists('isActive_b', ''),\n IsDecommissioned=column_ifexists('isDecommissioned_b', ''),\n IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),\n IsUninstalled=column_ifexists('isUninstalled_b', ''),\n IsUpToDate=column_ifexists('isUpToDate_b', ''),\n LastActiveDate=column_ifexists('lastActiveDate_t', ''),\n LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),\n LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),\n LicenseKey=column_ifexists('licenseKey_s', ''),\n LocationEnabled=column_ifexists('locationEnabled_b', ''),\n LocationType=column_ifexists('locationType_s', ''),\n Locations=column_ifexists('locations_s', ''),\n MachineType=column_ifexists('machineType_s', ''),\n MitigationMode=column_ifexists('mitigationMode_s', ''),\n MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),\n SrcDvcModelName=column_ifexists('modelName_s', ''),\n NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),\n NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),\n NetworkStatus=column_ifexists('networkStatus_s', ''),\n OperationalState=column_ifexists('operationalState_s', ''),\n OsArch=column_ifexists('osArch_s', ''),\n SrcDvcOs=column_ifexists('osName_s', ''),\n OsRevision=column_ifexists('osRevision_s', ''),\n OsStartTime=column_ifexists('osStartTime_t', ''),\n 
OsType=column_ifexists('osType_s', ''),\n RangerStatus=column_ifexists('rangerStatus_s', ''),\n RangerVersion=column_ifexists('rangerVersion_s', ''),\n RegisteredAt=column_ifexists('registeredAt_t', ''),\n RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),\n ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),\n ScanStartedAt=column_ifexists('scanStartedAt_t', ''),\n ScanStatus=column_ifexists('scanStatus_s', ''),\n ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),\n TotalMemory=column_ifexists('totalMemory_d', ''),\n UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),\n Uuid=column_ifexists('uuid_g', ''),\n Creator=column_ifexists('creator_s', ''),\n CreatedAt=column_ifexists('createdAt_t',''),\n CreatorId=column_ifexists('creatorId_s', ''),\n Inherits=column_ifexists('inherits_b', ''),\n IsDefault=column_ifexists('isDefault_b', ''),\n Name=column_ifexists('name_s', ''),\n RegistrationToken=column_ifexists('registrationToken_s', ''),\n TotalAgents=column_ifexists('totalAgents_d', ''),\n Type=column_ifexists('type_s', '');\n union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union\n | extend \n ActivityType,\n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n DataAccountName=tostring(parse_json(todynamic(Data)).accountName),\n DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails),\n DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel),\n DataScopeName=tostring(parse_json(todynamic(Data)).scopeName),\n DataSiteId=tostring(parse_json(todynamic(Data)).siteId),\n DataSiteName=tostring(parse_json(todynamic(Data)).siteName),\n SrcUserName=tostring(parse_json(todynamic(Data)).userName),\n EventId=Id,\n SourceParentProcessInfo,\n EventOriginalMessage=PrimaryDescription,\n UserIdentity=UserId,\n EventTypeDetailed=Description,\n DataRuleId=tostring(parse_json(todynamic(Data)).ruleId),\n 
DataRuleName=tostring(parse_json(todynamic(Data)).rulename),\n DataScopeId=tostring(parse_json(todynamic(Data)).scopeId),\n DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser),\n DataUserId=tostring(parse_json(todynamic(Data)).userId),\n DataUserName=tostring(parse_json(todynamic(Data)).userName),\n EventSubStatus=SecondaryDescription,\n DataComputerName=tostring(parse_json(todynamic(Data)).computerName),\n DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp),\n DataGroupName=tostring(parse_json(todynamic(Data)).groupName),\n DataStatus=tostring(parse_json(todynamic(Data)).status),\n DataByUser=tostring(parse_json(todynamic(Data)).byUser),\n DataRole=tostring(parse_json(todynamic(Data)).role),\n DataUserScope=tostring(parse_json(todynamic(Data)).userScope),\n DataSource=tostring(parse_json(todynamic(Data)).source),\n DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr),\n DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime),\n DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine),\n DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime),\n DataUuid=Uuid,\n DataGroup=tostring(parse_json(todynamic(Data)).group),\n DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription),\n EventType=tostring(parse_json(todynamic(AlertInfo)).eventType),\n DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode),\n DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails),\n DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType),\n DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity),\n DataSystem=tostring(parse_json(todynamic(Data)).system),\n DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups),\n DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt),\n DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl),\n 
DataFilePath=tostring(parse_json(todynamic(Data)).filePath),\n DataFilename=tostring(parse_json(todynamic(Data)).filename),\n DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename),\n DataNewValue=tostring(parse_json(todynamic(Data)).newValue),\n DataPolicyId=tostring(parse_json(todynamic(Data)).policyId),\n DataPolicyName=tostring(parse_json(todynamic(Data)).policyName),\n DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot),\n DataRoleName=tostring(parse_json(todynamic(Data)).roleName),\n DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName),\n ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName),\n ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf),\n ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName),\n ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf),\n SrcDvcDomain=Domain,\n AlertInfo,\n FirewallEnabled=column_ifexists('FirewallEnabled',''),\n LocationEnabled=column_ifexists('LocationEnabled',''),\n SrcDvcModelName=ModelName,\n NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''),\n SrcDvcOs=OsName,\n SourceProcessInfo,\n RuleInfo,\n TargetProcessInfo,\n ContainerInfo,\n EventCreationTime=CreatedAt,\n RemoteProfilingState=column_ifexists('RemoteProfilingState','')\n | project\n TimeGenerated, \n EventVendor,\n EventProduct,\n AccountName,\n SourceParentProcessInfo,\n TargetProcessInfo,\n ActivityType,\n EventCreationTime,\n DataAccountName,\n DataFullScopeDetails,\n DataScopeLevel,\n DataScopeName,\n DataSiteId,\n SourceProcessInfo,\n DataSiteName,\n SrcUserName,\n EventId,\n EventOriginalMessage,\n SiteId,\n SiteName,\n UpdatedAt,\n UserIdentity,\n EventType,\n DataByUser,\n DataRole,\n DataUserScope,\n EventTypeDetailed,\n DataSource,\n DataExpiryDateStr,\n 
DataExpiryTime,\n DataNetworkquarantine,\n DataRuleCreationTime,\n DataRuleDescription,\n DataRuleExpirationMode,\n DataRuleId,\n DataRuleName,\n DataRuleQueryDetails,\n DataRuleQueryType,\n DataRuleSeverity,\n DataScopeId,\n DataStatus,\n DataSystemUser,\n DataTreatasthreat,\n DataUserId,\n DataUserName,\n EventSubStatus,\n AgentId,\n DataComputerName,\n DataExternalIp,\n DataGroupName,\n DataSystem,\n DataUuid,\n GroupId,\n GroupName,\n DataGroup,\n DataOptionalGroups,\n DataCreatedAt,\n DataDownloadUrl,\n DataFilePath,\n DataFilename,\n DataUploadedFilename,\n Comments,\n DataNewValue,\n DataPolicyId,\n DataPolicyName,\n DataNewValueb,\n DataShouldReboot,\n DataRoleName,\n DataScopeLevelName,\n ActiveDirectoryComputerDistinguishedName,\n ActiveDirectoryComputerMemberOf,\n ActiveDirectoryLastUserDistinguishedName,\n ActiveDirectoryLastUserMemberOf,\n ActiveThreats=toreal(activeThreats_d),\n AgentVersion,\n AllowRemoteShell,\n AppsVulnerabilityStatus,\n ComputerName,\n ConsoleMigrationStatus,\n CoreCount=toreal(coreCount_d),\n CpuCount=toreal(cpuCount_d),\n CpuId,\n SrcDvcDomain,\n EncryptedApplications,\n ExternalId,\n ExternalIp,\n FirewallEnabled,\n GroupIp,\n InRemoteShellSession,\n Infected,\n InstallerType,\n IsActive,\n IsDecommissioned,\n IsPendingUninstall,\n IsUninstalled,\n IsUpToDate,\n LastActiveDate=tostring(LastActiveDate_datetime),\n LastIpToMgmt,\n LastLoggedInUserName,\n LicenseKey,\n LocationEnabled,\n LocationType,\n Locations,\n MachineType,\n MitigationMode,\n MitigationModeSuspicious,\n SrcDvcModelName,\n NetworkInterfaces,\n NetworkQuarantineEnabled,\n NetworkStatus,\n OperationalState,\n OsArch,\n SrcDvcOs,\n OsRevision,\n OsStartTime,\n OsType,\n RangerStatus,\n RangerVersion,\n RegisteredAt=tostring(RegisteredAt_datetime),\n RemoteProfilingState,\n ScanFinishedAt=tostring(ScanFinishedAt_datetime),\n ScanStartedAt=tostring(ScanStartedAt_datetime),\n ScanStatus,\n ThreatRebootRequired,\n TotalMemory=toreal(totalMemory_d),\n 
UserActionsNeeded,\n Uuid,\n Creator,\n CreatorId,\n Inherits,\n IsDefault,\n Name,\n AlertInfo,\n RuleInfo,\n ContainerInfo,\n RegistrationToken,\n TotalAgents=totalAgents_d,\n Type;\n };\n SentinelOne_view\n", + "query": "let SentinelOne_view = view () { \nlet SentinelOneV2_Empty = datatable(\n AccountId:string,\n AccountName:string,\n ActivityType:real ,\n EventCreationTime:datetime,\n DataAccountName:string,\n DataFullScopeDetails:string,\n DataScopeLevel:string,\n DataScopeName:string,\n DataSiteId:int,\n SecondaryDescription:string ,\n DataSiteName:string,\n SourceProcessInfo:string,\n SrcUserName:string,\n EventId:string,\n EventOriginalMessage:string,\n SiteId:string,\n SiteName:string,\n UpdatedAt:datetime ,\n UserIdentity:string,\n EventType:string,\n DataByUser:string,\n DataRole:string,\n DataUserScope:string,\n EventTypeDetailed:string,\n DataSource:string,\n DataExpiryDateStr:string,\n DataExpiryTime:int,\n //DataNetworkquarantine:bool,\n DataRuleCreationTime:int,\n DataRuleDescription:string,\n DataRuleExpirationMode:string,\n DataRuleId:int,\n DataRuleName:string,\n DataRuleQueryDetails:string,\n DataRuleQueryType:string,\n DataRuleSeverity:string,\n DataScopeId:int,\n DataStatus:string,\n DataSystemUser:int,\n DataTreatasthreat:string,\n DataUserId:int,\n RuleInfo:string,\n DataUserName:string,\n EventSubStatus:string,\n AgentId:string,\n DataComputerName:string,\n DataExternalIp:string,\n DataGroupName:string,\n DataSystem:bool,\n DataUuid:string,\n GroupId:string,\n GroupName:string,\n DataGroup:string,\n UserId:string ,\n DataOptionalGroups:string,\n DataCreatedAt:string,\n DataDownloadUrl:string,\n DataFilePath:string,\n DataFilename:string,\n DataUploadedFilename:string,\n Comments:string,\n DataNewValue:string,\n DataPolicyId:string,\n DataPolicyName:string,\n DataNewValueb:string,\n DataShouldReboot:bool,\n DataRoleName:string,\n DataScopeLevelName:string,\n ActiveDirectoryComputerDistinguishedName:string,\n 
ActiveDirectoryComputerMemberOf:string,\n ActiveDirectoryLastUserDistinguishedName:string,\n ActiveDirectoryLastUserMemberOf:string,\n ActiveThreats:int,\n AgentVersion:string,\n AllowRemoteShell:bool,\n AppsVulnerabilityStatus:string,\n ComputerName:string,\n ConsoleMigrationStatus:string,\n CoreCount:int,\n CpuCount:int,\n CpuId:string,\n SrcDvcDomain:string,\n EncryptedApplications:bool,\n ExternalId:string,\n ExternalIp:string,\n FirewallEnabled:bool,\n GroupIp:string,\n InRemoteShellSession:bool,\n Infected:bool,\n InstallerType:string,\n IsActive:bool,\n IsDecommissioned:bool,\n IsPendingUninstall:bool,\n IsUninstalled:bool,\n IsUpToDate:bool,\n LastActiveDate:string,\n TargetProcessInfo:string ,\n LastIpToMgmt:string,\n LastLoggedInUserName:string,\n LicenseKey:string,\n LocationEnabled:bool,\n LocationType:string,\n Locations:string,\n MachineType:string,\n MitigationMode:string,\n MitigationModeSuspicious:string,\n SrcDvcModelName:string,\n NetworkInterfaces:string,\n //NetworkQuarantineEnabled:bool,\n NetworkStatus:string,\n OperationalState:string,\n OsArch:string,\n SrcDvcOs:string,\n OsRevision:string,\n OsStartTime:datetime ,\n OsType:string,\n RangerStatus:string,\n RangerVersion:string,\n RegisteredAt:string,\n RemoteProfilingState:string,\n ScanFinishedAt:string,\n ScanStartedAt:string,\n ScanStatus:string,\n ThreatRebootRequired:bool,\n TotalMemory:int,\n SourceParentProcessInfo:string ,\n UserActionsNeeded:string,\n Uuid:string,\n Creator:string,\n ContainerInfo:string,\n CreatorId:string,\n Inherits:string ,\n IsDefault:string ,\n Name:string,\n RegistrationToken:string,\n AlertInfo:string,\n PrimaryDescription:string ,\n TotalAgents:real ,\n CreatedAt:datetime ,\n Id:string,\n Type:string\n )[]; \n let SentinelOneV1_Empty = datatable (\n accountId_s:string,\n accountName_s:string,\n activityType_d:real,\n createdAt_t:datetime ,\n data_accountName_s:string,\n data_fullScopeDetails_s:string,\n data_scopeLevel_s:string,\n 
data_scopeName_s:string,\n data_siteId_d:int,\n data_siteName_s:string,\n data_username_s:string,\n id_s:string,\n primaryDescription_s:string,\n siteId_s:string,\n siteName_s:string,\n updatedAt_t:datetime ,\n userId_s:string,\n event_name_s:string,\n data_byUser_s:string,\n data_role_s:string,\n data_userScope_s:string,\n description_s:string,\n data_source_s:string,\n data_expiryDateStr_s:string,\n data_expiryTime_d:int,\n //data_networkquarantine_b:bool,\n data_ruleCreationTime_d:int,\n data_ruleDescription_s:string,\n data_ruleExpirationMode_s:string,\n data_ruleId_d:int,\n data_ruleName_s:string,\n data_ruleQueryDetails_s:string,\n data_ruleQueryType_s:string,\n data_ruleSeverity_s:string,\n data_scopeId_d:int,\n data_status_s:string,\n data_systemUser_d:int,\n data_treatasthreat_s:string,\n data_userId_d:int,\n data_userName_s:string,\n secondaryDescription_s:string,\n agentId_s:string,\n data_computerName_s:string,\n data_externalIp_s:string,\n data_groupName_s:string,\n data_system_b:bool,\n data_uuid_g:string,\n groupId_s:string,\n groupName_s:string,\n data_group_s:string,\n data_optionalGroups_s:string,\n data_createdAt_t:string,\n data_downloadUrl_s:string,\n data_filePath_s:string,\n data_filename_s:string,\n data_uploadedFilename_s:string,\n comments_s:string,\n data_newValue_s:string,\n data_policy_id_s:string,\n data_policyName_s:string,\n data_newValue_b:bool,\n data_shouldReboot_b:bool,\n data_roleName_s:string,\n data_scopeLevelName_s:string,\n activeDirectory_computerDistinguishedName_s:string,\n activeDirectory_computerMemberOf_s:string,\n activeDirectory_lastUserDistinguishedName_s:string,\n activeDirectory_lastUserMemberOf_s:string,\n activeThreats_d:real,\n agentVersion_s:string,\n allowRemoteShell_b:bool,\n appsVulnerabilityStatus_s:string,\n computerName_s:string,\n consoleMigrationStatus_s:string,\n coreCount_d:real,\n cpuCount_d:real ,\n cpuId_s:string,\n domain_s:string,\n encryptedApplications_b:bool,\n externalId_s:string,\n 
externalIp_s:string,\n firewallEnabled_b:bool,\n groupIp_s:string,\n inRemoteShellSession_b:bool,\n infected_b:bool,\n installerType_s:string,\n isActive_b:bool,\n isDecommissioned_b:bool,\n isPendingUninstall_b:bool,\n isUninstalled_b:bool,\n isUpToDate_b:bool,\n lastActiveDate_t:string,\n lastIpToMgmt_s:string,\n lastLoggedInUserName_s:string,\n licenseKey_s:string,\n locationEnabled_b:bool,\n locationType_s:string,\n locations_s:string,\n machineType_s:string,\n mitigationMode_s:string,\n mitigationModeSuspicious_s:string,\n modelName_s:string,\n networkInterfaces_s:string,\n //networkQuarantineEnabled_b:bool,\n networkStatus_s:string,\n operationalState_s:string,\n osArch_s:string,\n osName_s:string,\n osRevision_s:string,\n osStartTime_t:datetime ,\n osType_s:string,\n rangerStatus_s:string,\n rangerVersion_s:string,\n registeredAt_t:string,\n remoteProfilingState_s:string,\n scanFinishedAt_t:string,\n scanStartedAt_t:string,\n scanStatus_s:string,\n threatRebootRequired_b:bool,\n totalMemory_d:real ,\n userActionsNeeded_s:string,\n uuid_g:string,\n creator_s:string,\n creatorId_s:string,\n inherits_b:string ,\n isDefault_b:string ,\n name_s:string,\n registrationToken_s:string,\n totalAgents_d:real ,\n type_s:string\n )[];\n let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty\n | extend \n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n AccountId=column_ifexists('accountId_s', ''),\n AccountName=column_ifexists('accountName_s', ''),\n ActivityType=toreal(column_ifexists('activityType_d', '')),\n EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')),\n DataAccountName=column_ifexists('data_accountName_s', ''),\n DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),\n DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),\n DataScopeName=column_ifexists('data_scopeName_s', ''),\n DataSiteId=column_ifexists('data_siteId_d', ''),\n DataSiteName=column_ifexists('data_siteName_s', 
''),\n SrcUserName=column_ifexists('data_username_s', ''),\n EventId=column_ifexists('id_s', ''),\n EventOriginalMessage=column_ifexists('primaryDescription_s', ''),\n PrimaryDescription=column_ifexists('primaryDescription_s', ''),\n SiteId=column_ifexists('siteId_s', ''),\n SiteName=column_ifexists('siteName_s', ''),\n UpdatedAt=column_ifexists('updatedAt_t', ''),\n UserIdentity=column_ifexists('userId_s', ''),\n UserId=column_ifexists('userId_s', ''),\n EventType=column_ifexists('event_name_s', ''),\n DataByUser=column_ifexists('data_byUser_s', ''),\n DataRole=column_ifexists('data_role_s', ''),\n DataUserScope=column_ifexists('data_userScope_s', ''),\n EventTypeDetailed=column_ifexists('description_s', ''),\n DataSource=column_ifexists('data_source_s', ''),\n DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),\n DataExpiryTime=column_ifexists('data_expiryTime_d', ''),\n //DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),\n DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),\n DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),\n DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),\n DataRuleId=column_ifexists('data_ruleId_d', ''),\n DataRuleName=column_ifexists('data_ruleName_s', ''),\n DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),\n DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),\n DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),\n DataScopeId=column_ifexists('data_scopeId_d', ''),\n Id=column_ifexists('id_s', ''),\n DataStatus=column_ifexists('data_status_s', ''),\n DataSystemUser=column_ifexists('data_systemUser_d', ''),\n DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),\n DataUserId=column_ifexists('data_userId_d', ''),\n DataUserName=column_ifexists('data_userName_s', ''),\n EventSubStatus=column_ifexists('secondaryDescription_s', ''),\n SecondaryDescription=column_ifexists('secondaryDescription_s', ''),\n 
AgentId=column_ifexists('agentId_s', ''),\n DataComputerName=column_ifexists('data_computerName_s', ''),\n DataExternalIp=column_ifexists('data_externalIp_s', ''),\n DataGroupName=column_ifexists('data_groupName_s', ''),\n DataSystem=column_ifexists('data_system_b', ''),\n DataUuid=column_ifexists('data_uuid_g', ''),\n GroupId=column_ifexists('groupId_s', ''),\n GroupName=column_ifexists('groupName_s', ''),\n DataGroup=column_ifexists('data_group_s', ''),\n DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),\n DataCreatedAt=column_ifexists('data_createdAt_t', ''),\n DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),\n DataFilePath=column_ifexists('data_filePath_s', ''),\n DataFilename=column_ifexists('data_filename_s', ''),\n DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),\n Comments=column_ifexists('comments_s', ''),\n DataNewValue=column_ifexists('data_newValue_s', ''),\n DataPolicyId=column_ifexists('data_policy_id_s', ''),\n DataPolicyName=column_ifexists('data_policyName_s', ''),\n DataNewValueb=column_ifexists('data_newValue_b', ''),\n DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),\n DataRoleName=column_ifexists('data_roleName_s', ''),\n DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),\n ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),\n ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),\n ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),\n ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),\n ActiveThreats=column_ifexists('activeThreats_d', ''),\n AgentVersion=column_ifexists('agentVersion_s', ''),\n AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),\n AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),\n ComputerName=column_ifexists('computerName_s', ''),\n 
ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),\n CoreCount=column_ifexists('coreCount_d', ''),\n CpuCount=column_ifexists('cpuCount_d', ''),\n CpuId=column_ifexists('cpuId_s', ''),\n SrcDvcDomain=column_ifexists('domain_s', ''),\n EncryptedApplications=column_ifexists('encryptedApplications_b', ''),\n ExternalId=column_ifexists('externalId_s', ''),\n ExternalIp=column_ifexists('externalIp_s', ''),\n FirewallEnabled=column_ifexists('firewallEnabled_b', ''),\n GroupIp=column_ifexists('groupIp_s', ''),\n InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),\n Infected=column_ifexists('infected_b', ''),\n InstallerType=column_ifexists('installerType_s', ''),\n IsActive=column_ifexists('isActive_b', ''),\n IsDecommissioned=column_ifexists('isDecommissioned_b', ''),\n IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),\n IsUninstalled=column_ifexists('isUninstalled_b', ''),\n IsUpToDate=column_ifexists('isUpToDate_b', ''),\n LastActiveDate=column_ifexists('lastActiveDate_t', ''),\n LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),\n LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),\n LicenseKey=column_ifexists('licenseKey_s', ''),\n LocationEnabled=column_ifexists('locationEnabled_b', ''),\n LocationType=column_ifexists('locationType_s', ''),\n Locations=column_ifexists('locations_s', ''),\n MachineType=column_ifexists('machineType_s', ''),\n MitigationMode=column_ifexists('mitigationMode_s', ''),\n MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),\n SrcDvcModelName=column_ifexists('modelName_s', ''),\n NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),\n //NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),\n NetworkStatus=column_ifexists('networkStatus_s', ''),\n OperationalState=column_ifexists('operationalState_s', ''),\n OsArch=column_ifexists('osArch_s', ''),\n SrcDvcOs=column_ifexists('osName_s', ''),\n 
OsRevision=column_ifexists('osRevision_s', ''),\n OsStartTime=column_ifexists('osStartTime_t', ''),\n OsType=column_ifexists('osType_s', ''),\n RangerStatus=column_ifexists('rangerStatus_s', ''),\n RangerVersion=column_ifexists('rangerVersion_s', ''),\n RegisteredAt=column_ifexists('registeredAt_t', ''),\n RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),\n ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),\n ScanStartedAt=column_ifexists('scanStartedAt_t', ''),\n ScanStatus=column_ifexists('scanStatus_s', ''),\n ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),\n TotalMemory=column_ifexists('totalMemory_d', ''),\n UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),\n Uuid=column_ifexists('uuid_g', ''),\n Creator=column_ifexists('creator_s', ''),\n CreatedAt=column_ifexists('createdAt_t',''),\n CreatorId=column_ifexists('creatorId_s', ''),\n Inherits=column_ifexists('inherits_b', ''),\n IsDefault=column_ifexists('isDefault_b', ''),\n Name=column_ifexists('name_s', ''),\n RegistrationToken=column_ifexists('registrationToken_s', ''),\n TotalAgents=column_ifexists('totalAgents_d', ''),\n Type=column_ifexists('type_s', '');\n union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union\n | extend \n ActivityType,\n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n DataAccountName=tostring(parse_json(todynamic(Data)).accountName),\n DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails),\n DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel),\n DataScopeName=tostring(parse_json(todynamic(Data)).scopeName),\n DataSiteId=tostring(parse_json(todynamic(Data)).siteId),\n DataSiteName=tostring(parse_json(todynamic(Data)).siteName),\n SrcUserName=tostring(parse_json(todynamic(Data)).userName),\n EventId=Id,\n SourceParentProcessInfo,\n EventOriginalMessage=PrimaryDescription,\n 
UserIdentity=UserId,\n EventTypeDetailed=Description,\n DataRuleId=tostring(parse_json(todynamic(Data)).ruleId),\n DataRuleName=tostring(parse_json(todynamic(Data)).rulename),\n DataScopeId=tostring(parse_json(todynamic(Data)).scopeId),\n DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser),\n DataUserId=tostring(parse_json(todynamic(Data)).userId),\n DataUserName=tostring(parse_json(todynamic(Data)).userName),\n EventSubStatus=SecondaryDescription,\n DataComputerName=tostring(parse_json(todynamic(Data)).computerName),\n DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp),\n DataGroupName=tostring(parse_json(todynamic(Data)).groupName),\n DataStatus=tostring(parse_json(todynamic(Data)).status),\n DataByUser=tostring(parse_json(todynamic(Data)).byUser),\n DataRole=tostring(parse_json(todynamic(Data)).role),\n DataUserScope=tostring(parse_json(todynamic(Data)).userScope),\n DataSource=tostring(parse_json(todynamic(Data)).source),\n DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr),\n DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime),\n //DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine),\n DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime),\n DataUuid=Uuid,\n DataGroup=tostring(parse_json(todynamic(Data)).group),\n DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription),\n EventType=tostring(parse_json(todynamic(AlertInfo)).eventType),\n DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode),\n DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails),\n DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType),\n DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity),\n DataSystem=tostring(parse_json(todynamic(Data)).system),\n DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups),\n DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt),\n 
DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl),\n DataFilePath=tostring(parse_json(todynamic(Data)).filePath),\n DataFilename=tostring(parse_json(todynamic(Data)).filename),\n DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename),\n DataNewValue=tostring(parse_json(todynamic(Data)).newValue),\n DataPolicyId=tostring(parse_json(todynamic(Data)).policyId),\n DataPolicyName=tostring(parse_json(todynamic(Data)).policyName),\n DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot),\n DataRoleName=tostring(parse_json(todynamic(Data)).roleName),\n DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName),\n ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName),\n ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf),\n ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName),\n ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf),\n SrcDvcDomain=Domain,\n AlertInfo,\n FirewallEnabled=column_ifexists('FirewallEnabled',''),\n LocationEnabled=column_ifexists('LocationEnabled',''),\n SrcDvcModelName=ModelName,\n //NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''),\n SrcDvcOs=OsName,\n SourceProcessInfo,\n RuleInfo,\n TargetProcessInfo,\n ContainerInfo,\n EventCreationTime=CreatedAt,\n RemoteProfilingState=column_ifexists('RemoteProfilingState','')\n | project\n TimeGenerated, \n EventVendor,\n EventProduct,\n AccountName,\n SourceParentProcessInfo,\n TargetProcessInfo,\n ActivityType,\n EventCreationTime,\n DataAccountName,\n DataFullScopeDetails,\n DataScopeLevel,\n DataScopeName,\n DataSiteId,\n SourceProcessInfo,\n DataSiteName,\n SrcUserName,\n EventId,\n EventOriginalMessage,\n SiteId,\n SiteName,\n UpdatedAt,\n UserIdentity,\n EventType,\n DataByUser,\n DataRole,\n 
DataUserScope,\n EventTypeDetailed,\n DataSource,\n DataExpiryDateStr,\n DataExpiryTime,\n //DataNetworkquarantine,\n DataRuleCreationTime,\n DataRuleDescription,\n DataRuleExpirationMode,\n DataRuleId,\n DataRuleName,\n DataRuleQueryDetails,\n DataRuleQueryType,\n DataRuleSeverity,\n DataScopeId,\n DataStatus,\n DataSystemUser,\n DataTreatasthreat,\n DataUserId,\n DataUserName,\n EventSubStatus,\n AgentId,\n DataComputerName,\n DataExternalIp,\n DataGroupName,\n DataSystem,\n DataUuid,\n GroupId,\n GroupName,\n DataGroup,\n DataOptionalGroups,\n DataCreatedAt,\n DataDownloadUrl,\n DataFilePath,\n DataFilename,\n DataUploadedFilename,\n Comments,\n DataNewValue,\n DataPolicyId,\n DataPolicyName,\n DataNewValueb,\n DataShouldReboot,\n DataRoleName,\n DataScopeLevelName,\n ActiveDirectoryComputerDistinguishedName,\n ActiveDirectoryComputerMemberOf,\n ActiveDirectoryLastUserDistinguishedName,\n ActiveDirectoryLastUserMemberOf,\n ActiveThreats=toreal(activeThreats_d),\n AgentVersion,\n AllowRemoteShell,\n AppsVulnerabilityStatus,\n ComputerName,\n ConsoleMigrationStatus,\n CoreCount=toreal(coreCount_d),\n CpuCount=toreal(cpuCount_d),\n CpuId,\n SrcDvcDomain,\n EncryptedApplications,\n ExternalId,\n ExternalIp,\n FirewallEnabled,\n GroupIp,\n InRemoteShellSession,\n Infected,\n InstallerType,\n IsActive,\n IsDecommissioned,\n IsPendingUninstall,\n IsUninstalled,\n IsUpToDate,\n LastActiveDate=tostring(LastActiveDate_datetime),\n LastIpToMgmt,\n LastLoggedInUserName,\n LicenseKey,\n LocationEnabled,\n LocationType,\n Locations,\n MachineType,\n MitigationMode,\n MitigationModeSuspicious,\n SrcDvcModelName,\n NetworkInterfaces,\n //NetworkQuarantineEnabled,\n NetworkStatus,\n OperationalState,\n OsArch,\n SrcDvcOs,\n OsRevision,\n OsStartTime,\n OsType,\n RangerStatus,\n RangerVersion,\n RegisteredAt=tostring(RegisteredAt_datetime),\n RemoteProfilingState,\n ScanFinishedAt=tostring(ScanFinishedAt_datetime),\n ScanStartedAt=tostring(ScanStartedAt_datetime),\n ScanStatus,\n 
ThreatRebootRequired,\n TotalMemory=toreal(totalMemory_d),\n UserActionsNeeded,\n Uuid,\n Creator,\n CreatorId,\n Inherits,\n IsDefault,\n Name,\n AlertInfo,\n RuleInfo,\n ContainerInfo,\n RegistrationToken,\n TotalAgents=totalAgents_d,\n Type;\n };\n SentinelOne_view\n", "functionParameters": "", "version": 2, "tags": [ 
@@ -2839,7 +2839,7 @@ "displayName": "Parser for SentinelOne", "category": "Microsoft Sentinel Parser", "functionAlias": "SentinelOne", - "query": "let SentinelOne_view = view () { \nlet SentinelOneV2_Empty = datatable(\n AccountId:string,\n AccountName:string,\n ActivityType:real ,\n EventCreationTime:datetime,\n DataAccountName:string,\n DataFullScopeDetails:string,\n DataScopeLevel:string,\n DataScopeName:string,\n DataSiteId:int,\n SecondaryDescription:string ,\n DataSiteName:string,\n SourceProcessInfo:string,\n SrcUserName:string,\n EventId:string,\n EventOriginalMessage:string,\n SiteId:string,\n SiteName:string,\n UpdatedAt:datetime ,\n UserIdentity:string,\n EventType:string,\n DataByUser:string,\n DataRole:string,\n DataUserScope:string,\n EventTypeDetailed:string,\n DataSource:string,\n DataExpiryDateStr:string,\n DataExpiryTime:int,\n DataNetworkquarantine:bool,\n DataRuleCreationTime:int,\n DataRuleDescription:string,\n DataRuleExpirationMode:string,\n DataRuleId:int,\n DataRuleName:string,\n DataRuleQueryDetails:string,\n DataRuleQueryType:string,\n DataRuleSeverity:string,\n DataScopeId:int,\n DataStatus:string,\n DataSystemUser:int,\n DataTreatasthreat:string,\n DataUserId:int,\n RuleInfo:string,\n DataUserName:string,\n EventSubStatus:string,\n AgentId:string,\n DataComputerName:string,\n DataExternalIp:string,\n DataGroupName:string,\n DataSystem:bool,\n DataUuid:string,\n GroupId:string,\n GroupName:string,\n DataGroup:string,\n UserId:string ,\n DataOptionalGroups:string,\n DataCreatedAt:string,\n DataDownloadUrl:string,\n DataFilePath:string,\n DataFilename:string,\n DataUploadedFilename:string,\n Comments:string,\n DataNewValue:string,\n DataPolicyId:string,\n DataPolicyName:string,\n DataNewValueb:string,\n DataShouldReboot:bool,\n DataRoleName:string,\n DataScopeLevelName:string,\n ActiveDirectoryComputerDistinguishedName:string,\n ActiveDirectoryComputerMemberOf:string,\n ActiveDirectoryLastUserDistinguishedName:string,\n 
ActiveDirectoryLastUserMemberOf:string,\n ActiveThreats:int,\n AgentVersion:string,\n AllowRemoteShell:bool,\n AppsVulnerabilityStatus:string,\n ComputerName:string,\n ConsoleMigrationStatus:string,\n CoreCount:int,\n CpuCount:int,\n CpuId:string,\n SrcDvcDomain:string,\n EncryptedApplications:bool,\n ExternalId:string,\n ExternalIp:string,\n FirewallEnabled:bool,\n GroupIp:string,\n InRemoteShellSession:bool,\n Infected:bool,\n InstallerType:string,\n IsActive:bool,\n IsDecommissioned:bool,\n IsPendingUninstall:bool,\n IsUninstalled:bool,\n IsUpToDate:bool,\n LastActiveDate:string,\n TargetProcessInfo:string ,\n LastIpToMgmt:string,\n LastLoggedInUserName:string,\n LicenseKey:string,\n LocationEnabled:bool,\n LocationType:string,\n Locations:string,\n MachineType:string,\n MitigationMode:string,\n MitigationModeSuspicious:string,\n SrcDvcModelName:string,\n NetworkInterfaces:string,\n NetworkQuarantineEnabled:bool,\n NetworkStatus:string,\n OperationalState:string,\n OsArch:string,\n SrcDvcOs:string,\n OsRevision:string,\n OsStartTime:datetime ,\n OsType:string,\n RangerStatus:string,\n RangerVersion:string,\n RegisteredAt:string,\n RemoteProfilingState:string,\n ScanFinishedAt:string,\n ScanStartedAt:string,\n ScanStatus:string,\n ThreatRebootRequired:bool,\n TotalMemory:int,\n SourceParentProcessInfo:string ,\n UserActionsNeeded:string,\n Uuid:string,\n Creator:string,\n ContainerInfo:string,\n CreatorId:string,\n Inherits:string ,\n IsDefault:string ,\n Name:string,\n RegistrationToken:string,\n AlertInfo:string,\n PrimaryDescription:string ,\n TotalAgents:real ,\n CreatedAt:datetime ,\n Id:string,\n Type:string\n )[]; \n let SentinelOneV1_Empty = datatable (\n accountId_s:string,\n accountName_s:string,\n activityType_d:real,\n createdAt_t:datetime ,\n data_accountName_s:string,\n data_fullScopeDetails_s:string,\n data_scopeLevel_s:string,\n data_scopeName_s:string,\n data_siteId_d:int,\n data_siteName_s:string,\n data_username_s:string,\n id_s:string,\n 
primaryDescription_s:string,\n siteId_s:string,\n siteName_s:string,\n updatedAt_t:datetime ,\n userId_s:string,\n event_name_s:string,\n data_byUser_s:string,\n data_role_s:string,\n data_userScope_s:string,\n description_s:string,\n data_source_s:string,\n data_expiryDateStr_s:string,\n data_expiryTime_d:int,\n data_networkquarantine_b:bool,\n data_ruleCreationTime_d:int,\n data_ruleDescription_s:string,\n data_ruleExpirationMode_s:string,\n data_ruleId_d:int,\n data_ruleName_s:string,\n data_ruleQueryDetails_s:string,\n data_ruleQueryType_s:string,\n data_ruleSeverity_s:string,\n data_scopeId_d:int,\n data_status_s:string,\n data_systemUser_d:int,\n data_treatasthreat_s:string,\n data_userId_d:int,\n data_userName_s:string,\n secondaryDescription_s:string,\n agentId_s:string,\n data_computerName_s:string,\n data_externalIp_s:string,\n data_groupName_s:string,\n data_system_b:bool,\n data_uuid_g:string,\n groupId_s:string,\n groupName_s:string,\n data_group_s:string,\n data_optionalGroups_s:string,\n data_createdAt_t:string,\n data_downloadUrl_s:string,\n data_filePath_s:string,\n data_filename_s:string,\n data_uploadedFilename_s:string,\n comments_s:string,\n data_newValue_s:string,\n data_policy_id_s:string,\n data_policyName_s:string,\n data_newValue_b:bool,\n data_shouldReboot_b:bool,\n data_roleName_s:string,\n data_scopeLevelName_s:string,\n activeDirectory_computerDistinguishedName_s:string,\n activeDirectory_computerMemberOf_s:string,\n activeDirectory_lastUserDistinguishedName_s:string,\n activeDirectory_lastUserMemberOf_s:string,\n activeThreats_d:real,\n agentVersion_s:string,\n allowRemoteShell_b:bool,\n appsVulnerabilityStatus_s:string,\n computerName_s:string,\n consoleMigrationStatus_s:string,\n coreCount_d:real,\n cpuCount_d:real ,\n cpuId_s:string,\n domain_s:string,\n encryptedApplications_b:bool,\n externalId_s:string,\n externalIp_s:string,\n firewallEnabled_b:bool,\n groupIp_s:string,\n inRemoteShellSession_b:bool,\n infected_b:bool,\n 
installerType_s:string,\n isActive_b:bool,\n isDecommissioned_b:bool,\n isPendingUninstall_b:bool,\n isUninstalled_b:bool,\n isUpToDate_b:bool,\n lastActiveDate_t:string,\n lastIpToMgmt_s:string,\n lastLoggedInUserName_s:string,\n licenseKey_s:string,\n locationEnabled_b:bool,\n locationType_s:string,\n locations_s:string,\n machineType_s:string,\n mitigationMode_s:string,\n mitigationModeSuspicious_s:string,\n modelName_s:string,\n networkInterfaces_s:string,\n networkQuarantineEnabled_b:bool,\n networkStatus_s:string,\n operationalState_s:string,\n osArch_s:string,\n osName_s:string,\n osRevision_s:string,\n osStartTime_t:datetime ,\n osType_s:string,\n rangerStatus_s:string,\n rangerVersion_s:string,\n registeredAt_t:string,\n remoteProfilingState_s:string,\n scanFinishedAt_t:string,\n scanStartedAt_t:string,\n scanStatus_s:string,\n threatRebootRequired_b:bool,\n totalMemory_d:real ,\n userActionsNeeded_s:string,\n uuid_g:string,\n creator_s:string,\n creatorId_s:string,\n inherits_b:string ,\n isDefault_b:string ,\n name_s:string,\n registrationToken_s:string,\n totalAgents_d:real ,\n type_s:string\n )[];\n let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty\n | extend \n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n AccountId=column_ifexists('accountId_s', ''),\n AccountName=column_ifexists('accountName_s', ''),\n ActivityType=toreal(column_ifexists('activityType_d', '')),\n EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')),\n DataAccountName=column_ifexists('data_accountName_s', ''),\n DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),\n DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),\n DataScopeName=column_ifexists('data_scopeName_s', ''),\n DataSiteId=column_ifexists('data_siteId_d', ''),\n DataSiteName=column_ifexists('data_siteName_s', ''),\n SrcUserName=column_ifexists('data_username_s', ''),\n EventId=column_ifexists('id_s', ''),\n 
EventOriginalMessage=column_ifexists('primaryDescription_s', ''),\n PrimaryDescription=column_ifexists('primaryDescription_s', ''),\n SiteId=column_ifexists('siteId_s', ''),\n SiteName=column_ifexists('siteName_s', ''),\n UpdatedAt=column_ifexists('updatedAt_t', ''),\n UserIdentity=column_ifexists('userId_s', ''),\n UserId=column_ifexists('userId_s', ''),\n EventType=column_ifexists('event_name_s', ''),\n DataByUser=column_ifexists('data_byUser_s', ''),\n DataRole=column_ifexists('data_role_s', ''),\n DataUserScope=column_ifexists('data_userScope_s', ''),\n EventTypeDetailed=column_ifexists('description_s', ''),\n DataSource=column_ifexists('data_source_s', ''),\n DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),\n DataExpiryTime=column_ifexists('data_expiryTime_d', ''),\n DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),\n DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),\n DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),\n DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),\n DataRuleId=column_ifexists('data_ruleId_d', ''),\n DataRuleName=column_ifexists('data_ruleName_s', ''),\n DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),\n DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),\n DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),\n DataScopeId=column_ifexists('data_scopeId_d', ''),\n Id=column_ifexists('id_s', ''),\n DataStatus=column_ifexists('data_status_s', ''),\n DataSystemUser=column_ifexists('data_systemUser_d', ''),\n DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),\n DataUserId=column_ifexists('data_userId_d', ''),\n DataUserName=column_ifexists('data_userName_s', ''),\n EventSubStatus=column_ifexists('secondaryDescription_s', ''),\n SecondaryDescription=column_ifexists('secondaryDescription_s', ''),\n AgentId=column_ifexists('agentId_s', ''),\n DataComputerName=column_ifexists('data_computerName_s', ''),\n 
DataExternalIp=column_ifexists('data_externalIp_s', ''),\n DataGroupName=column_ifexists('data_groupName_s', ''),\n DataSystem=column_ifexists('data_system_b', ''),\n DataUuid=column_ifexists('data_uuid_g', ''),\n GroupId=column_ifexists('groupId_s', ''),\n GroupName=column_ifexists('groupName_s', ''),\n DataGroup=column_ifexists('data_group_s', ''),\n DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),\n DataCreatedAt=column_ifexists('data_createdAt_t', ''),\n DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),\n DataFilePath=column_ifexists('data_filePath_s', ''),\n DataFilename=column_ifexists('data_filename_s', ''),\n DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),\n Comments=column_ifexists('comments_s', ''),\n DataNewValue=column_ifexists('data_newValue_s', ''),\n DataPolicyId=column_ifexists('data_policy_id_s', ''),\n DataPolicyName=column_ifexists('data_policyName_s', ''),\n DataNewValueb=column_ifexists('data_newValue_b', ''),\n DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),\n DataRoleName=column_ifexists('data_roleName_s', ''),\n DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),\n ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),\n ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),\n ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),\n ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),\n ActiveThreats=column_ifexists('activeThreats_d', ''),\n AgentVersion=column_ifexists('agentVersion_s', ''),\n AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),\n AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),\n ComputerName=column_ifexists('computerName_s', ''),\n ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),\n 
CoreCount=column_ifexists('coreCount_d', ''),\n CpuCount=column_ifexists('cpuCount_d', ''),\n CpuId=column_ifexists('cpuId_s', ''),\n SrcDvcDomain=column_ifexists('domain_s', ''),\n EncryptedApplications=column_ifexists('encryptedApplications_b', ''),\n ExternalId=column_ifexists('externalId_s', ''),\n ExternalIp=column_ifexists('externalIp_s', ''),\n FirewallEnabled=column_ifexists('firewallEnabled_b', ''),\n GroupIp=column_ifexists('groupIp_s', ''),\n InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),\n Infected=column_ifexists('infected_b', ''),\n InstallerType=column_ifexists('installerType_s', ''),\n IsActive=column_ifexists('isActive_b', ''),\n IsDecommissioned=column_ifexists('isDecommissioned_b', ''),\n IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),\n IsUninstalled=column_ifexists('isUninstalled_b', ''),\n IsUpToDate=column_ifexists('isUpToDate_b', ''),\n LastActiveDate=column_ifexists('lastActiveDate_t', ''),\n LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),\n LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),\n LicenseKey=column_ifexists('licenseKey_s', ''),\n LocationEnabled=column_ifexists('locationEnabled_b', ''),\n LocationType=column_ifexists('locationType_s', ''),\n Locations=column_ifexists('locations_s', ''),\n MachineType=column_ifexists('machineType_s', ''),\n MitigationMode=column_ifexists('mitigationMode_s', ''),\n MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),\n SrcDvcModelName=column_ifexists('modelName_s', ''),\n NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),\n NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),\n NetworkStatus=column_ifexists('networkStatus_s', ''),\n OperationalState=column_ifexists('operationalState_s', ''),\n OsArch=column_ifexists('osArch_s', ''),\n SrcDvcOs=column_ifexists('osName_s', ''),\n OsRevision=column_ifexists('osRevision_s', ''),\n OsStartTime=column_ifexists('osStartTime_t', ''),\n 
OsType=column_ifexists('osType_s', ''),\n RangerStatus=column_ifexists('rangerStatus_s', ''),\n RangerVersion=column_ifexists('rangerVersion_s', ''),\n RegisteredAt=column_ifexists('registeredAt_t', ''),\n RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),\n ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),\n ScanStartedAt=column_ifexists('scanStartedAt_t', ''),\n ScanStatus=column_ifexists('scanStatus_s', ''),\n ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),\n TotalMemory=column_ifexists('totalMemory_d', ''),\n UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),\n Uuid=column_ifexists('uuid_g', ''),\n Creator=column_ifexists('creator_s', ''),\n CreatedAt=column_ifexists('createdAt_t',''),\n CreatorId=column_ifexists('creatorId_s', ''),\n Inherits=column_ifexists('inherits_b', ''),\n IsDefault=column_ifexists('isDefault_b', ''),\n Name=column_ifexists('name_s', ''),\n RegistrationToken=column_ifexists('registrationToken_s', ''),\n TotalAgents=column_ifexists('totalAgents_d', ''),\n Type=column_ifexists('type_s', '');\n union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union\n | extend \n ActivityType,\n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n DataAccountName=tostring(parse_json(todynamic(Data)).accountName),\n DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails),\n DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel),\n DataScopeName=tostring(parse_json(todynamic(Data)).scopeName),\n DataSiteId=tostring(parse_json(todynamic(Data)).siteId),\n DataSiteName=tostring(parse_json(todynamic(Data)).siteName),\n SrcUserName=tostring(parse_json(todynamic(Data)).userName),\n EventId=Id,\n SourceParentProcessInfo,\n EventOriginalMessage=PrimaryDescription,\n UserIdentity=UserId,\n EventTypeDetailed=Description,\n DataRuleId=tostring(parse_json(todynamic(Data)).ruleId),\n 
DataRuleName=tostring(parse_json(todynamic(Data)).rulename),\n DataScopeId=tostring(parse_json(todynamic(Data)).scopeId),\n DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser),\n DataUserId=tostring(parse_json(todynamic(Data)).userId),\n DataUserName=tostring(parse_json(todynamic(Data)).userName),\n EventSubStatus=SecondaryDescription,\n DataComputerName=tostring(parse_json(todynamic(Data)).computerName),\n DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp),\n DataGroupName=tostring(parse_json(todynamic(Data)).groupName),\n DataStatus=tostring(parse_json(todynamic(Data)).status),\n DataByUser=tostring(parse_json(todynamic(Data)).byUser),\n DataRole=tostring(parse_json(todynamic(Data)).role),\n DataUserScope=tostring(parse_json(todynamic(Data)).userScope),\n DataSource=tostring(parse_json(todynamic(Data)).source),\n DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr),\n DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime),\n DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine),\n DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime),\n DataUuid=Uuid,\n DataGroup=tostring(parse_json(todynamic(Data)).group),\n DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription),\n EventType=tostring(parse_json(todynamic(AlertInfo)).eventType),\n DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode),\n DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails),\n DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType),\n DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity),\n DataSystem=tostring(parse_json(todynamic(Data)).system),\n DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups),\n DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt),\n DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl),\n 
DataFilePath=tostring(parse_json(todynamic(Data)).filePath),\n DataFilename=tostring(parse_json(todynamic(Data)).filename),\n DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename),\n DataNewValue=tostring(parse_json(todynamic(Data)).newValue),\n DataPolicyId=tostring(parse_json(todynamic(Data)).policyId),\n DataPolicyName=tostring(parse_json(todynamic(Data)).policyName),\n DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot),\n DataRoleName=tostring(parse_json(todynamic(Data)).roleName),\n DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName),\n ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName),\n ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf),\n ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName),\n ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf),\n SrcDvcDomain=Domain,\n AlertInfo,\n FirewallEnabled=column_ifexists('FirewallEnabled',''),\n LocationEnabled=column_ifexists('LocationEnabled',''),\n SrcDvcModelName=ModelName,\n NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''),\n SrcDvcOs=OsName,\n SourceProcessInfo,\n RuleInfo,\n TargetProcessInfo,\n ContainerInfo,\n EventCreationTime=CreatedAt,\n RemoteProfilingState=column_ifexists('RemoteProfilingState','')\n | project\n TimeGenerated, \n EventVendor,\n EventProduct,\n AccountName,\n SourceParentProcessInfo,\n TargetProcessInfo,\n ActivityType,\n EventCreationTime,\n DataAccountName,\n DataFullScopeDetails,\n DataScopeLevel,\n DataScopeName,\n DataSiteId,\n SourceProcessInfo,\n DataSiteName,\n SrcUserName,\n EventId,\n EventOriginalMessage,\n SiteId,\n SiteName,\n UpdatedAt,\n UserIdentity,\n EventType,\n DataByUser,\n DataRole,\n DataUserScope,\n EventTypeDetailed,\n DataSource,\n DataExpiryDateStr,\n 
DataExpiryTime,\n DataNetworkquarantine,\n DataRuleCreationTime,\n DataRuleDescription,\n DataRuleExpirationMode,\n DataRuleId,\n DataRuleName,\n DataRuleQueryDetails,\n DataRuleQueryType,\n DataRuleSeverity,\n DataScopeId,\n DataStatus,\n DataSystemUser,\n DataTreatasthreat,\n DataUserId,\n DataUserName,\n EventSubStatus,\n AgentId,\n DataComputerName,\n DataExternalIp,\n DataGroupName,\n DataSystem,\n DataUuid,\n GroupId,\n GroupName,\n DataGroup,\n DataOptionalGroups,\n DataCreatedAt,\n DataDownloadUrl,\n DataFilePath,\n DataFilename,\n DataUploadedFilename,\n Comments,\n DataNewValue,\n DataPolicyId,\n DataPolicyName,\n DataNewValueb,\n DataShouldReboot,\n DataRoleName,\n DataScopeLevelName,\n ActiveDirectoryComputerDistinguishedName,\n ActiveDirectoryComputerMemberOf,\n ActiveDirectoryLastUserDistinguishedName,\n ActiveDirectoryLastUserMemberOf,\n ActiveThreats=toreal(activeThreats_d),\n AgentVersion,\n AllowRemoteShell,\n AppsVulnerabilityStatus,\n ComputerName,\n ConsoleMigrationStatus,\n CoreCount=toreal(coreCount_d),\n CpuCount=toreal(cpuCount_d),\n CpuId,\n SrcDvcDomain,\n EncryptedApplications,\n ExternalId,\n ExternalIp,\n FirewallEnabled,\n GroupIp,\n InRemoteShellSession,\n Infected,\n InstallerType,\n IsActive,\n IsDecommissioned,\n IsPendingUninstall,\n IsUninstalled,\n IsUpToDate,\n LastActiveDate=tostring(LastActiveDate_datetime),\n LastIpToMgmt,\n LastLoggedInUserName,\n LicenseKey,\n LocationEnabled,\n LocationType,\n Locations,\n MachineType,\n MitigationMode,\n MitigationModeSuspicious,\n SrcDvcModelName,\n NetworkInterfaces,\n NetworkQuarantineEnabled,\n NetworkStatus,\n OperationalState,\n OsArch,\n SrcDvcOs,\n OsRevision,\n OsStartTime,\n OsType,\n RangerStatus,\n RangerVersion,\n RegisteredAt=tostring(RegisteredAt_datetime),\n RemoteProfilingState,\n ScanFinishedAt=tostring(ScanFinishedAt_datetime),\n ScanStartedAt=tostring(ScanStartedAt_datetime),\n ScanStatus,\n ThreatRebootRequired,\n TotalMemory=toreal(totalMemory_d),\n 
UserActionsNeeded,\n Uuid,\n Creator,\n CreatorId,\n Inherits,\n IsDefault,\n Name,\n AlertInfo,\n RuleInfo,\n ContainerInfo,\n RegistrationToken,\n TotalAgents=totalAgents_d,\n Type;\n };\n SentinelOne_view\n",
+ "query": "let SentinelOne_view = view () { \nlet SentinelOneV2_Empty = datatable(\n AccountId:string,\n AccountName:string,\n ActivityType:real ,\n EventCreationTime:datetime,\n DataAccountName:string,\n DataFullScopeDetails:string,\n DataScopeLevel:string,\n DataScopeName:string,\n DataSiteId:int,\n SecondaryDescription:string ,\n DataSiteName:string,\n SourceProcessInfo:string,\n SrcUserName:string,\n EventId:string,\n EventOriginalMessage:string,\n SiteId:string,\n SiteName:string,\n UpdatedAt:datetime ,\n UserIdentity:string,\n EventType:string,\n DataByUser:string,\n DataRole:string,\n DataUserScope:string,\n EventTypeDetailed:string,\n DataSource:string,\n DataExpiryDateStr:string,\n DataExpiryTime:int,\n //DataNetworkquarantine:bool,\n DataRuleCreationTime:int,\n DataRuleDescription:string,\n DataRuleExpirationMode:string,\n DataRuleId:int,\n DataRuleName:string,\n DataRuleQueryDetails:string,\n DataRuleQueryType:string,\n DataRuleSeverity:string,\n DataScopeId:int,\n DataStatus:string,\n DataSystemUser:int,\n DataTreatasthreat:string,\n DataUserId:int,\n RuleInfo:string,\n DataUserName:string,\n EventSubStatus:string,\n AgentId:string,\n DataComputerName:string,\n DataExternalIp:string,\n DataGroupName:string,\n DataSystem:bool,\n DataUuid:string,\n GroupId:string,\n GroupName:string,\n DataGroup:string,\n UserId:string ,\n DataOptionalGroups:string,\n DataCreatedAt:string,\n DataDownloadUrl:string,\n DataFilePath:string,\n DataFilename:string,\n DataUploadedFilename:string,\n Comments:string,\n DataNewValue:string,\n DataPolicyId:string,\n DataPolicyName:string,\n DataNewValueb:string,\n DataShouldReboot:bool,\n DataRoleName:string,\n DataScopeLevelName:string,\n ActiveDirectoryComputerDistinguishedName:string,\n 
ActiveDirectoryComputerMemberOf:string,\n ActiveDirectoryLastUserDistinguishedName:string,\n ActiveDirectoryLastUserMemberOf:string,\n ActiveThreats:int,\n AgentVersion:string,\n AllowRemoteShell:bool,\n AppsVulnerabilityStatus:string,\n ComputerName:string,\n ConsoleMigrationStatus:string,\n CoreCount:int,\n CpuCount:int,\n CpuId:string,\n SrcDvcDomain:string,\n EncryptedApplications:bool,\n ExternalId:string,\n ExternalIp:string,\n FirewallEnabled:bool,\n GroupIp:string,\n InRemoteShellSession:bool,\n Infected:bool,\n InstallerType:string,\n IsActive:bool,\n IsDecommissioned:bool,\n IsPendingUninstall:bool,\n IsUninstalled:bool,\n IsUpToDate:bool,\n LastActiveDate:string,\n TargetProcessInfo:string ,\n LastIpToMgmt:string,\n LastLoggedInUserName:string,\n LicenseKey:string,\n LocationEnabled:bool,\n LocationType:string,\n Locations:string,\n MachineType:string,\n MitigationMode:string,\n MitigationModeSuspicious:string,\n SrcDvcModelName:string,\n NetworkInterfaces:string,\n //NetworkQuarantineEnabled:bool,\n NetworkStatus:string,\n OperationalState:string,\n OsArch:string,\n SrcDvcOs:string,\n OsRevision:string,\n OsStartTime:datetime ,\n OsType:string,\n RangerStatus:string,\n RangerVersion:string,\n RegisteredAt:string,\n RemoteProfilingState:string,\n ScanFinishedAt:string,\n ScanStartedAt:string,\n ScanStatus:string,\n ThreatRebootRequired:bool,\n TotalMemory:int,\n SourceParentProcessInfo:string ,\n UserActionsNeeded:string,\n Uuid:string,\n Creator:string,\n ContainerInfo:string,\n CreatorId:string,\n Inherits:string ,\n IsDefault:string ,\n Name:string,\n RegistrationToken:string,\n AlertInfo:string,\n PrimaryDescription:string ,\n TotalAgents:real ,\n CreatedAt:datetime ,\n Id:string,\n Type:string\n )[]; \n let SentinelOneV1_Empty = datatable (\n accountId_s:string,\n accountName_s:string,\n activityType_d:real,\n createdAt_t:datetime ,\n data_accountName_s:string,\n data_fullScopeDetails_s:string,\n data_scopeLevel_s:string,\n 
data_scopeName_s:string,\n data_siteId_d:int,\n data_siteName_s:string,\n data_username_s:string,\n id_s:string,\n primaryDescription_s:string,\n siteId_s:string,\n siteName_s:string,\n updatedAt_t:datetime ,\n userId_s:string,\n event_name_s:string,\n data_byUser_s:string,\n data_role_s:string,\n data_userScope_s:string,\n description_s:string,\n data_source_s:string,\n data_expiryDateStr_s:string,\n data_expiryTime_d:int,\n //data_networkquarantine_b:bool,\n data_ruleCreationTime_d:int,\n data_ruleDescription_s:string,\n data_ruleExpirationMode_s:string,\n data_ruleId_d:int,\n data_ruleName_s:string,\n data_ruleQueryDetails_s:string,\n data_ruleQueryType_s:string,\n data_ruleSeverity_s:string,\n data_scopeId_d:int,\n data_status_s:string,\n data_systemUser_d:int,\n data_treatasthreat_s:string,\n data_userId_d:int,\n data_userName_s:string,\n secondaryDescription_s:string,\n agentId_s:string,\n data_computerName_s:string,\n data_externalIp_s:string,\n data_groupName_s:string,\n data_system_b:bool,\n data_uuid_g:string,\n groupId_s:string,\n groupName_s:string,\n data_group_s:string,\n data_optionalGroups_s:string,\n data_createdAt_t:string,\n data_downloadUrl_s:string,\n data_filePath_s:string,\n data_filename_s:string,\n data_uploadedFilename_s:string,\n comments_s:string,\n data_newValue_s:string,\n data_policy_id_s:string,\n data_policyName_s:string,\n data_newValue_b:bool,\n data_shouldReboot_b:bool,\n data_roleName_s:string,\n data_scopeLevelName_s:string,\n activeDirectory_computerDistinguishedName_s:string,\n activeDirectory_computerMemberOf_s:string,\n activeDirectory_lastUserDistinguishedName_s:string,\n activeDirectory_lastUserMemberOf_s:string,\n activeThreats_d:real,\n agentVersion_s:string,\n allowRemoteShell_b:bool,\n appsVulnerabilityStatus_s:string,\n computerName_s:string,\n consoleMigrationStatus_s:string,\n coreCount_d:real,\n cpuCount_d:real ,\n cpuId_s:string,\n domain_s:string,\n encryptedApplications_b:bool,\n externalId_s:string,\n 
externalIp_s:string,\n firewallEnabled_b:bool,\n groupIp_s:string,\n inRemoteShellSession_b:bool,\n infected_b:bool,\n installerType_s:string,\n isActive_b:bool,\n isDecommissioned_b:bool,\n isPendingUninstall_b:bool,\n isUninstalled_b:bool,\n isUpToDate_b:bool,\n lastActiveDate_t:string,\n lastIpToMgmt_s:string,\n lastLoggedInUserName_s:string,\n licenseKey_s:string,\n locationEnabled_b:bool,\n locationType_s:string,\n locations_s:string,\n machineType_s:string,\n mitigationMode_s:string,\n mitigationModeSuspicious_s:string,\n modelName_s:string,\n networkInterfaces_s:string,\n //networkQuarantineEnabled_b:bool,\n networkStatus_s:string,\n operationalState_s:string,\n osArch_s:string,\n osName_s:string,\n osRevision_s:string,\n osStartTime_t:datetime ,\n osType_s:string,\n rangerStatus_s:string,\n rangerVersion_s:string,\n registeredAt_t:string,\n remoteProfilingState_s:string,\n scanFinishedAt_t:string,\n scanStartedAt_t:string,\n scanStatus_s:string,\n threatRebootRequired_b:bool,\n totalMemory_d:real ,\n userActionsNeeded_s:string,\n uuid_g:string,\n creator_s:string,\n creatorId_s:string,\n inherits_b:string ,\n isDefault_b:string ,\n name_s:string,\n registrationToken_s:string,\n totalAgents_d:real ,\n type_s:string\n )[];\n let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty\n | extend \n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n AccountId=column_ifexists('accountId_s', ''),\n AccountName=column_ifexists('accountName_s', ''),\n ActivityType=toreal(column_ifexists('activityType_d', '')),\n EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')),\n DataAccountName=column_ifexists('data_accountName_s', ''),\n DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),\n DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),\n DataScopeName=column_ifexists('data_scopeName_s', ''),\n DataSiteId=column_ifexists('data_siteId_d', ''),\n DataSiteName=column_ifexists('data_siteName_s', 
''),\n SrcUserName=column_ifexists('data_username_s', ''),\n EventId=column_ifexists('id_s', ''),\n EventOriginalMessage=column_ifexists('primaryDescription_s', ''),\n PrimaryDescription=column_ifexists('primaryDescription_s', ''),\n SiteId=column_ifexists('siteId_s', ''),\n SiteName=column_ifexists('siteName_s', ''),\n UpdatedAt=column_ifexists('updatedAt_t', ''),\n UserIdentity=column_ifexists('userId_s', ''),\n UserId=column_ifexists('userId_s', ''),\n EventType=column_ifexists('event_name_s', ''),\n DataByUser=column_ifexists('data_byUser_s', ''),\n DataRole=column_ifexists('data_role_s', ''),\n DataUserScope=column_ifexists('data_userScope_s', ''),\n EventTypeDetailed=column_ifexists('description_s', ''),\n DataSource=column_ifexists('data_source_s', ''),\n DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),\n DataExpiryTime=column_ifexists('data_expiryTime_d', ''),\n //DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),\n DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),\n DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),\n DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),\n DataRuleId=column_ifexists('data_ruleId_d', ''),\n DataRuleName=column_ifexists('data_ruleName_s', ''),\n DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),\n DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),\n DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),\n DataScopeId=column_ifexists('data_scopeId_d', ''),\n Id=column_ifexists('id_s', ''),\n DataStatus=column_ifexists('data_status_s', ''),\n DataSystemUser=column_ifexists('data_systemUser_d', ''),\n DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),\n DataUserId=column_ifexists('data_userId_d', ''),\n DataUserName=column_ifexists('data_userName_s', ''),\n EventSubStatus=column_ifexists('secondaryDescription_s', ''),\n SecondaryDescription=column_ifexists('secondaryDescription_s', ''),\n 
AgentId=column_ifexists('agentId_s', ''),\n DataComputerName=column_ifexists('data_computerName_s', ''),\n DataExternalIp=column_ifexists('data_externalIp_s', ''),\n DataGroupName=column_ifexists('data_groupName_s', ''),\n DataSystem=column_ifexists('data_system_b', ''),\n DataUuid=column_ifexists('data_uuid_g', ''),\n GroupId=column_ifexists('groupId_s', ''),\n GroupName=column_ifexists('groupName_s', ''),\n DataGroup=column_ifexists('data_group_s', ''),\n DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),\n DataCreatedAt=column_ifexists('data_createdAt_t', ''),\n DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),\n DataFilePath=column_ifexists('data_filePath_s', ''),\n DataFilename=column_ifexists('data_filename_s', ''),\n DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),\n Comments=column_ifexists('comments_s', ''),\n DataNewValue=column_ifexists('data_newValue_s', ''),\n DataPolicyId=column_ifexists('data_policy_id_s', ''),\n DataPolicyName=column_ifexists('data_policyName_s', ''),\n DataNewValueb=column_ifexists('data_newValue_b', ''),\n DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),\n DataRoleName=column_ifexists('data_roleName_s', ''),\n DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),\n ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),\n ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),\n ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),\n ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),\n ActiveThreats=column_ifexists('activeThreats_d', ''),\n AgentVersion=column_ifexists('agentVersion_s', ''),\n AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),\n AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),\n ComputerName=column_ifexists('computerName_s', ''),\n 
ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),\n CoreCount=column_ifexists('coreCount_d', ''),\n CpuCount=column_ifexists('cpuCount_d', ''),\n CpuId=column_ifexists('cpuId_s', ''),\n SrcDvcDomain=column_ifexists('domain_s', ''),\n EncryptedApplications=column_ifexists('encryptedApplications_b', ''),\n ExternalId=column_ifexists('externalId_s', ''),\n ExternalIp=column_ifexists('externalIp_s', ''),\n FirewallEnabled=column_ifexists('firewallEnabled_b', ''),\n GroupIp=column_ifexists('groupIp_s', ''),\n InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),\n Infected=column_ifexists('infected_b', ''),\n InstallerType=column_ifexists('installerType_s', ''),\n IsActive=column_ifexists('isActive_b', ''),\n IsDecommissioned=column_ifexists('isDecommissioned_b', ''),\n IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),\n IsUninstalled=column_ifexists('isUninstalled_b', ''),\n IsUpToDate=column_ifexists('isUpToDate_b', ''),\n LastActiveDate=column_ifexists('lastActiveDate_t', ''),\n LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),\n LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),\n LicenseKey=column_ifexists('licenseKey_s', ''),\n LocationEnabled=column_ifexists('locationEnabled_b', ''),\n LocationType=column_ifexists('locationType_s', ''),\n Locations=column_ifexists('locations_s', ''),\n MachineType=column_ifexists('machineType_s', ''),\n MitigationMode=column_ifexists('mitigationMode_s', ''),\n MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),\n SrcDvcModelName=column_ifexists('modelName_s', ''),\n NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),\n //NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),\n NetworkStatus=column_ifexists('networkStatus_s', ''),\n OperationalState=column_ifexists('operationalState_s', ''),\n OsArch=column_ifexists('osArch_s', ''),\n SrcDvcOs=column_ifexists('osName_s', ''),\n 
OsRevision=column_ifexists('osRevision_s', ''),\n OsStartTime=column_ifexists('osStartTime_t', ''),\n OsType=column_ifexists('osType_s', ''),\n RangerStatus=column_ifexists('rangerStatus_s', ''),\n RangerVersion=column_ifexists('rangerVersion_s', ''),\n RegisteredAt=column_ifexists('registeredAt_t', ''),\n RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),\n ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),\n ScanStartedAt=column_ifexists('scanStartedAt_t', ''),\n ScanStatus=column_ifexists('scanStatus_s', ''),\n ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),\n TotalMemory=column_ifexists('totalMemory_d', ''),\n UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),\n Uuid=column_ifexists('uuid_g', ''),\n Creator=column_ifexists('creator_s', ''),\n CreatedAt=column_ifexists('createdAt_t',''),\n CreatorId=column_ifexists('creatorId_s', ''),\n Inherits=column_ifexists('inherits_b', ''),\n IsDefault=column_ifexists('isDefault_b', ''),\n Name=column_ifexists('name_s', ''),\n RegistrationToken=column_ifexists('registrationToken_s', ''),\n TotalAgents=column_ifexists('totalAgents_d', ''),\n Type=column_ifexists('type_s', '');\n union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union\n | extend \n ActivityType,\n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n DataAccountName=tostring(parse_json(todynamic(Data)).accountName),\n DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails),\n DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel),\n DataScopeName=tostring(parse_json(todynamic(Data)).scopeName),\n DataSiteId=tostring(parse_json(todynamic(Data)).siteId),\n DataSiteName=tostring(parse_json(todynamic(Data)).siteName),\n SrcUserName=tostring(parse_json(todynamic(Data)).userName),\n EventId=Id,\n SourceParentProcessInfo,\n EventOriginalMessage=PrimaryDescription,\n 
UserIdentity=UserId,\n EventTypeDetailed=Description,\n DataRuleId=tostring(parse_json(todynamic(Data)).ruleId),\n DataRuleName=tostring(parse_json(todynamic(Data)).rulename),\n DataScopeId=tostring(parse_json(todynamic(Data)).scopeId),\n DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser),\n DataUserId=tostring(parse_json(todynamic(Data)).userId),\n DataUserName=tostring(parse_json(todynamic(Data)).userName),\n EventSubStatus=SecondaryDescription,\n DataComputerName=tostring(parse_json(todynamic(Data)).computerName),\n DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp),\n DataGroupName=tostring(parse_json(todynamic(Data)).groupName),\n DataStatus=tostring(parse_json(todynamic(Data)).status),\n DataByUser=tostring(parse_json(todynamic(Data)).byUser),\n DataRole=tostring(parse_json(todynamic(Data)).role),\n DataUserScope=tostring(parse_json(todynamic(Data)).userScope),\n DataSource=tostring(parse_json(todynamic(Data)).source),\n DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr),\n DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime),\n //DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine),\n DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime),\n DataUuid=Uuid,\n DataGroup=tostring(parse_json(todynamic(Data)).group),\n DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription),\n EventType=tostring(parse_json(todynamic(AlertInfo)).eventType),\n DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode),\n DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails),\n DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType),\n DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity),\n DataSystem=tostring(parse_json(todynamic(Data)).system),\n DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups),\n DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt),\n 
DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl),\n DataFilePath=tostring(parse_json(todynamic(Data)).filePath),\n DataFilename=tostring(parse_json(todynamic(Data)).filename),\n DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename),\n DataNewValue=tostring(parse_json(todynamic(Data)).newValue),\n DataPolicyId=tostring(parse_json(todynamic(Data)).policyId),\n DataPolicyName=tostring(parse_json(todynamic(Data)).policyName),\n DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot),\n DataRoleName=tostring(parse_json(todynamic(Data)).roleName),\n DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName),\n ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName),\n ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf),\n ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName),\n ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf),\n SrcDvcDomain=Domain,\n AlertInfo,\n FirewallEnabled=column_ifexists('FirewallEnabled',''),\n LocationEnabled=column_ifexists('LocationEnabled',''),\n SrcDvcModelName=ModelName,\n //NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''),\n SrcDvcOs=OsName,\n SourceProcessInfo,\n RuleInfo,\n TargetProcessInfo,\n ContainerInfo,\n EventCreationTime=CreatedAt,\n RemoteProfilingState=column_ifexists('RemoteProfilingState','')\n | project\n TimeGenerated, \n EventVendor,\n EventProduct,\n AccountName,\n SourceParentProcessInfo,\n TargetProcessInfo,\n ActivityType,\n EventCreationTime,\n DataAccountName,\n DataFullScopeDetails,\n DataScopeLevel,\n DataScopeName,\n DataSiteId,\n SourceProcessInfo,\n DataSiteName,\n SrcUserName,\n EventId,\n EventOriginalMessage,\n SiteId,\n SiteName,\n UpdatedAt,\n UserIdentity,\n EventType,\n DataByUser,\n DataRole,\n 
DataUserScope,\n EventTypeDetailed,\n DataSource,\n DataExpiryDateStr,\n DataExpiryTime,\n //DataNetworkquarantine,\n DataRuleCreationTime,\n DataRuleDescription,\n DataRuleExpirationMode,\n DataRuleId,\n DataRuleName,\n DataRuleQueryDetails,\n DataRuleQueryType,\n DataRuleSeverity,\n DataScopeId,\n DataStatus,\n DataSystemUser,\n DataTreatasthreat,\n DataUserId,\n DataUserName,\n EventSubStatus,\n AgentId,\n DataComputerName,\n DataExternalIp,\n DataGroupName,\n DataSystem,\n DataUuid,\n GroupId,\n GroupName,\n DataGroup,\n DataOptionalGroups,\n DataCreatedAt,\n DataDownloadUrl,\n DataFilePath,\n DataFilename,\n DataUploadedFilename,\n Comments,\n DataNewValue,\n DataPolicyId,\n DataPolicyName,\n DataNewValueb,\n DataShouldReboot,\n DataRoleName,\n DataScopeLevelName,\n ActiveDirectoryComputerDistinguishedName,\n ActiveDirectoryComputerMemberOf,\n ActiveDirectoryLastUserDistinguishedName,\n ActiveDirectoryLastUserMemberOf,\n ActiveThreats=toreal(activeThreats_d),\n AgentVersion,\n AllowRemoteShell,\n AppsVulnerabilityStatus,\n ComputerName,\n ConsoleMigrationStatus,\n CoreCount=toreal(coreCount_d),\n CpuCount=toreal(cpuCount_d),\n CpuId,\n SrcDvcDomain,\n EncryptedApplications,\n ExternalId,\n ExternalIp,\n FirewallEnabled,\n GroupIp,\n InRemoteShellSession,\n Infected,\n InstallerType,\n IsActive,\n IsDecommissioned,\n IsPendingUninstall,\n IsUninstalled,\n IsUpToDate,\n LastActiveDate=tostring(LastActiveDate_datetime),\n LastIpToMgmt,\n LastLoggedInUserName,\n LicenseKey,\n LocationEnabled,\n LocationType,\n Locations,\n MachineType,\n MitigationMode,\n MitigationModeSuspicious,\n SrcDvcModelName,\n NetworkInterfaces,\n //NetworkQuarantineEnabled,\n NetworkStatus,\n OperationalState,\n OsArch,\n SrcDvcOs,\n OsRevision,\n OsStartTime,\n OsType,\n RangerStatus,\n RangerVersion,\n RegisteredAt=tostring(RegisteredAt_datetime),\n RemoteProfilingState,\n ScanFinishedAt=tostring(ScanFinishedAt_datetime),\n ScanStartedAt=tostring(ScanStartedAt_datetime),\n ScanStatus,\n 
ThreatRebootRequired,\n TotalMemory=toreal(totalMemory_d),\n UserActionsNeeded,\n Uuid,\n Creator,\n CreatorId,\n Inherits,\n IsDefault,\n Name,\n AlertInfo,\n RuleInfo,\n ContainerInfo,\n RegistrationToken,\n TotalAgents=totalAgents_d,\n Type;\n };\n SentinelOne_view\n",
 "functionParameters": "",
 "version": 2,
 "tags": [
@@ -2932,22 +2932,22 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -3045,13 +3045,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "HostName",
- "columnName": "HostCustomEntity"
+ "columnName": "HostCustomEntity",
+ "identifier": "HostName"
 }
- ]
+ ],
+ "entityType": "Host"
 }
 ]
 }
@@ -3149,13 +3149,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "HostName",
- "columnName": "HostCustomEntity"
+ "columnName": "HostCustomEntity",
+ "identifier": "HostName"
 }
- ]
+ ],
+ "entityType": "Host"
 }
 ]
 }
@@ -3253,26 +3253,26 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "FileHash",
 "fieldMappings": [
 {
- "identifier": "Value",
- "columnName": "HashCustomEntity"
+ "columnName": "HashCustomEntity",
+ "identifier": "Value"
 },
 {
- "identifier": "Algorithm",
- "columnName": "HashAlgorithmCustomEntity"
+ "columnName": "HashAlgorithmCustomEntity",
+ "identifier": "Algorithm"
 }
- ]
+ ],
+ "entityType": "FileHash"
 }
 ]
 }
@@ -3370,13 +3370,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ] + ], + "entityType": "Account" } ] } @@ -3474,13 +3474,13 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostCustomEntity" + "columnName": "HostCustomEntity", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ] } @@ -3578,13 +3578,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ] + ], + "entityType": "Account" } ] } @@ -3682,13 +3682,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ] + ], + "entityType": "Account" } ] } @@ -3786,13 +3786,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ] + ], + "entityType": "Account" } ] } @@ -3892,13 +3892,13 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostCustomEntity" + "columnName": "HostCustomEntity", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ] } 
@@ -3996,22 +3996,22 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ] + ], + "entityType": "Account" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostCustomEntity" + "columnName": "HostCustomEntity", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ] } From cac03df964bfe67ab12a6874bf5461784df77d8c Mon Sep 17 00:00:00 2001 From: PrasadBoke Date: Wed, 11 Dec 2024 18:40:33 +0530 Subject: [PATCH 11/22] table schema updated --- .../SentinelOneActivities_CL.json | 64 ++++++++++++++++++- .../CustomTables/SentinelOneAgents_CL.json | 60 +++++++++++++++++ .../CustomTables/SentinelOneAlerts_CL.json | 60 +++++++++++++++++ .../CustomTables/SentinelOneGroups_CL.json | 60 +++++++++++++++++ .../CustomTables/SentinelOneThreats_CL.json | 60 +++++++++++++++++ 5 files changed, 302 insertions(+), 2 deletions(-) diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneActivities_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneActivities_CL.json index 7636a51c810..9db85cf19a8 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneActivities_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneActivities_CL.json 
@@ -1290,8 +1290,68 @@
 "Type": "datetime"
 },
 {
- "Name": "_ItemId",
- "Type": "string"
+ "Name": "_ItemId",
+ "Type": "string"
+ },
+ {
+ "Name": "Data",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceParentProcessInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "Description",
+ "Type": "string"
+ },
+ {
+ "Name": "ActiveDirectory",
+ "Type": "string"
+ },
+ {
+ "Name": "Domain",
+ "Type": "string"
+ },
+ {
+ "Name": "ModelName",
+ "Type": "string"
+ },
+ {
+ "Name": "OsName",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceProcessInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "RuleInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "TargetProcessInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "ContainerInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "LastActiveDate_datetime",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "RegisteredAt_datetime",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "ScanFinishedAt_datetime",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "ScanStartedAt_datetime",
+ "Type": "DateTime"
 }
 ]
 }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json
index bd794f5763a..8a911de6d68 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json
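Review bot: The four `*_datetime` entries at the end of the hunk are declared `"Type": "DateTime"` while every other type in this file, including the `"Type": "datetime"` context line at the top of the hunk, is lowercase; unless the KQL validation harness is known to compare type names case-insensitively, `"Type": "datetime"` is the safer spelling and avoids a silent fallback to a default type. A second point: `Data`, `ActiveDirectory`, `SourceProcessInfo`, `RuleInfo`, `TargetProcessInfo` and `ContainerInfo` are typed `string` here although the parser in this PR reads them with `parse_json(todynamic(Data))` and similar calls; if the DCR output stream emits these as `dynamic`, the test schema should say `dynamic` too so that validation catches a type mismatch rather than masking it. Worth checking against the connector's table definition before merging.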
@@ -1292,6 +1292,66 @@
 {
 "Name": "_ItemId",
 "Type": "string"
+ },
+ {
+ "Name": "Data",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceParentProcessInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "Description",
+ "Type": "string"
+ },
+ {
+ "Name": "ActiveDirectory",
+ "Type": "string"
+ },
+ {
+ "Name": "Domain",
+ "Type": "string"
+ },
+ {
+ "Name": "ModelName",
+ "Type": "string"
+ },
+ {
+ "Name": "OsName",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceProcessInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "RuleInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "TargetProcessInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "ContainerInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "LastActiveDate_datetime",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "RegisteredAt_datetime",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "ScanFinishedAt_datetime",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "ScanStartedAt_datetime",
+ "Type": "DateTime"
 }
 ]
 }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAlerts_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAlerts_CL.json
index 185f36dd112..fc7bad6ef0d 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAlerts_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAlerts_CL.json
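Review bot: This 60-line block is a verbatim copy of the Activities addition, including `SourceParentProcessInfo`, `TargetProcessInfo`, `ContainerInfo` and the four `*_datetime` columns; because the parser unions the five `SentinelOne*_CL` tables (`union isfuzzy=true ...`) before it references these names, a column only has to exist in the table that actually emits it, so declaring all fifteen on `SentinelOneAgents_CL` lets validation pass against columns the real table may never contain. I would keep only the columns the Agents DCR output stream defines and let the union supply the rest. The `"Type": "DateTime"` spelling on the last four entries also differs from the lowercase `"datetime"`/`"string"` used elsewhere in the file; `"Type": "datetime"` keeps it uniform.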
@@ -1292,6 +1292,66 @@
 {
 "Name": "_ItemId",
 "Type": "string"
+ },
+ {
+ "Name": "Data",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceParentProcessInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "Description",
+ "Type": "string"
+ },
+ {
+ "Name": "ActiveDirectory",
+ "Type": "string"
+ },
+ {
+ "Name": "Domain",
+ "Type": "string"
+ },
+ {
+ "Name": "ModelName",
+ "Type": "string"
+ },
+ {
+ "Name": "OsName",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceProcessInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "RuleInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "TargetProcessInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "ContainerInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "LastActiveDate_datetime",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "RegisteredAt_datetime",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "ScanFinishedAt_datetime",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "ScanStartedAt_datetime",
+ "Type": "DateTime"
 }
 ]
 }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneGroups_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneGroups_CL.json
index 6f894524b61..c80988f4eca 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneGroups_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneGroups_CL.json
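Review bot: The same fifteen columns added to the other four SentinelOne custom-table schemas are pasted here unchanged; an alerts table carrying `LastActiveDate_datetime`, `RegisteredAt_datetime` and the two `Scan*_datetime` agent-inventory fields suggests the list was not derived from the Alerts DCR stream, and the KQL validation will now accept references to columns that may not exist at runtime. Please reconcile this file with the Alerts table definition shipped in the solution rather than with the parser's combined projection. Minor: `"Type": "DateTime"` vs. the file's lowercase `"datetime"` — pick one spelling, and `"datetime"` is what the existing entries use.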
@@ -1292,6 +1292,66 @@
 {
 "Name": "_ItemId",
 "Type": "string"
+ },
+ {
+ "Name": "Data",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceParentProcessInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "Description",
+ "Type": "string"
+ },
+ {
+ "Name": "ActiveDirectory",
+ "Type": "string"
+ },
+ {
+ "Name": "Domain",
+ "Type": "string"
+ },
+ {
+ "Name": "ModelName",
+ "Type": "string"
+ },
+ {
+ "Name": "OsName",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceProcessInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "RuleInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "TargetProcessInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "ContainerInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "LastActiveDate_datetime",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "RegisteredAt_datetime",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "ScanFinishedAt_datetime",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "ScanStartedAt_datetime",
+ "Type": "DateTime"
 }
 ]
 }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneThreats_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneThreats_CL.json
index 5cef98e2ffc..bf37c721626 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneThreats_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneThreats_CL.json
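Review bot: `SentinelOneGroups_CL` gets process-info columns (`SourceProcessInfo`, `TargetProcessInfo`, `SourceParentProcessInfo`), `ActiveDirectory` and scan/registration timestamp columns that do not obviously belong to a group record; this reads as the Activities block copied across, and it means the validation schema no longer describes the real Groups table. Prefer listing only the columns the Groups DCR stream emits — the parser's `union isfuzzy=true` across the five tables already tolerates columns that are absent from one of them. As in the sibling files, the last four entries use `"Type": "DateTime"` where the rest of the file uses lowercase `"datetime"`; `"Type": "datetime"` is the consistent choice.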
@@ -1292,6 +1292,66 @@
 {
 "Name": "_ItemId",
 "Type": "string"
+ },
+ {
+ "Name": "Data",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceParentProcessInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "Description",
+ "Type": "string"
+ },
+ {
+ "Name": "ActiveDirectory",
+ "Type": "string"
+ },
+ {
+ "Name": "Domain",
+ "Type": "string"
+ },
+ {
+ "Name": "ModelName",
+ "Type": "string"
+ },
+ {
+ "Name": "OsName",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceProcessInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "RuleInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "TargetProcessInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "ContainerInfo",
+ "Type": "string"
+ },
+ {
+ "Name": "LastActiveDate_datetime",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "RegisteredAt_datetime",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "ScanFinishedAt_datetime",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "ScanStartedAt_datetime",
+ "Type": "DateTime"
 }
 ]
 }
\ No newline at end of file
From 0a45b721d43db37dc0c0bda124dca746d64e6d3d Mon Sep 17 00:00:00 2001
From: PrasadBoke
Date: Wed, 11 Dec 2024 18:49:04 +0530
Subject: [PATCH 12/22] Update SentinelOne.yaml
---
 Solutions/SentinelOne/Parsers/SentinelOne.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Solutions/SentinelOne/Parsers/SentinelOne.yaml b/Solutions/SentinelOne/Parsers/SentinelOne.yaml
index 04ee4c53a0d..63a183e7bae 100644
--- a/Solutions/SentinelOne/Parsers/SentinelOne.yaml
+++ b/Solutions/SentinelOne/Parsers/SentinelOne.yaml
@@ -285,8 +285,8 @@ FunctionQuery: |
 )[];
 let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty
 | extend
- EventVendor="SentinelOne",
- EventProduct="SentinelOne",
+ EventVendor="SentinelOne",
+ EventProduct="SentinelOne",
 AccountId=column_ifexists('accountId_s', ''),
 AccountName=column_ifexists('accountName_s', ''),
 ActivityType=toreal(column_ifexists('activityType_d', '')),
From bfd33dcbc6c2d168034c2a63fd3b23f57e10532b Mon Sep 17 00:00:00 2001
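Review bot: The added block duplicates the one applied to the other four custom tables, so the five test schemas now share an identical tail even though the underlying Threats, Groups, Agents, Alerts and Activities streams presumably differ; that defeats the purpose of per-table validation, because a parser reference to a column missing from the real Threats table would still validate. Keep only the columns the Threats DCR stream defines and rely on the parser's union to merge the rest. Also, `"Type": "DateTime"` on the four `*_datetime` entries is inconsistent with the lowercase `"datetime"` used for the existing entries in this file; `"Type": "datetime"` is the spelling the rest of the file uses.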
From: PrasadBoke Date: Wed, 11 Dec 2024 19:08:36 +0530 Subject: [PATCH 13/22] Update SentinelOne.yaml --- .../SentinelOne/Parsers/SentinelOne.yaml | 1262 +++++++++-------- 1 file changed, 634 insertions(+), 628 deletions(-) diff --git a/Solutions/SentinelOne/Parsers/SentinelOne.yaml b/Solutions/SentinelOne/Parsers/SentinelOne.yaml index 63a183e7bae..163ce702df9 100644 --- a/Solutions/SentinelOne/Parsers/SentinelOne.yaml +++ b/Solutions/SentinelOne/Parsers/SentinelOne.yaml 
@@ -9,631 +9,637 @@ FunctionAlias: SentinelOne FunctionQuery: | let SentinelOne_view = view () { let SentinelOneV2_Empty = datatable( - AccountId:string, - AccountName:string, - ActivityType:real , - EventCreationTime:datetime, - DataAccountName:string, - DataFullScopeDetails:string, - DataScopeLevel:string, - DataScopeName:string, - DataSiteId:int, - SecondaryDescription:string , - DataSiteName:string, - SourceProcessInfo:string, - SrcUserName:string, - EventId:string, - EventOriginalMessage:string, - SiteId:string, - SiteName:string, - UpdatedAt:datetime, - UserIdentity:string, - EventType:string, - DataByUser:string, - DataRole:string, - DataUserScope:string, - EventTypeDetailed:string, - DataSource:string, - DataExpiryDateStr:string, - DataExpiryTime:int, - //DataNetworkquarantine:bool, - DataRuleCreationTime:int, - DataRuleDescription:string, - DataRuleExpirationMode:string, - DataRuleId:int, - DataRuleName:string, - DataRuleQueryDetails:string, - DataRuleQueryType:string, - DataRuleSeverity:string, - DataScopeId:int, - DataStatus:string, - DataSystemUser:int, - DataTreatasthreat:string, - DataUserId:int, - RuleInfo:string, - DataUserName:string, - EventSubStatus:string, - AgentId:string, - DataComputerName:string, - DataExternalIp:string, - DataGroupName:string, - DataSystem:bool, - DataUuid:string, - GroupId:string, - GroupName:string, - DataGroup:string, - UserId:string , - DataOptionalGroups:string, - DataCreatedAt:string, - DataDownloadUrl:string, - DataFilePath:string, - DataFilename:string, - DataUploadedFilename:string, - Comments:string, - DataNewValue:string, - DataPolicyId:string, - DataPolicyName:string, - DataNewValueb:string, - DataShouldReboot:bool, - DataRoleName:string, - DataScopeLevelName:string, - ActiveDirectoryComputerDistinguishedName:string, - ActiveDirectoryComputerMemberOf:string, - ActiveDirectoryLastUserDistinguishedName:string, - ActiveDirectoryLastUserMemberOf:string, - ActiveThreats:int, - AgentVersion:string, - 
AllowRemoteShell:bool, - AppsVulnerabilityStatus:string, - ComputerName:string, - ConsoleMigrationStatus:string, - CoreCount:int, - CpuCount:int, - CpuId:string, - SrcDvcDomain:string, - EncryptedApplications:bool, - ExternalId:string, - ExternalIp:string, - FirewallEnabled:bool, - GroupIp:string, - InRemoteShellSession:bool, - Infected:bool, - InstallerType:string, - IsActive:bool, - IsDecommissioned:bool, - IsPendingUninstall:bool, - IsUninstalled:bool, - IsUpToDate:bool, - LastActiveDate:string, - TargetProcessInfo:string , - LastIpToMgmt:string, - LastLoggedInUserName:string, - LicenseKey:string, - LocationEnabled:bool, - LocationType:string, - Locations:string, - MachineType:string, - MitigationMode:string, - MitigationModeSuspicious:string, - SrcDvcModelName:string, - NetworkInterfaces:string, - //NetworkQuarantineEnabled:bool, - NetworkStatus:string, - OperationalState:string, - OsArch:string, - SrcDvcOs:string, - OsRevision:string, - OsStartTime:datetime , - OsType:string, - RangerStatus:string, - RangerVersion:string, - RegisteredAt:string, - RemoteProfilingState:string, - ScanFinishedAt:string, - ScanStartedAt:string, - ScanStatus:string, - ThreatRebootRequired:bool, - TotalMemory:int, - SourceParentProcessInfo:string , - UserActionsNeeded:string, - Uuid:string, - Creator:string, - ContainerInfo:string, - CreatorId:string, - Inherits:string , - IsDefault:string , - Name:string, - RegistrationToken:string, - AlertInfo:string, - PrimaryDescription:string , - TotalAgents:real , - CreatedAt:datetime , - Id:string, - Type:string - )[]; - let SentinelOneV1_Empty = datatable ( - accountId_s:string, - accountName_s:string, - activityType_d:real, - createdAt_t:datetime , - data_accountName_s:string, - data_fullScopeDetails_s:string, - data_scopeLevel_s:string, - data_scopeName_s:string, - data_siteId_d:int, - data_siteName_s:string, - data_username_s:string, - id_s:string, - primaryDescription_s:string, - siteId_s:string, - siteName_s:string, - 
updatedAt_t:datetime , - userId_s:string, - event_name_s:string, - data_byUser_s:string, - data_role_s:string, - data_userScope_s:string, - description_s:string, - data_source_s:string, - data_expiryDateStr_s:string, - data_expiryTime_d:int, - //data_networkquarantine_b:bool, - data_ruleCreationTime_d:int, - data_ruleDescription_s:string, - data_ruleExpirationMode_s:string, - data_ruleId_d:int, - data_ruleName_s:string, - data_ruleQueryDetails_s:string, - data_ruleQueryType_s:string, - data_ruleSeverity_s:string, - data_scopeId_d:int, - data_status_s:string, - data_systemUser_d:int, - data_treatasthreat_s:string, - data_userId_d:int, - data_userName_s:string, - secondaryDescription_s:string, - agentId_s:string, - data_computerName_s:string, - data_externalIp_s:string, - data_groupName_s:string, - data_system_b:bool, - data_uuid_g:string, - groupId_s:string, - groupName_s:string, - data_group_s:string, - data_optionalGroups_s:string, - data_createdAt_t:string, - data_downloadUrl_s:string, - data_filePath_s:string, - data_filename_s:string, - data_uploadedFilename_s:string, - comments_s:string, - data_newValue_s:string, - data_policy_id_s:string, - data_policyName_s:string, - data_newValue_b:bool, - data_shouldReboot_b:bool, - data_roleName_s:string, - data_scopeLevelName_s:string, - activeDirectory_computerDistinguishedName_s:string, - activeDirectory_computerMemberOf_s:string, - activeDirectory_lastUserDistinguishedName_s:string, - activeDirectory_lastUserMemberOf_s:string, - activeThreats_d:real, - agentVersion_s:string, - allowRemoteShell_b:bool, - appsVulnerabilityStatus_s:string, - computerName_s:string, - consoleMigrationStatus_s:string, - coreCount_d:real, - cpuCount_d:real , - cpuId_s:string, - domain_s:string, - encryptedApplications_b:bool, - externalId_s:string, - externalIp_s:string, - firewallEnabled_b:bool, - groupIp_s:string, - inRemoteShellSession_b:bool, - infected_b:bool, - installerType_s:string, - isActive_b:bool, - isDecommissioned_b:bool, - 
isPendingUninstall_b:bool, - isUninstalled_b:bool, - isUpToDate_b:bool, - lastActiveDate_t:string, - lastIpToMgmt_s:string, - lastLoggedInUserName_s:string, - licenseKey_s:string, - locationEnabled_b:bool, - locationType_s:string, - locations_s:string, - machineType_s:string, - mitigationMode_s:string, - mitigationModeSuspicious_s:string, - modelName_s:string, - networkInterfaces_s:string, - //networkQuarantineEnabled_b:bool, - networkStatus_s:string, - operationalState_s:string, - osArch_s:string, - osName_s:string, - osRevision_s:string, - osStartTime_t:datetime , - osType_s:string, - rangerStatus_s:string, - rangerVersion_s:string, - registeredAt_t:string, - remoteProfilingState_s:string, - scanFinishedAt_t:string, - scanStartedAt_t:string, - scanStatus_s:string, - threatRebootRequired_b:bool, - totalMemory_d:real , - userActionsNeeded_s:string, - uuid_g:string, - creator_s:string, - creatorId_s:string, - inherits_b:string , - isDefault_b:string , - name_s:string, - registrationToken_s:string, - totalAgents_d:real , - type_s:string - )[]; - let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty - | extend - EventVendor="SentinelOne", - EventProduct="SentinelOne", - AccountId=column_ifexists('accountId_s', ''), - AccountName=column_ifexists('accountName_s', ''), - ActivityType=toreal(column_ifexists('activityType_d', '')), - EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')), - DataAccountName=column_ifexists('data_accountName_s', ''), - DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''), - DataScopeLevel=column_ifexists('data_scopeLevel_s', ''), - DataScopeName=column_ifexists('data_scopeName_s', ''), - DataSiteId=column_ifexists('data_siteId_d', ''), - DataSiteName=column_ifexists('data_siteName_s', ''), - SrcUserName=column_ifexists('data_username_s', ''), - EventId=column_ifexists('id_s', ''), - EventOriginalMessage=column_ifexists('primaryDescription_s', ''), - 
PrimaryDescription=column_ifexists('primaryDescription_s', ''), - SiteId=column_ifexists('siteId_s', ''), - SiteName=column_ifexists('siteName_s', ''), - UpdatedAt=column_ifexists('updatedAt_t', ''), - UserIdentity=column_ifexists('userId_s', ''), - UserId=column_ifexists('userId_s', ''), - EventType=column_ifexists('event_name_s', ''), - DataByUser=column_ifexists('data_byUser_s', ''), - DataRole=column_ifexists('data_role_s', ''), - DataUserScope=column_ifexists('data_userScope_s', ''), - EventTypeDetailed=column_ifexists('description_s', ''), - DataSource=column_ifexists('data_source_s', ''), - DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''), - DataExpiryTime=column_ifexists('data_expiryTime_d', ''), - //DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''), - DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''), - DataRuleDescription=column_ifexists('data_ruleDescription_s', ''), - DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''), - DataRuleId=column_ifexists('data_ruleId_d', ''), - DataRuleName=column_ifexists('data_ruleName_s', ''), - DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''), - DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''), - DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''), - DataScopeId=column_ifexists('data_scopeId_d', ''), - Id=column_ifexists('id_s', ''), - DataStatus=column_ifexists('data_status_s', ''), - DataSystemUser=column_ifexists('data_systemUser_d', ''), - DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''), - DataUserId=column_ifexists('data_userId_d', ''), - DataUserName=column_ifexists('data_userName_s', ''), - EventSubStatus=column_ifexists('secondaryDescription_s', ''), - SecondaryDescription=column_ifexists('secondaryDescription_s', ''), - AgentId=column_ifexists('agentId_s', ''), - DataComputerName=column_ifexists('data_computerName_s', ''), - DataExternalIp=column_ifexists('data_externalIp_s', ''), - 
DataGroupName=column_ifexists('data_groupName_s', ''), - DataSystem=column_ifexists('data_system_b', ''), - DataUuid=column_ifexists('data_uuid_g', ''), - GroupId=column_ifexists('groupId_s', ''), - GroupName=column_ifexists('groupName_s', ''), - DataGroup=column_ifexists('data_group_s', ''), - DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''), - DataCreatedAt=column_ifexists('data_createdAt_t', ''), - DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''), - DataFilePath=column_ifexists('data_filePath_s', ''), - DataFilename=column_ifexists('data_filename_s', ''), - DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''), - Comments=column_ifexists('comments_s', ''), - DataNewValue=column_ifexists('data_newValue_s', ''), - DataPolicyId=column_ifexists('data_policy_id_s', ''), - DataPolicyName=column_ifexists('data_policyName_s', ''), - DataNewValueb=column_ifexists('data_newValue_b', ''), - DataShouldReboot=column_ifexists('data_shouldReboot_b', ''), - DataRoleName=column_ifexists('data_roleName_s', ''), - DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''), - ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''), - ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''), - ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''), - ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''), - ActiveThreats=column_ifexists('activeThreats_d', ''), - AgentVersion=column_ifexists('agentVersion_s', ''), - AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''), - AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''), - ComputerName=column_ifexists('computerName_s', ''), - ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''), - CoreCount=column_ifexists('coreCount_d', ''), - CpuCount=column_ifexists('cpuCount_d', ''), - 
CpuId=column_ifexists('cpuId_s', ''), - SrcDvcDomain=column_ifexists('domain_s', ''), - EncryptedApplications=column_ifexists('encryptedApplications_b', ''), - ExternalId=column_ifexists('externalId_s', ''), - ExternalIp=column_ifexists('externalIp_s', ''), - FirewallEnabled=column_ifexists('firewallEnabled_b', ''), - GroupIp=column_ifexists('groupIp_s', ''), - InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''), - Infected=column_ifexists('infected_b', ''), - InstallerType=column_ifexists('installerType_s', ''), - IsActive=column_ifexists('isActive_b', ''), - IsDecommissioned=column_ifexists('isDecommissioned_b', ''), - IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''), - IsUninstalled=column_ifexists('isUninstalled_b', ''), - IsUpToDate=column_ifexists('isUpToDate_b', ''), - LastActiveDate=column_ifexists('lastActiveDate_t', ''), - LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''), - LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''), - LicenseKey=column_ifexists('licenseKey_s', ''), - LocationEnabled=column_ifexists('locationEnabled_b', ''), - LocationType=column_ifexists('locationType_s', ''), - Locations=column_ifexists('locations_s', ''), - MachineType=column_ifexists('machineType_s', ''), - MitigationMode=column_ifexists('mitigationMode_s', ''), - MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''), - SrcDvcModelName=column_ifexists('modelName_s', ''), - NetworkInterfaces=column_ifexists('networkInterfaces_s', ''), - //NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''), - NetworkStatus=column_ifexists('networkStatus_s', ''), - OperationalState=column_ifexists('operationalState_s', ''), - OsArch=column_ifexists('osArch_s', ''), - SrcDvcOs=column_ifexists('osName_s', ''), - OsRevision=column_ifexists('osRevision_s', ''), - OsStartTime=column_ifexists('osStartTime_t', ''), - OsType=column_ifexists('osType_s', ''), - RangerStatus=column_ifexists('rangerStatus_s', ''), - 
RangerVersion=column_ifexists('rangerVersion_s', ''), - RegisteredAt=column_ifexists('registeredAt_t', ''), - RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''), - ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''), - ScanStartedAt=column_ifexists('scanStartedAt_t', ''), - ScanStatus=column_ifexists('scanStatus_s', ''), - ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''), - TotalMemory=column_ifexists('totalMemory_d', ''), - UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''), - Uuid=column_ifexists('uuid_g', ''), - Creator=column_ifexists('creator_s', ''), - CreatedAt=column_ifexists('createdAt_t',''), - CreatorId=column_ifexists('creatorId_s', ''), - Inherits=column_ifexists('inherits_b', ''), - IsDefault=column_ifexists('isDefault_b', ''), - Name=column_ifexists('name_s', ''), - RegistrationToken=column_ifexists('registrationToken_s', ''), - TotalAgents=column_ifexists('totalAgents_d', ''), - Type=column_ifexists('type_s', ''); - union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union - | extend - ActivityType, - EventVendor="SentinelOne", - EventProduct="SentinelOne", - DataAccountName=tostring(parse_json(todynamic(Data)).accountName), - DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails), - DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel), - DataScopeName=tostring(parse_json(todynamic(Data)).scopeName), - DataSiteId=tostring(parse_json(todynamic(Data)).siteId), - DataSiteName=tostring(parse_json(todynamic(Data)).siteName), - SrcUserName=tostring(parse_json(todynamic(Data)).userName), - EventId=Id, - SourceParentProcessInfo, - EventOriginalMessage=PrimaryDescription, - UserIdentity=UserId, - EventTypeDetailed=Description, - DataRuleId=tostring(parse_json(todynamic(Data)).ruleId), - DataRuleName=tostring(parse_json(todynamic(Data)).rulename), - 
DataScopeId=tostring(parse_json(todynamic(Data)).scopeId), - DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser), - DataUserId=tostring(parse_json(todynamic(Data)).userId), - DataUserName=tostring(parse_json(todynamic(Data)).userName), - EventSubStatus=SecondaryDescription, - DataComputerName=tostring(parse_json(todynamic(Data)).computerName), - DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp), - DataGroupName=tostring(parse_json(todynamic(Data)).groupName), - DataStatus=tostring(parse_json(todynamic(Data)).status), - DataByUser=tostring(parse_json(todynamic(Data)).byUser), - DataRole=tostring(parse_json(todynamic(Data)).role), - DataUserScope=tostring(parse_json(todynamic(Data)).userScope), - DataSource=tostring(parse_json(todynamic(Data)).source), - DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr), - DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime), - //DataNetworkquarantine=tobool(parse_json(todynamic(Data)).networkquarantine), - DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime), - DataUuid=Uuid, - DataGroup=tostring(parse_json(todynamic(Data)).group), - DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription), - EventType=tostring(parse_json(todynamic(AlertInfo)).eventType), - DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode), - DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails), - DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType), - DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity), - DataSystem=tostring(parse_json(todynamic(Data)).system), - DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups), - DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt), - DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl), - DataFilePath=tostring(parse_json(todynamic(Data)).filePath), - 
DataFilename=tostring(parse_json(todynamic(Data)).filename), - DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename), - DataNewValue=tostring(parse_json(todynamic(Data)).newValue), - DataPolicyId=tostring(parse_json(todynamic(Data)).policyId), - DataPolicyName=tostring(parse_json(todynamic(Data)).policyName), - DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot), - DataRoleName=tostring(parse_json(todynamic(Data)).roleName), - DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName), - ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName), - ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf), - ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName), - ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf), - SrcDvcDomain=Domain, - AlertInfo, - FirewallEnabled=column_ifexists('FirewallEnabled',''), - LocationEnabled=column_ifexists('LocationEnabled',''), - SrcDvcModelName=ModelName, - //NetworkQuarantineEnabled=tobool(column_ifexists('NetworkQuarantineEnabled','')), - SrcDvcOs=OsName, - SourceProcessInfo, - RuleInfo, - TargetProcessInfo, - ContainerInfo, - EventCreationTime=CreatedAt, - RemoteProfilingState=column_ifexists('RemoteProfilingState','') - | project - TimeGenerated, - EventVendor, - EventProduct, - AccountName, - SourceParentProcessInfo, - TargetProcessInfo, - ActivityType, - EventCreationTime, - DataAccountName, - DataFullScopeDetails, - DataScopeLevel, - DataScopeName, - DataSiteId, - SourceProcessInfo, - DataSiteName, - SrcUserName, - EventId, - EventOriginalMessage, - SiteId, - SiteName, - UpdatedAt, - UserIdentity, - EventType, - DataByUser, - DataRole, - DataUserScope, - EventTypeDetailed, - DataSource, - DataExpiryDateStr, - DataExpiryTime, - //DataNetworkquarantine, - 
DataRuleCreationTime, - DataRuleDescription, - DataRuleExpirationMode, - DataRuleId, - DataRuleName, - DataRuleQueryDetails, - DataRuleQueryType, - DataRuleSeverity, - DataScopeId, - DataStatus, - DataSystemUser, - DataTreatasthreat, - DataUserId, - DataUserName, - EventSubStatus, - AgentId, - DataComputerName, - DataExternalIp, - DataGroupName, - DataSystem, - DataUuid, - GroupId, - GroupName, - DataGroup, - DataOptionalGroups, - DataCreatedAt, - DataDownloadUrl, - DataFilePath, - DataFilename, - DataUploadedFilename, - Comments, - DataNewValue, - DataPolicyId, - DataPolicyName, - DataNewValueb, - DataShouldReboot, - DataRoleName, - DataScopeLevelName, - ActiveDirectoryComputerDistinguishedName, - ActiveDirectoryComputerMemberOf, - ActiveDirectoryLastUserDistinguishedName, - ActiveDirectoryLastUserMemberOf, - ActiveThreats=toreal(activeThreats_d), - AgentVersion, - AllowRemoteShell, - AppsVulnerabilityStatus, - ComputerName, - ConsoleMigrationStatus, - CoreCount=toreal(coreCount_d), - CpuCount=toreal(cpuCount_d), - CpuId, - SrcDvcDomain, - EncryptedApplications, - ExternalId, - ExternalIp, - FirewallEnabled, - GroupIp, - InRemoteShellSession, - Infected, - InstallerType, - IsActive, - IsDecommissioned, - IsPendingUninstall, - IsUninstalled, - IsUpToDate, - LastActiveDate=tostring(LastActiveDate_datetime), - LastIpToMgmt, - LastLoggedInUserName, - LicenseKey, - LocationEnabled, - LocationType, - Locations, - MachineType, - MitigationMode, - MitigationModeSuspicious, - SrcDvcModelName, - NetworkInterfaces, - //NetworkQuarantineEnabled, - NetworkStatus, - OperationalState, - OsArch, - SrcDvcOs, - OsRevision, - OsStartTime, - OsType, - RangerStatus, - RangerVersion, - RegisteredAt=tostring(RegisteredAt_datetime), - RemoteProfilingState, - ScanFinishedAt=tostring(ScanFinishedAt_datetime), - ScanStartedAt=tostring(ScanStartedAt_datetime), - ScanStatus, - ThreatRebootRequired, - TotalMemory=toreal(totalMemory_d), - UserActionsNeeded, - Uuid, - Creator, - CreatorId, - 
Inherits, - IsDefault, - Name, - AlertInfo, - RuleInfo, - ContainerInfo, - RegistrationToken, - TotalAgents=totalAgents_d, - Type; - }; - SentinelOne_view \ No newline at end of file + AccountId: string, + AccountName: string, + ActivityType: real, + EventCreationTime: datetime, + DataAccountName: string, + DataFullScopeDetails: string, + DataScopeLevel: string, + DataScopeName: string, + DataSiteId: int, + SecondaryDescription: string, + DataSiteName: string, + SourceProcessInfo: string, + SrcUserName: string, + EventId: string, + EventOriginalMessage: string, + SiteId: string, + SiteName: string, + UpdatedAt: datetime, + UserIdentity: string, + EventType: string, + DataByUser: string, + DataRole: string, + DataUserScope: string, + EventTypeDetailed: string, + DataSource: string, + DataExpiryDateStr: string, + DataExpiryTime: int, + DataNetworkquarantine: bool, + DataRuleCreationTime: int, + DataRuleDescription: string, + DataRuleExpirationMode: string, + DataRuleId: int, + DataRuleName: string, + DataRuleQueryDetails: string, + DataRuleQueryType: string, + DataRuleSeverity: string, + DataScopeId: int, + DataStatus: string, + DataSystemUser: int, + DataTreatasthreat: string, + DataUserId: int, + RuleInfo: string, + DataUserName: string, + EventSubStatus: string, + AgentId: string, + DataComputerName: string, + DataExternalIp: string, + DataGroupName: string, + DataSystem: bool, + DataUuid: string, + GroupId: string, + GroupName: string, + DataGroup: string, + UserId: string, + DataOptionalGroups: string, + DataCreatedAt: string, + DataDownloadUrl: string, + DataFilePath: string, + DataFilename: string, + DataUploadedFilename: string, + Comments: string, + DataNewValue: string, + DataPolicyId: string, + DataPolicyName: string, + DataNewValueb: string, + DataShouldReboot: bool, + DataRoleName: string, + DataScopeLevelName: string, + ActiveDirectoryComputerDistinguishedName: string, + ActiveDirectoryComputerMemberOf: string, + 
ActiveDirectoryLastUserDistinguishedName: string, + ActiveDirectoryLastUserMemberOf: string, + ActiveThreats: int, + AgentVersion: string, + AllowRemoteShell: bool, + AppsVulnerabilityStatus: string, + ComputerName: string, + ConsoleMigrationStatus: string, + CoreCount: int, + CpuCount: int, + CpuId: string, + SrcDvcDomain: string, + EncryptedApplications: bool, + ExternalId: string, + ExternalIp: string, + FirewallEnabled: bool, + GroupIp: string, + InRemoteShellSession: bool, + Infected: bool, + InstallerType: string, + IsActive: bool, + IsDecommissioned: bool, + IsPendingUninstall: bool, + IsUninstalled: bool, + IsUpToDate: bool, + LastActiveDate: string, + TargetProcessInfo: string, + LastIpToMgmt: string, + LastLoggedInUserName: string, + LicenseKey: string, + LocationEnabled: bool, + LocationType: string, + Locations: string, + MachineType: string, + MitigationMode: string, + MitigationModeSuspicious: string, + SrcDvcModelName: string, + NetworkInterfaces: string, + NetworkQuarantineEnabled: bool, + NetworkStatus: string, + OperationalState: string, + OsArch: string, + SrcDvcOs: string, + OsRevision: string, + OsStartTime: datetime, + OsType: string, + RangerStatus: string, + RangerVersion: string, + RegisteredAt: string, + RemoteProfilingState: string, + ScanFinishedAt: string, + ScanStartedAt: string, + ScanStatus: string, + ThreatRebootRequired: bool, + TotalMemory: int, + SourceParentProcessInfo: string, + UserActionsNeeded: string, + Uuid: string, + Creator: string, + ContainerInfo: string, + CreatorId: string, + Inherits: string, + IsDefault: string, + Name: string, + RegistrationToken: string, + AlertInfo: string, + PrimaryDescription: string, + TotalAgents: real, + CreatedAt: datetime, + Id: string, + Type: string +)[]; + let SentinelOneV1_Empty = datatable ( + accountId_s: string, + accountName_s: string, + activityType_d: real, + createdAt_t: datetime, + data_accountName_s: string, + data_fullScopeDetails_s: string, + data_scopeLevel_s: string, + 
data_scopeName_s: string, + data_siteId_d: int, + data_siteName_s: string, + data_username_s: string, + id_s: string, + primaryDescription_s: string, + siteId_s: string, + siteName_s: string, + updatedAt_t: datetime, + userId_s: string, + event_name_s: string, + data_byUser_s: string, + data_role_s: string, + data_userScope_s: string, + description_s: string, + data_source_s: string, + data_expiryDateStr_s: string, + data_expiryTime_d: int, + data_networkquarantine_b: bool, + data_ruleCreationTime_d: int, + data_ruleDescription_s: string, + data_ruleExpirationMode_s: string, + data_ruleId_d: int, + data_ruleName_s: string, + data_ruleQueryDetails_s: string, + data_ruleQueryType_s: string, + data_ruleSeverity_s: string, + data_scopeId_d: int, + data_status_s: string, + data_systemUser_d: int, + data_treatasthreat_s: string, + data_userId_d: int, + data_userName_s: string + secondaryDescription_s: string, + agentId_s: string, + data_computerName_s: string, + data_externalIp_s: string, + data_groupName_s: string, + data_system_b: bool, + data_uuid_g: string, + groupId_s: string, + groupName_s: string, + data_group_s: string, + data_optionalGroups_s: string, + data_createdAt_t: string, + data_downloadUrl_s: string, + data_filePath_s: string, + data_filename_s: string, + data_uploadedFilename_s: string, + comments_s: string, + data_newValue_s: string, + data_policy_id_s: string, + data_policyName_s: string, + data_newValue_b: bool, + data_shouldReboot_b: bool, + data_roleName_s: string, + data_scopeLevelName_s: string, + activeDirectory_computerDistinguishedName_s: string, + activeDirectory_computerMemberOf_s: string, + activeDirectory_lastUserDistinguishedName_s: string, + activeDirectory_lastUserMemberOf_s: string, + activeThreats_d: real, + agentVersion_s: string, + allowRemoteShell_b: bool, + appsVulnerabilityStatus_s: string, + computerName_s: string, + consoleMigrationStatus_s: string, + coreCount_d: real, + cpuCount_d: real, + cpuId_s: string, + domain_s: string, 
+ encryptedApplications_b: bool, + externalId_s: string, + externalIp_s: string, + firewallEnabled_b: bool, + groupIp_s: string, + inRemoteShellSession_b: bool, + infected_b: bool, + installerType_s: string, + isActive_b: bool, + isDecommissioned_b: bool, + isPendingUninstall_b: bool, + isUninstalled_b: bool, + isUpToDate_b: bool, + lastActiveDate_t: string, + lastIpToMgmt_s: string, + lastLoggedInUserName_s: string, + licenseKey_s: string, + locationEnabled_b: bool, + locationType_s: string, + locations_s: string, + machineType_s: string, + mitigationMode_s: string, + mitigationModeSuspicious_s: string, + modelName_s: string, + networkInterfaces_s: string, + networkQuarantineEnabled_b: bool, + networkStatus_s: string, + operationalState_s: string, + osArch_s: string, + osName_s: string, + osRevision_s: string, + osStartTime_t: datetime, + osType_s: string, + rangerStatus_s: string, + rangerVersion_s: string, + registeredAt_t: string, + remoteProfilingState_s: string, + scanFinishedAt_t: string, + scanStartedAt_t: string, + scanStatus_s: string, + threatRebootRequired_b: bool, + totalMemory_d: real, + userActionsNeeded_s: string, + uuid_g: string, + creator_s: string, + creatorId_s: string, + inherits_b: string, + isDefault_b: string, + name_s: string, + registrationToken_s: string, + totalAgents_d: real, + type_s: string +)[]; + let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL, SentinelOneV1_Empty + | extend + EventVendor="SentinelOne", + EventProduct="SentinelOne", + AccountId=column_ifexists('accountId_s', ''), + AccountName=column_ifexists('accountName_s', ''), + ActivityType=toreal(column_ifexists('activityType_d', '')), + EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')), + DataAccountName=column_ifexists('data_accountName_s', ''), + DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''), + DataScopeLevel=column_ifexists('data_scopeLevel_s', ''), + DataScopeName=column_ifexists('data_scopeName_s', ''), + 
DataSiteId=column_ifexists('data_siteId_d', ''), + DataSiteName=column_ifexists('data_siteName_s', ''), + SrcUserName=column_ifexists('data_username_s', ''), + EventId=column_ifexists('id_s', ''), + EventOriginalMessage=column_ifexists('primaryDescription_s', ''), + PrimaryDescription=column_ifexists('primaryDescription_s', ''), + SiteId=column_ifexists('siteId_s', ''), + SiteName=column_ifexists('siteName_s', ''), + UpdatedAt=column_ifexists('updatedAt_t', ''), + UserIdentity=column_ifexists('userId_s', ''), + UserId=column_ifexists('userId_s', ''), + EventType=column_ifexists('event_name_s', ''), + DataByUser=column_ifexists('data_byUser_s', ''), + DataRole=column_ifexists('data_role_s', ''), + DataUserScope=column_ifexists('data_userScope_s', ''), + EventTypeDetailed=column_ifexists('description_s', ''), + DataSource=column_ifexists('data_source_s', ''), + DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''), + DataExpiryTime=column_ifexists('data_expiryTime_d', ''), + DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''), + DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''), + DataRuleDescription=column_ifexists('data_ruleDescription_s', ''), + DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''), + DataRuleId=column_ifexists('data_ruleId_d', ''), + DataRuleName=column_ifexists('data_ruleName_s', ''), + DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''), + DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''), + DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''), + DataScopeId=column_ifexists('data_scopeId_d', ''), + Id=column_ifexists('id_s', ''), + DataStatus=column_ifexists('data_status_s', ''), + DataSystemUser=column_ifexists('data_systemUser_d', ''), + DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''), + DataUserId=column_ifexists('data_userId_d', ''), + DataUserName=column_ifexists('data_userName_s', ''), + 
EventSubStatus=column_ifexists('secondaryDescription_s', ''), + SecondaryDescription=column_ifexists('secondaryDescription_s', ''), + AgentId=column_ifexists('agentId_s', ''), + DataComputerName=column_ifexists('data_computerName_s', ''), + DataExternalIp=column_ifexists('data_externalIp_s', ''), + DataGroupName=column_ifexists('data_groupName_s', ''), + DataSystem=column_ifexists('data_system_b', ''), + DataUuid=column_ifexists('data_uuid_g', ''), + GroupId=column_ifexists('groupId_s', ''), + GroupName=column_ifexists('groupName_s', ''), + DataGroup=column_ifexists('data_group_s', ''), + DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''), + DataCreatedAt=column_ifexists('data_createdAt_t', ''), + DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''), + DataFilePath=column_ifexists('data_filePath_s', ''), + DataFilename=column_ifexists('data_filename_s', ''), + DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''), + Comments=column_ifexists('comments_s', ''), + DataNewValue=column_ifexists('data_newValue_s', ''), + DataPolicyId=column_ifexists('data_policy_id_s', ''), + DataPolicyName=column_ifexists('data_policyName_s', ''), + DataNewValueb=column_ifexists('data_newValue_b', ''), + DataShouldReboot=column_ifexists('data_shouldReboot_b', ''), + DataRoleName=column_ifexists('data_roleName_s', ''), + DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''), + ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''), + ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''), + ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''), + ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''), + ActiveThreats=column_ifexists('activeThreats_d', ''), + AgentVersion=column_ifexists('agentVersion_s', ''), + AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''), + 
AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''), + ComputerName=column_ifexists('computerName_s', ''), + ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''), + CoreCount=column_ifexists('coreCount_d', ''), + CpuCount=column_ifexists('cpuCount_d', ''), + CpuId=column_ifexists('cpuId_s', ''), + SrcDvcDomain=column_ifexists('domain_s', ''), + EncryptedApplications=column_ifexists('encryptedApplications_b', ''), + ExternalId=column_ifexists('externalId_s', ''), + ExternalIp=column_ifexists('externalIp_s', ''), + FirewallEnabled=column_ifexists('firewallEnabled_b', ''), + GroupIp=column_ifexists('groupIp_s', ''), + InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''), + Infected=column_ifexists('infected_b', ''), + InstallerType=column_ifexists('installerType_s', ''), + IsActive=column_ifexists('isActive_b', ''), + IsDecommissioned=column_ifexists('isDecommissioned_b', ''), + IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''), + IsUninstalled=column_ifexists('isUninstalled_b', ''), + IsUpToDate=column_ifexists('isUpToDate_b', ''), + LastActiveDate=column_ifexists('lastActiveDate_t', ''), + LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''), + LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''), + LicenseKey=column_ifexists('licenseKey_s', ''), + LocationEnabled=column_ifexists('locationEnabled_b', ''), + LocationType=column_ifexists('locationType_s', ''), + Locations=column_ifexists('locations_s', ''), + MachineType=column_ifexists('machineType_s', ''), + MitigationMode=column_ifexists('mitigationMode_s', ''), + MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''), + SrcDvcModelName=column_ifexists('modelName_s', ''), + NetworkInterfaces=column_ifexists('networkInterfaces_s', ''), + NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''), + NetworkStatus=column_ifexists('networkStatus_s', ''), + 
OperationalState=column_ifexists('operationalState_s', ''), + OsArch=column_ifexists('osArch_s', ''), + SrcDvcOs=column_ifexists('osName_s', ''), + OsRevision=column_ifexists('osRevision_s', ''), + OsStartTime=column_ifexists('osStartTime_t', ''), + OsType=column_ifexists('osType_s', ''), + RangerStatus=column_ifexists('rangerStatus_s', ''), + RangerVersion=column_ifexists('rangerVersion_s', ''), + RegisteredAt=column_ifexists('registeredAt_t', ''), + RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''), + ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''), + ScanStartedAt=column_ifexists('scanStartedAt_t', ''), + ScanStatus=column_ifexists('scanStatus_s', ''), + ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''), + TotalMemory=column_ifexists('totalMemory_d', ''), + UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''), + Uuid=column_ifexists('uuid_g', ''), + Creator=column_ifexists('creator_s', ''), + CreatedAt=column_ifexists('createdAt_t', ''), + CreatorId=column_ifexists('creatorId_s', ''), + Inherits=column_ifexists('inherits_b', ''), + IsDefault=column_ifexists('isDefault_b', ''), + Name=column_ifexists('name_s', ''), + RegistrationToken=column_ifexists('registrationToken_s', ''), + TotalAgents=column_ifexists('totalAgents_d', ''), + Type=column_ifexists('type_s', ''); + union isfuzzy=true + SentinelOneActivities_CL, + SentinelOneAgents_CL, + SentinelOneAlerts_CL, + SentinelOneGroups_CL, + SentinelOneThreats_CL, + SentinelOneV1Empty_Union + | extend + ActivityType, + EventVendor="SentinelOne", + EventProduct="SentinelOne", + DataAccountName=tostring(parse_json(todynamic(Data)).accountName), + DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails), + DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel), + DataScopeName=tostring(parse_json(todynamic(Data)).scopeName), + DataSiteId=tostring(parse_json(todynamic(Data)).siteId), + DataSiteName=tostring(parse_json(todynamic(Data)).siteName), 
+ SrcUserName=tostring(parse_json(todynamic(Data)).userName), + EventId=Id, + SourceParentProcessInfo, + EventOriginalMessage=PrimaryDescription, + UserIdentity=UserId, + EventTypeDetailed=Description, + DataRuleId=tostring(parse_json(todynamic(Data)).ruleId), + DataRuleName=tostring(parse_json(todynamic(Data)).rulename), + DataScopeId=tostring(parse_json(todynamic(Data)).scopeId), + DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser), + DataUserId=tostring(parse_json(todynamic(Data)).userId), + DataUserName=tostring(parse_json(todynamic(Data)).userName), + EventSubStatus=SecondaryDescription, + DataComputerName=tostring(parse_json(todynamic(Data)).computerName), + DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp), + DataGroupName=tostring(parse_json(todynamic(Data)).groupName), + DataStatus=tostring(parse_json(todynamic(Data)).status), + DataByUser=tostring(parse_json(todynamic(Data)).byUser), + DataRole=tostring(parse_json(todynamic(Data)).role), + DataUserScope=tostring(parse_json(todynamic(Data)).userScope), + DataSource=tostring(parse_json(todynamic(Data)).source), + DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr), + DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime), + DataNetworkquarantine=tobool(parse_json(todynamic(Data)).networkquarantine), + DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime), + DataUuid=Uuid, + DataGroup=tostring(parse_json(todynamic(Data)).group), + DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription), + EventType=tostring(parse_json(todynamic(AlertInfo)).eventType), + DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode), + DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails), + DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType), + DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity), + DataSystem=tostring(parse_json(todynamic(Data)).system), + 
DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups), + DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt), + DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl), + DataFilePath=tostring(parse_json(todynamic(Data)).filePath), + DataFilename=tostring(parse_json(todynamic(Data)).filename), + DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename), + DataNewValue=tostring(parse_json(todynamic(Data)).newValue), + DataPolicyId=tostring(parse_json(todynamic(Data)).policyId), + DataPolicyName : tostring(parse_json(todynamic(Data)).policyName), + DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot), + DataRoleName=tostring(parse_json(todynamic(Data)).roleName), + DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName), + ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName), + ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf), + ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName), + ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf), + SrcDvcDomain=Domain, + AlertInfo, + FirewallEnabled=column_ifexists('FirewallEnabled', ''), + LocationEnabled=column_ifexists('LocationEnabled', ''), + SrcDvcModelName=ModelName, + NetworkQuarantineEnabled=tobool(column_ifexists('NetworkQuarantineEnabled', '')), + SrcDvcOs=OsName, + SourceProcessInfo, + RuleInfo, + TargetProcessInfo, + ContainerInfo, + EventCreationTime=CreatedAt, + RemoteProfilingState=column_ifexists('RemoteProfilingState', '') + | project + TimeGenerated, + EventVendor, + EventProduct, + AccountName, + SourceParentProcessInfo, + TargetProcessInfo, + ActivityType, + EventCreationTime, + DataAccountName, + DataFullScopeDetails, + DataScopeLevel, + DataScopeName, + DataSiteId, + SourceProcessInfo, + DataSiteName, + 
SrcUserName, + EventId, + EventOriginalMessage, + SiteId, + SiteName, + UpdatedAt, + UserIdentity, + EventType, + DataByUser, + DataRole, + DataUserScope, + EventTypeDetailed, + DataSource, + DataExpiryDateStr, + DataExpiryTime, + DataNetworkquarantine, + DataRuleCreationTime, + DataRuleDescription, + DataRuleExpirationMode, + DataRuleId, + DataRuleName, + DataRuleQueryDetails, + DataRuleQueryType, + DataRuleSeverity, + DataScopeId, + DataStatus, + DataSystemUser, + DataTreatasthreat, + DataUserId, + DataUserName, + EventSubStatus, + AgentId, + DataComputerName, + DataExternalIp, + DataGroupName, + DataSystem, + DataUuid, + GroupId, + GroupName, + DataGroup, + DataOptionalGroups, + DataCreatedAt, + DataDownloadUrl, + DataFilePath, + DataFilename, + DataUploadedFilename, + Comments, + DataNewValue, + DataPolicyId, + DataPolicyName, + DataNewValueb, + DataShouldReboot, + DataRoleName, + DataScopeLevelName, + ActiveDirectoryComputerDistinguishedName, + ActiveDirectoryComputerMemberOf, + ActiveDirectoryLastUserDistinguishedName, + ActiveDirectoryLastUserMemberOf, + ActiveThreats=toreal(activeThreats_d), + AgentVersion, + AllowRemoteShell, + AppsVulnerabilityStatus, + ComputerName, + ConsoleMigrationStatus, + CoreCount=toreal(coreCount_d), + CpuCount=toreal(cpuCount_d), + CpuId, + SrcDvcDomain, + EncryptedApplications, + ExternalId, + ExternalIp, + FirewallEnabled, + GroupIp, + InRemoteShellSession, + Infected, + InstallerType, + IsActive, + IsDecommissioned, + IsPendingUninstall, + IsUninstalled, + IsUpToDate, + LastActiveDate=tostring(LastActiveDate_datetime), + LastIpToMgmt, + LastLoggedInUserName, + LicenseKey, + LocationEnabled, + LocationType, + Locations, + MachineType, + MitigationMode, + MitigationModeSuspicious, + SrcDvcModelName, + NetworkInterfaces, + NetworkQuarantineEnabled, + NetworkStatus, + OperationalState, + OsArch, + SrcDvcOs, + OsRevision, + OsStartTime, + OsType, + RangerStatus, + RangerVersion, + RegisteredAt=tostring(RegisteredAt_datetime), + 
RemoteProfilingState,
+ ScanFinishedAt=tostring(ScanFinishedAt_datetime),
+ ScanStartedAt=tostring(ScanStartedAt_datetime),
+ ScanStatus,
+ ThreatRebootRequired,
+ TotalMemory=toreal(totalMemory_d),
+ UserActionsNeeded,
+ Uuid,
+ Creator,
+ CreatorId,
+ Inherits,
+ IsDefault,
+ Name,
+ AlertInfo,
+ RuleInfo,
+ ContainerInfo,
+ RegistrationToken,
+ TotalAgents=totalAgents_d,
+ Type;
+};
+SentinelOne_view
\ No newline at end of file
From f68c2068922039becc6ea04d0a15f5aed276cc58 Mon Sep 17 00:00:00 2001
From: PrasadBoke
Date: Wed, 11 Dec 2024 21:04:59 +0530
Subject: [PATCH 14/22] Update SentinelOne.yaml
---
 .../SentinelOne/Parsers/SentinelOne.yaml | 1265 ++++++++---------
 1 file changed, 630 insertions(+), 635 deletions(-)
diff --git a/Solutions/SentinelOne/Parsers/SentinelOne.yaml b/Solutions/SentinelOne/Parsers/SentinelOne.yaml
index 163ce702df9..3a6b89b74b1 100644
--- a/Solutions/SentinelOne/Parsers/SentinelOne.yaml
+++ b/Solutions/SentinelOne/Parsers/SentinelOne.yaml
@@ -1,4 +1,4 @@
-id: e1cb35b3-ee01-4c8f-a361-0850d0554ab6
+ id: e1cb35b3-ee01-4c8f-a361-0850d0554ab6
 Function:
 Title: Parser for SentinelOne
 Version: '1.0.1'
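Review bot: The rewritten `id:` line in the `@@ -1,4 +1,4 @@` hunk now carries a leading space while the unchanged `Function:` key stays at column 0, and a YAML parser rejects a top-level mapping whose keys sit at different indentations (the collapsed rendering hides exact whitespace, so confirm against the real file, including whether the following hunk re-indents the rest of the document to match). If the parser file fails to load, the `SentinelOne` function alias is never created and every query that depends on it errors out, which is a detection gap rather than a cosmetic issue. Restore `id: e1cb35b3-ee01-4c8f-a361-0850d0554ab6` at column 0, or indent every top-level key consistently, and add a YAML lint step to the solution validation so an indentation slip cannot ship.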
@@ -9,637 +9,632 @@ FunctionAlias: SentinelOne FunctionQuery: | let SentinelOne_view = view () { let SentinelOneV2_Empty = datatable( - AccountId: string, - AccountName: string, - ActivityType: real, - EventCreationTime: datetime, - DataAccountName: string, - DataFullScopeDetails: string, - DataScopeLevel: string, - DataScopeName: string, - DataSiteId: int, - SecondaryDescription: string, - DataSiteName: string, - SourceProcessInfo: string, - SrcUserName: string, - EventId: string, - EventOriginalMessage: string, - SiteId: string, - SiteName: string, - UpdatedAt: datetime, - UserIdentity: string, - EventType: string, - DataByUser: string, - DataRole: string, - DataUserScope: string, - EventTypeDetailed: string, - DataSource: string, - DataExpiryDateStr: string, - DataExpiryTime: int, - DataNetworkquarantine: bool, - DataRuleCreationTime: int, - DataRuleDescription: string, - DataRuleExpirationMode: string, - DataRuleId: int, - DataRuleName: string, - DataRuleQueryDetails: string, - DataRuleQueryType: string, - DataRuleSeverity: string, - DataScopeId: int, - DataStatus: string, - DataSystemUser: int, - DataTreatasthreat: string, - DataUserId: int, - RuleInfo: string, - DataUserName: string, - EventSubStatus: string, - AgentId: string, - DataComputerName: string, - DataExternalIp: string, - DataGroupName: string, - DataSystem: bool, - DataUuid: string, - GroupId: string, - GroupName: string, - DataGroup: string, - UserId: string, - DataOptionalGroups: string, - DataCreatedAt: string, - DataDownloadUrl: string, - DataFilePath: string, - DataFilename: string, - DataUploadedFilename: string, - Comments: string, - DataNewValue: string, - DataPolicyId: string, - DataPolicyName: string, - DataNewValueb: string, - DataShouldReboot: bool, - DataRoleName: string, - DataScopeLevelName: string, - ActiveDirectoryComputerDistinguishedName: string, - ActiveDirectoryComputerMemberOf: string, - ActiveDirectoryLastUserDistinguishedName: string, - ActiveDirectoryLastUserMemberOf: 
string, - ActiveThreats: int, - AgentVersion: string, - AllowRemoteShell: bool, - AppsVulnerabilityStatus: string, - ComputerName: string, - ConsoleMigrationStatus: string, - CoreCount: int, - CpuCount: int, - CpuId: string, - SrcDvcDomain: string, - EncryptedApplications: bool, - ExternalId: string, - ExternalIp: string, - FirewallEnabled: bool, - GroupIp: string, - InRemoteShellSession: bool, - Infected: bool, - InstallerType: string, - IsActive: bool, - IsDecommissioned: bool, - IsPendingUninstall: bool, - IsUninstalled: bool, - IsUpToDate: bool, - LastActiveDate: string, - TargetProcessInfo: string, - LastIpToMgmt: string, - LastLoggedInUserName: string, - LicenseKey: string, - LocationEnabled: bool, - LocationType: string, - Locations: string, - MachineType: string, - MitigationMode: string, - MitigationModeSuspicious: string, - SrcDvcModelName: string, - NetworkInterfaces: string, - NetworkQuarantineEnabled: bool, - NetworkStatus: string, - OperationalState: string, - OsArch: string, - SrcDvcOs: string, - OsRevision: string, - OsStartTime: datetime, - OsType: string, - RangerStatus: string, - RangerVersion: string, - RegisteredAt: string, - RemoteProfilingState: string, - ScanFinishedAt: string, - ScanStartedAt: string, - ScanStatus: string, - ThreatRebootRequired: bool, - TotalMemory: int, - SourceParentProcessInfo: string, - UserActionsNeeded: string, - Uuid: string, - Creator: string, - ContainerInfo: string, - CreatorId: string, - Inherits: string, - IsDefault: string, - Name: string, - RegistrationToken: string, - AlertInfo: string, - PrimaryDescription: string, - TotalAgents: real, - CreatedAt: datetime, - Id: string, - Type: string -)[]; - let SentinelOneV1_Empty = datatable ( - accountId_s: string, - accountName_s: string, - activityType_d: real, - createdAt_t: datetime, - data_accountName_s: string, - data_fullScopeDetails_s: string, - data_scopeLevel_s: string, - data_scopeName_s: string, - data_siteId_d: int, - data_siteName_s: string, - 
data_username_s: string, - id_s: string, - primaryDescription_s: string, - siteId_s: string, - siteName_s: string, - updatedAt_t: datetime, - userId_s: string, - event_name_s: string, - data_byUser_s: string, - data_role_s: string, - data_userScope_s: string, - description_s: string, - data_source_s: string, - data_expiryDateStr_s: string, - data_expiryTime_d: int, - data_networkquarantine_b: bool, - data_ruleCreationTime_d: int, - data_ruleDescription_s: string, - data_ruleExpirationMode_s: string, - data_ruleId_d: int, - data_ruleName_s: string, - data_ruleQueryDetails_s: string, - data_ruleQueryType_s: string, - data_ruleSeverity_s: string, - data_scopeId_d: int, - data_status_s: string, - data_systemUser_d: int, - data_treatasthreat_s: string, - data_userId_d: int, - data_userName_s: string - secondaryDescription_s: string, - agentId_s: string, - data_computerName_s: string, - data_externalIp_s: string, - data_groupName_s: string, - data_system_b: bool, - data_uuid_g: string, - groupId_s: string, - groupName_s: string, - data_group_s: string, - data_optionalGroups_s: string, - data_createdAt_t: string, - data_downloadUrl_s: string, - data_filePath_s: string, - data_filename_s: string, - data_uploadedFilename_s: string, - comments_s: string, - data_newValue_s: string, - data_policy_id_s: string, - data_policyName_s: string, - data_newValue_b: bool, - data_shouldReboot_b: bool, - data_roleName_s: string, - data_scopeLevelName_s: string, - activeDirectory_computerDistinguishedName_s: string, - activeDirectory_computerMemberOf_s: string, - activeDirectory_lastUserDistinguishedName_s: string, - activeDirectory_lastUserMemberOf_s: string, - activeThreats_d: real, - agentVersion_s: string, - allowRemoteShell_b: bool, - appsVulnerabilityStatus_s: string, - computerName_s: string, - consoleMigrationStatus_s: string, - coreCount_d: real, - cpuCount_d: real, - cpuId_s: string, - domain_s: string, - encryptedApplications_b: bool, - externalId_s: string, - externalIp_s: 
string, - firewallEnabled_b: bool, - groupIp_s: string, - inRemoteShellSession_b: bool, - infected_b: bool, - installerType_s: string, - isActive_b: bool, - isDecommissioned_b: bool, - isPendingUninstall_b: bool, - isUninstalled_b: bool, - isUpToDate_b: bool, - lastActiveDate_t: string, - lastIpToMgmt_s: string, - lastLoggedInUserName_s: string, - licenseKey_s: string, - locationEnabled_b: bool, - locationType_s: string, - locations_s: string, - machineType_s: string, - mitigationMode_s: string, - mitigationModeSuspicious_s: string, - modelName_s: string, - networkInterfaces_s: string, - networkQuarantineEnabled_b: bool, - networkStatus_s: string, - operationalState_s: string, - osArch_s: string, - osName_s: string, - osRevision_s: string, - osStartTime_t: datetime, - osType_s: string, - rangerStatus_s: string, - rangerVersion_s: string, - registeredAt_t: string, - remoteProfilingState_s: string, - scanFinishedAt_t: string, - scanStartedAt_t: string, - scanStatus_s: string, - threatRebootRequired_b: bool, - totalMemory_d: real, - userActionsNeeded_s: string, - uuid_g: string, - creator_s: string, - creatorId_s: string, - inherits_b: string, - isDefault_b: string, - name_s: string, - registrationToken_s: string, - totalAgents_d: real, - type_s: string -)[]; - let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL, SentinelOneV1_Empty - | extend - EventVendor="SentinelOne", - EventProduct="SentinelOne", - AccountId=column_ifexists('accountId_s', ''), - AccountName=column_ifexists('accountName_s', ''), - ActivityType=toreal(column_ifexists('activityType_d', '')), - EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')), - DataAccountName=column_ifexists('data_accountName_s', ''), - DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''), - DataScopeLevel=column_ifexists('data_scopeLevel_s', ''), - DataScopeName=column_ifexists('data_scopeName_s', ''), - DataSiteId=column_ifexists('data_siteId_d', ''), - 
DataSiteName=column_ifexists('data_siteName_s', ''), - SrcUserName=column_ifexists('data_username_s', ''), - EventId=column_ifexists('id_s', ''), - EventOriginalMessage=column_ifexists('primaryDescription_s', ''), - PrimaryDescription=column_ifexists('primaryDescription_s', ''), - SiteId=column_ifexists('siteId_s', ''), - SiteName=column_ifexists('siteName_s', ''), - UpdatedAt=column_ifexists('updatedAt_t', ''), - UserIdentity=column_ifexists('userId_s', ''), - UserId=column_ifexists('userId_s', ''), - EventType=column_ifexists('event_name_s', ''), - DataByUser=column_ifexists('data_byUser_s', ''), - DataRole=column_ifexists('data_role_s', ''), - DataUserScope=column_ifexists('data_userScope_s', ''), - EventTypeDetailed=column_ifexists('description_s', ''), - DataSource=column_ifexists('data_source_s', ''), - DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''), - DataExpiryTime=column_ifexists('data_expiryTime_d', ''), - DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''), - DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''), - DataRuleDescription=column_ifexists('data_ruleDescription_s', ''), - DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''), - DataRuleId=column_ifexists('data_ruleId_d', ''), - DataRuleName=column_ifexists('data_ruleName_s', ''), - DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''), - DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''), - DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''), - DataScopeId=column_ifexists('data_scopeId_d', ''), - Id=column_ifexists('id_s', ''), - DataStatus=column_ifexists('data_status_s', ''), - DataSystemUser=column_ifexists('data_systemUser_d', ''), - DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''), - DataUserId=column_ifexists('data_userId_d', ''), - DataUserName=column_ifexists('data_userName_s', ''), - EventSubStatus=column_ifexists('secondaryDescription_s', ''), - 
SecondaryDescription=column_ifexists('secondaryDescription_s', ''), - AgentId=column_ifexists('agentId_s', ''), - DataComputerName=column_ifexists('data_computerName_s', ''), - DataExternalIp=column_ifexists('data_externalIp_s', ''), - DataGroupName=column_ifexists('data_groupName_s', ''), - DataSystem=column_ifexists('data_system_b', ''), - DataUuid=column_ifexists('data_uuid_g', ''), - GroupId=column_ifexists('groupId_s', ''), - GroupName=column_ifexists('groupName_s', ''), - DataGroup=column_ifexists('data_group_s', ''), - DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''), - DataCreatedAt=column_ifexists('data_createdAt_t', ''), - DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''), - DataFilePath=column_ifexists('data_filePath_s', ''), - DataFilename=column_ifexists('data_filename_s', ''), - DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''), - Comments=column_ifexists('comments_s', ''), - DataNewValue=column_ifexists('data_newValue_s', ''), - DataPolicyId=column_ifexists('data_policy_id_s', ''), - DataPolicyName=column_ifexists('data_policyName_s', ''), - DataNewValueb=column_ifexists('data_newValue_b', ''), - DataShouldReboot=column_ifexists('data_shouldReboot_b', ''), - DataRoleName=column_ifexists('data_roleName_s', ''), - DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''), - ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''), - ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''), - ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''), - ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''), - ActiveThreats=column_ifexists('activeThreats_d', ''), - AgentVersion=column_ifexists('agentVersion_s', ''), - AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''), - 
AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''), - ComputerName=column_ifexists('computerName_s', ''), - ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''), - CoreCount=column_ifexists('coreCount_d', ''), - CpuCount=column_ifexists('cpuCount_d', ''), - CpuId=column_ifexists('cpuId_s', ''), - SrcDvcDomain=column_ifexists('domain_s', ''), - EncryptedApplications=column_ifexists('encryptedApplications_b', ''), - ExternalId=column_ifexists('externalId_s', ''), - ExternalIp=column_ifexists('externalIp_s', ''), - FirewallEnabled=column_ifexists('firewallEnabled_b', ''), - GroupIp=column_ifexists('groupIp_s', ''), - InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''), - Infected=column_ifexists('infected_b', ''), - InstallerType=column_ifexists('installerType_s', ''), - IsActive=column_ifexists('isActive_b', ''), - IsDecommissioned=column_ifexists('isDecommissioned_b', ''), - IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''), - IsUninstalled=column_ifexists('isUninstalled_b', ''), - IsUpToDate=column_ifexists('isUpToDate_b', ''), - LastActiveDate=column_ifexists('lastActiveDate_t', ''), - LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''), - LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''), - LicenseKey=column_ifexists('licenseKey_s', ''), - LocationEnabled=column_ifexists('locationEnabled_b', ''), - LocationType=column_ifexists('locationType_s', ''), - Locations=column_ifexists('locations_s', ''), - MachineType=column_ifexists('machineType_s', ''), - MitigationMode=column_ifexists('mitigationMode_s', ''), - MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''), - SrcDvcModelName=column_ifexists('modelName_s', ''), - NetworkInterfaces=column_ifexists('networkInterfaces_s', ''), - NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''), - NetworkStatus=column_ifexists('networkStatus_s', ''), - 
OperationalState=column_ifexists('operationalState_s', ''), - OsArch=column_ifexists('osArch_s', ''), - SrcDvcOs=column_ifexists('osName_s', ''), - OsRevision=column_ifexists('osRevision_s', ''), - OsStartTime=column_ifexists('osStartTime_t', ''), - OsType=column_ifexists('osType_s', ''), - RangerStatus=column_ifexists('rangerStatus_s', ''), - RangerVersion=column_ifexists('rangerVersion_s', ''), - RegisteredAt=column_ifexists('registeredAt_t', ''), - RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''), - ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''), - ScanStartedAt=column_ifexists('scanStartedAt_t', ''), - ScanStatus=column_ifexists('scanStatus_s', ''), - ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''), - TotalMemory=column_ifexists('totalMemory_d', ''), - UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''), - Uuid=column_ifexists('uuid_g', ''), - Creator=column_ifexists('creator_s', ''), - CreatedAt=column_ifexists('createdAt_t', ''), - CreatorId=column_ifexists('creatorId_s', ''), - Inherits=column_ifexists('inherits_b', ''), - IsDefault=column_ifexists('isDefault_b', ''), - Name=column_ifexists('name_s', ''), - RegistrationToken=column_ifexists('registrationToken_s', ''), - TotalAgents=column_ifexists('totalAgents_d', ''), - Type=column_ifexists('type_s', ''); - union isfuzzy=true - SentinelOneActivities_CL, - SentinelOneAgents_CL, - SentinelOneAlerts_CL, - SentinelOneGroups_CL, - SentinelOneThreats_CL, - SentinelOneV1Empty_Union - | extend - ActivityType, - EventVendor="SentinelOne", - EventProduct="SentinelOne", - DataAccountName=tostring(parse_json(todynamic(Data)).accountName), - DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails), - DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel), - DataScopeName=tostring(parse_json(todynamic(Data)).scopeName), - DataSiteId=tostring(parse_json(todynamic(Data)).siteId), - DataSiteName=tostring(parse_json(todynamic(Data)).siteName), 
- SrcUserName=tostring(parse_json(todynamic(Data)).userName), - EventId=Id, - SourceParentProcessInfo, - EventOriginalMessage=PrimaryDescription, - UserIdentity=UserId, - EventTypeDetailed=Description, - DataRuleId=tostring(parse_json(todynamic(Data)).ruleId), - DataRuleName=tostring(parse_json(todynamic(Data)).rulename), - DataScopeId=tostring(parse_json(todynamic(Data)).scopeId), - DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser), - DataUserId=tostring(parse_json(todynamic(Data)).userId), - DataUserName=tostring(parse_json(todynamic(Data)).userName), - EventSubStatus=SecondaryDescription, - DataComputerName=tostring(parse_json(todynamic(Data)).computerName), - DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp), - DataGroupName=tostring(parse_json(todynamic(Data)).groupName), - DataStatus=tostring(parse_json(todynamic(Data)).status), - DataByUser=tostring(parse_json(todynamic(Data)).byUser), - DataRole=tostring(parse_json(todynamic(Data)).role), - DataUserScope=tostring(parse_json(todynamic(Data)).userScope), - DataSource=tostring(parse_json(todynamic(Data)).source), - DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr), - DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime), - DataNetworkquarantine=tobool(parse_json(todynamic(Data)).networkquarantine), - DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime), - DataUuid=Uuid, - DataGroup=tostring(parse_json(todynamic(Data)).group), - DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription), - EventType=tostring(parse_json(todynamic(AlertInfo)).eventType), - DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode), - DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails), - DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType), - DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity), - DataSystem=tostring(parse_json(todynamic(Data)).system), - 
DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups), - DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt), - DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl), - DataFilePath=tostring(parse_json(todynamic(Data)).filePath), - DataFilename=tostring(parse_json(todynamic(Data)).filename), - DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename), - DataNewValue=tostring(parse_json(todynamic(Data)).newValue), - DataPolicyId=tostring(parse_json(todynamic(Data)).policyId), - DataPolicyName : tostring(parse_json(todynamic(Data)).policyName), - DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot), - DataRoleName=tostring(parse_json(todynamic(Data)).roleName), - DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName), - ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName), - ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf), - ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName), - ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf), - SrcDvcDomain=Domain, - AlertInfo, - FirewallEnabled=column_ifexists('FirewallEnabled', ''), - LocationEnabled=column_ifexists('LocationEnabled', ''), - SrcDvcModelName=ModelName, - NetworkQuarantineEnabled=tobool(column_ifexists('NetworkQuarantineEnabled', '')), - SrcDvcOs=OsName, - SourceProcessInfo, - RuleInfo, - TargetProcessInfo, - ContainerInfo, - EventCreationTime=CreatedAt, - RemoteProfilingState=column_ifexists('RemoteProfilingState', '') - | project - TimeGenerated, - EventVendor, - EventProduct, - AccountName, - SourceParentProcessInfo, - TargetProcessInfo, - ActivityType, - EventCreationTime, - DataAccountName, - DataFullScopeDetails, - DataScopeLevel, - DataScopeName, - DataSiteId, - SourceProcessInfo, - DataSiteName, - 
SrcUserName, - EventId, - EventOriginalMessage, - SiteId, - SiteName, - UpdatedAt, - UserIdentity, - EventType, - DataByUser, - DataRole, - DataUserScope, - EventTypeDetailed, - DataSource, - DataExpiryDateStr, - DataExpiryTime, - DataNetworkquarantine, - DataRuleCreationTime, - DataRuleDescription, - DataRuleExpirationMode, - DataRuleId, - DataRuleName, - DataRuleQueryDetails, - DataRuleQueryType, - DataRuleSeverity, - DataScopeId, - DataStatus, - DataSystemUser, - DataTreatasthreat, - DataUserId, - DataUserName, - EventSubStatus, - AgentId, - DataComputerName, - DataExternalIp, - DataGroupName, - DataSystem, - DataUuid, - GroupId, - GroupName, - DataGroup, - DataOptionalGroups, - DataCreatedAt, - DataDownloadUrl, - DataFilePath, - DataFilename, - DataUploadedFilename, - Comments, - DataNewValue, - DataPolicyId, - DataPolicyName, - DataNewValueb, - DataShouldReboot, - DataRoleName, - DataScopeLevelName, - ActiveDirectoryComputerDistinguishedName, - ActiveDirectoryComputerMemberOf, - ActiveDirectoryLastUserDistinguishedName, - ActiveDirectoryLastUserMemberOf, - ActiveThreats=toreal(activeThreats_d), - AgentVersion, - AllowRemoteShell, - AppsVulnerabilityStatus, - ComputerName, - ConsoleMigrationStatus, - CoreCount=toreal(coreCount_d), - CpuCount=toreal(cpuCount_d), - CpuId, - SrcDvcDomain, - EncryptedApplications, - ExternalId, - ExternalIp, - FirewallEnabled, - GroupIp, - InRemoteShellSession, - Infected, - InstallerType, - IsActive, - IsDecommissioned, - IsPendingUninstall, - IsUninstalled, - IsUpToDate, - LastActiveDate=tostring(LastActiveDate_datetime), - LastIpToMgmt, - LastLoggedInUserName, - LicenseKey, - LocationEnabled, - LocationType, - Locations, - MachineType, - MitigationMode, - MitigationModeSuspicious, - SrcDvcModelName, - NetworkInterfaces, - NetworkQuarantineEnabled, - NetworkStatus, - OperationalState, - OsArch, - SrcDvcOs, - OsRevision, - OsStartTime, - OsType, - RangerStatus, - RangerVersion, - RegisteredAt=tostring(RegisteredAt_datetime), - 
RemoteProfilingState, - ScanFinishedAt=tostring(ScanFinishedAt_datetime), - ScanStartedAt=tostring(ScanStartedAt_datetime), - ScanStatus, - ThreatRebootRequired, - TotalMemory=toreal(totalMemory_d), - UserActionsNeeded, - Uuid, - Creator, - CreatorId, - Inherits, - IsDefault, - Name, - AlertInfo, - RuleInfo, - ContainerInfo, - RegistrationToken, - TotalAgents=totalAgents_d, - Type; -}; -SentinelOne_view \ No newline at end of file + AccountId:string, + AccountName:string, + ActivityType:real , + EventCreationTime:datetime, + DataAccountName:string, + DataFullScopeDetails:string, + DataScopeLevel:string, + DataScopeName:string, + DataSiteId:int, + SecondaryDescription:string , + DataSiteName:string, + SourceProcessInfo:string, + SrcUserName:string, + EventId:string, + EventOriginalMessage:string, + SiteId:string, + SiteName:string, + UpdatedAt:datetime , + UserIdentity:string, + EventType:string, + DataByUser:string, + DataRole:string, + DataUserScope:string, + EventTypeDetailed:string, + DataSource:string, + DataExpiryDateStr:string, + DataExpiryTime:int, + DataNetworkquarantine:bool, + DataRuleCreationTime:int, + DataRuleDescription:string, + DataRuleExpirationMode:string, + DataRuleId:int, + DataRuleName:string, + DataRuleQueryDetails:string, + DataRuleQueryType:string, + DataRuleSeverity:string, + DataScopeId:int, + DataStatus:string, + DataSystemUser:int, + DataTreatasthreat:string, + DataUserId:int, + RuleInfo:string, + DataUserName:string, + EventSubStatus:string, + AgentId:string, + DataComputerName:string, + DataExternalIp:string, + DataGroupName:string, + DataSystem:bool, + DataUuid:string, + GroupId:string, + GroupName:string, + DataGroup:string, + UserId:string , + DataOptionalGroups:string, + DataCreatedAt:string, + DataDownloadUrl:string, + DataFilePath:string, + DataFilename:string, + DataUploadedFilename:string, + Comments:string, + DataNewValue:string, + DataPolicyId:string, + DataPolicyName:string, + DataNewValueb:string, + DataShouldReboot:bool, + 
DataRoleName:string, + DataScopeLevelName:string, + ActiveDirectoryComputerDistinguishedName:string, + ActiveDirectoryComputerMemberOf:string, + ActiveDirectoryLastUserDistinguishedName:string, + ActiveDirectoryLastUserMemberOf:string, + ActiveThreats:int, + AgentVersion:string, + AllowRemoteShell:bool, + AppsVulnerabilityStatus:string, + ComputerName:string, + ConsoleMigrationStatus:string, + CoreCount:int, + CpuCount:int, + CpuId:string, + SrcDvcDomain:string, + EncryptedApplications:bool, + ExternalId:string, + ExternalIp:string, + FirewallEnabled:bool, + GroupIp:string, + InRemoteShellSession:bool, + Infected:bool, + InstallerType:string, + IsActive:bool, + IsDecommissioned:bool, + IsPendingUninstall:bool, + IsUninstalled:bool, + IsUpToDate:bool, + LastActiveDate:string, + TargetProcessInfo:string , + LastIpToMgmt:string, + LastLoggedInUserName:string, + LicenseKey:string, + LocationEnabled:bool, + LocationType:string, + Locations:string, + MachineType:string, + MitigationMode:string, + MitigationModeSuspicious:string, + SrcDvcModelName:string, + NetworkInterfaces:string, + NetworkQuarantineEnabled:bool, + NetworkStatus:string, + OperationalState:string, + OsArch:string, + SrcDvcOs:string, + OsRevision:string, + OsStartTime:datetime , + OsType:string, + RangerStatus:string, + RangerVersion:string, + RegisteredAt:string, + RemoteProfilingState:string, + ScanFinishedAt:string, + ScanStartedAt:string, + ScanStatus:string, + ThreatRebootRequired:bool, + TotalMemory:int, + SourceParentProcessInfo:string , + UserActionsNeeded:string, + Uuid:string, + Creator:string, + ContainerInfo:string, + CreatorId:string, + Inherits:string , + IsDefault:string , + Name:string, + RegistrationToken:string, + AlertInfo:string, + PrimaryDescription:string , + TotalAgents:real , + CreatedAt:datetime , + Id:string, + Type:string + )[]; + let SentinelOneV1_Empty = datatable ( + accountId_s:string, + accountName_s:string, + activityType_d:real, + createdAt_t:datetime , + 
data_accountName_s:string, + data_fullScopeDetails_s:string, + data_scopeLevel_s:string, + data_scopeName_s:string, + data_siteId_d:int, + data_siteName_s:string, + data_username_s:string, + id_s:string, + primaryDescription_s:string, + siteId_s:string, + siteName_s:string, + updatedAt_t:datetime , + userId_s:string, + event_name_s:string, + data_byUser_s:string, + data_role_s:string, + data_userScope_s:string, + description_s:string, + data_source_s:string, + data_expiryDateStr_s:string, + data_expiryTime_d:int, + data_networkquarantine_b:bool, + data_ruleCreationTime_d:int, + data_ruleDescription_s:string, + data_ruleExpirationMode_s:string, + data_ruleId_d:int, + data_ruleName_s:string, + data_ruleQueryDetails_s:string, + data_ruleQueryType_s:string, + data_ruleSeverity_s:string, + data_scopeId_d:int, + data_status_s:string, + data_systemUser_d:int, + data_treatasthreat_s:string, + data_userId_d:int, + data_userName_s:string, + secondaryDescription_s:string, + agentId_s:string, + data_computerName_s:string, + data_externalIp_s:string, + data_groupName_s:string, + data_system_b:bool, + data_uuid_g:string, + groupId_s:string, + groupName_s:string, + data_group_s:string, + data_optionalGroups_s:string, + data_createdAt_t:string, + data_downloadUrl_s:string, + data_filePath_s:string, + data_filename_s:string, + data_uploadedFilename_s:string, + comments_s:string, + data_newValue_s:string, + data_policy_id_s:string, + data_policyName_s:string, + data_newValue_b:bool, + data_shouldReboot_b:bool, + data_roleName_s:string, + data_scopeLevelName_s:string, + activeDirectory_computerDistinguishedName_s:string, + activeDirectory_computerMemberOf_s:string, + activeDirectory_lastUserDistinguishedName_s:string, + activeDirectory_lastUserMemberOf_s:string, + activeThreats_d:real, + agentVersion_s:string, + allowRemoteShell_b:bool, + appsVulnerabilityStatus_s:string, + computerName_s:string, + consoleMigrationStatus_s:string, + coreCount_d:real, + cpuCount_d:real , + 
cpuId_s:string, + domain_s:string, + encryptedApplications_b:bool, + externalId_s:string, + externalIp_s:string, + firewallEnabled_b:bool, + groupIp_s:string, + inRemoteShellSession_b:bool, + infected_b:bool, + installerType_s:string, + isActive_b:bool, + isDecommissioned_b:bool, + isPendingUninstall_b:bool, + isUninstalled_b:bool, + isUpToDate_b:bool, + lastActiveDate_t:string, + lastIpToMgmt_s:string, + lastLoggedInUserName_s:string, + licenseKey_s:string, + locationEnabled_b:bool, + locationType_s:string, + locations_s:string, + machineType_s:string, + mitigationMode_s:string, + mitigationModeSuspicious_s:string, + modelName_s:string, + networkInterfaces_s:string, + networkQuarantineEnabled_b:bool, + networkStatus_s:string, + operationalState_s:string, + osArch_s:string, + osName_s:string, + osRevision_s:string, + osStartTime_t:datetime , + osType_s:string, + rangerStatus_s:string, + rangerVersion_s:string, + registeredAt_t:string, + remoteProfilingState_s:string, + scanFinishedAt_t:string, + scanStartedAt_t:string, + scanStatus_s:string, + threatRebootRequired_b:bool, + totalMemory_d:real , + userActionsNeeded_s:string, + uuid_g:string, + creator_s:string, + creatorId_s:string, + inherits_b:string , + isDefault_b:string , + name_s:string, + registrationToken_s:string, + totalAgents_d:real , + AlertInfo:string, + type_s:string + )[]; + let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty + | extend + EventVendor="SentinelOne", + EventProduct="SentinelOne", + AccountId=column_ifexists('accountId_s', ''), + AccountName=column_ifexists('accountName_s', ''), + ActivityType=toreal(column_ifexists('activityType_d', '')), + EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')), + DataAccountName=column_ifexists('data_accountName_s', ''), + DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''), + DataScopeLevel=column_ifexists('data_scopeLevel_s', ''), + DataScopeName=column_ifexists('data_scopeName_s', 
''), + DataSiteId=column_ifexists('data_siteId_d', ''), + DataSiteName=column_ifexists('data_siteName_s', ''), + SrcUserName=column_ifexists('data_username_s', ''), + EventId=column_ifexists('id_s', ''), + EventOriginalMessage=column_ifexists('primaryDescription_s', ''), + PrimaryDescription=column_ifexists('primaryDescription_s', ''), + SiteId=column_ifexists('siteId_s', ''), + SiteName=column_ifexists('siteName_s', ''), + UpdatedAt=column_ifexists('updatedAt_t', ''), + UserIdentity=column_ifexists('userId_s', ''), + UserId=column_ifexists('userId_s', ''), + EventType=column_ifexists('event_name_s', ''), + DataByUser=column_ifexists('data_byUser_s', ''), + DataRole=column_ifexists('data_role_s', ''), + DataUserScope=column_ifexists('data_userScope_s', ''), + EventTypeDetailed=column_ifexists('description_s', ''), + DataSource=column_ifexists('data_source_s', ''), + DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''), + DataExpiryTime=column_ifexists('data_expiryTime_d', ''), + DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''), + DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''), + DataRuleDescription=column_ifexists('data_ruleDescription_s', ''), + DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''), + DataRuleId=column_ifexists('data_ruleId_d', ''), + DataRuleName=column_ifexists('data_ruleName_s', ''), + DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''), + DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''), + DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''), + DataScopeId=column_ifexists('data_scopeId_d', ''), + Id=column_ifexists('id_s', ''), + DataStatus=column_ifexists('data_status_s', ''), + DataSystemUser=column_ifexists('data_systemUser_d', ''), + DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''), + DataUserId=column_ifexists('data_userId_d', ''), + DataUserName=column_ifexists('data_userName_s', ''), + 
EventSubStatus=column_ifexists('secondaryDescription_s', ''), + SecondaryDescription=column_ifexists('secondaryDescription_s', ''), + AgentId=column_ifexists('agentId_s', ''), + DataComputerName=column_ifexists('data_computerName_s', ''), + DataExternalIp=column_ifexists('data_externalIp_s', ''), + DataGroupName=column_ifexists('data_groupName_s', ''), + DataSystem=column_ifexists('data_system_b', ''), + DataUuid=column_ifexists('data_uuid_g', ''), + GroupId=column_ifexists('groupId_s', ''), + GroupName=column_ifexists('groupName_s', ''), + DataGroup=column_ifexists('data_group_s', ''), + DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''), + DataCreatedAt=column_ifexists('data_createdAt_t', ''), + DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''), + DataFilePath=column_ifexists('data_filePath_s', ''), + DataFilename=column_ifexists('data_filename_s', ''), + DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''), + Comments=column_ifexists('comments_s', ''), + DataNewValue=column_ifexists('data_newValue_s', ''), + DataPolicyId=column_ifexists('data_policy_id_s', ''), + DataPolicyName=column_ifexists('data_policyName_s', ''), + DataNewValueb=column_ifexists('data_newValue_b', ''), + DataShouldReboot=column_ifexists('data_shouldReboot_b', ''), + DataRoleName=column_ifexists('data_roleName_s', ''), + DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''), + ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''), + ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''), + ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''), + ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''), + ActiveThreats=column_ifexists('activeThreats_d', ''), + AgentVersion=column_ifexists('agentVersion_s', ''), + AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''), + 
AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''), + ComputerName=column_ifexists('computerName_s', ''), + ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''), + CoreCount=column_ifexists('coreCount_d', ''), + CpuCount=column_ifexists('cpuCount_d', ''), + CpuId=column_ifexists('cpuId_s', ''), + SrcDvcDomain=column_ifexists('domain_s', ''), + EncryptedApplications=column_ifexists('encryptedApplications_b', ''), + ExternalId=column_ifexists('externalId_s', ''), + ExternalIp=column_ifexists('externalIp_s', ''), + FirewallEnabled=column_ifexists('firewallEnabled_b', ''), + GroupIp=column_ifexists('groupIp_s', ''), + InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''), + Infected=column_ifexists('infected_b', ''), + InstallerType=column_ifexists('installerType_s', ''), + IsActive=column_ifexists('isActive_b', ''), + IsDecommissioned=column_ifexists('isDecommissioned_b', ''), + IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''), + IsUninstalled=column_ifexists('isUninstalled_b', ''), + IsUpToDate=column_ifexists('isUpToDate_b', ''), + LastActiveDate=column_ifexists('lastActiveDate_t', ''), + LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''), + LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''), + LicenseKey=column_ifexists('licenseKey_s', ''), + LocationEnabled=column_ifexists('locationEnabled_b', ''), + LocationType=column_ifexists('locationType_s', ''), + Locations=column_ifexists('locations_s', ''), + MachineType=column_ifexists('machineType_s', ''), + MitigationMode=column_ifexists('mitigationMode_s', ''), + MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''), + SrcDvcModelName=column_ifexists('modelName_s', ''), + NetworkInterfaces=column_ifexists('networkInterfaces_s', ''), + NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''), + NetworkStatus=column_ifexists('networkStatus_s', ''), + 
OperationalState=column_ifexists('operationalState_s', ''), + OsArch=column_ifexists('osArch_s', ''), + SrcDvcOs=column_ifexists('osName_s', ''), + OsRevision=column_ifexists('osRevision_s', ''), + OsStartTime=column_ifexists('osStartTime_t', ''), + OsType=column_ifexists('osType_s', ''), + RangerStatus=column_ifexists('rangerStatus_s', ''), + RangerVersion=column_ifexists('rangerVersion_s', ''), + RegisteredAt=column_ifexists('registeredAt_t', ''), + RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''), + ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''), + ScanStartedAt=column_ifexists('scanStartedAt_t', ''), + ScanStatus=column_ifexists('scanStatus_s', ''), + ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''), + TotalMemory=column_ifexists('totalMemory_d', ''), + UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''), + Uuid=column_ifexists('uuid_g', ''), + Creator=column_ifexists('creator_s', ''), + CreatedAt=column_ifexists('createdAt_t',''), + CreatorId=column_ifexists('creatorId_s', ''), + Inherits=column_ifexists('inherits_b', ''), + IsDefault=column_ifexists('isDefault_b', ''), + Name=column_ifexists('name_s', ''), + RegistrationToken=column_ifexists('registrationToken_s', ''), + TotalAgents=column_ifexists('totalAgents_d', ''), + Type=column_ifexists('type_s', ''); + union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union + | extend + ActivityType, + EventVendor="SentinelOne", + EventProduct="SentinelOne", + DataAccountName=tostring(parse_json(todynamic(Data)).accountName), + DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails), + DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel), + DataScopeName=tostring(parse_json(todynamic(Data)).scopeName), + DataSiteId=tostring(parse_json(todynamic(Data)).siteId), + DataSiteName=tostring(parse_json(todynamic(Data)).siteName), + 
SrcUserName=tostring(parse_json(todynamic(Data)).userName), + EventId=Id, + SourceParentProcessInfo, + EventOriginalMessage=PrimaryDescription, + UserIdentity=UserId, + EventTypeDetailed=Description, + DataRuleId=tostring(parse_json(todynamic(Data)).ruleId), + DataRuleName=tostring(parse_json(todynamic(Data)).rulename), + DataScopeId=tostring(parse_json(todynamic(Data)).scopeId), + DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser), + DataUserId=tostring(parse_json(todynamic(Data)).userId), + DataUserName=tostring(parse_json(todynamic(Data)).userName), + EventSubStatus=SecondaryDescription, + DataComputerName=tostring(parse_json(todynamic(Data)).computerName), + DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp), + DataGroupName=tostring(parse_json(todynamic(Data)).groupName), + DataStatus=tostring(parse_json(todynamic(Data)).status), + DataByUser=tostring(parse_json(todynamic(Data)).byUser), + DataRole=tostring(parse_json(todynamic(Data)).role), + DataUserScope=tostring(parse_json(todynamic(Data)).userScope), + DataSource=tostring(parse_json(todynamic(Data)).source), + DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr), + DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime), + DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine), + DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime), + DataUuid=Uuid, + DataGroup=tostring(parse_json(todynamic(Data)).group), + DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription), + EventType=tostring(parse_json(todynamic(AlertInfo)).eventType), + DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode), + DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails), + DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType), + DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity), + DataSystem=tostring(parse_json(todynamic(Data)).system), + 
DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups), + DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt), + DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl), + DataFilePath=tostring(parse_json(todynamic(Data)).filePath), + DataFilename=tostring(parse_json(todynamic(Data)).filename), + DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename), + DataNewValue=tostring(parse_json(todynamic(Data)).newValue), + DataPolicyId=tostring(parse_json(todynamic(Data)).policyId), + DataPolicyName=tostring(parse_json(todynamic(Data)).policyName), + DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot), + DataRoleName=tostring(parse_json(todynamic(Data)).roleName), + DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName), + ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName), + ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf), + ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName), + ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf), + SrcDvcDomain=Domain, + AlertInfo=tostring(AlertInfo), + FirewallEnabled=column_ifexists('FirewallEnabled',''), + LocationEnabled=column_ifexists('LocationEnabled',''), + SrcDvcModelName=ModelName, + NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''), + SrcDvcOs=OsName, + SourceProcessInfo, + RuleInfo, + TargetProcessInfo, + ContainerInfo, + EventCreationTime=CreatedAt, + RemoteProfilingState=column_ifexists('RemoteProfilingState','') + | project + TimeGenerated, + EventVendor, + EventProduct, + AccountName, + SourceParentProcessInfo, + TargetProcessInfo, + ActivityType, + EventCreationTime, + DataAccountName, + DataFullScopeDetails, + DataScopeLevel, + DataScopeName, + DataSiteId, + SourceProcessInfo, + 
DataSiteName, + SrcUserName, + EventId, + EventOriginalMessage, + SiteId, + SiteName, + UpdatedAt, + UserIdentity, + EventType, + DataByUser, + DataRole, + DataUserScope, + EventTypeDetailed, + DataSource, + DataExpiryDateStr, + DataExpiryTime, + DataNetworkquarantine, + DataRuleCreationTime, + DataRuleDescription, + DataRuleExpirationMode, + DataRuleId, + DataRuleName, + DataRuleQueryDetails, + DataRuleQueryType, + DataRuleSeverity, + DataScopeId, + DataStatus, + DataSystemUser, + DataTreatasthreat, + DataUserId, + DataUserName, + EventSubStatus, + AgentId, + DataComputerName, + DataExternalIp, + DataGroupName, + DataSystem, + DataUuid, + GroupId, + GroupName, + DataGroup, + DataOptionalGroups, + DataCreatedAt, + DataDownloadUrl, + DataFilePath, + DataFilename, + DataUploadedFilename, + Comments, + DataNewValue, + DataPolicyId, + DataPolicyName, + DataNewValueb, + DataShouldReboot, + DataRoleName, + DataScopeLevelName, + ActiveDirectoryComputerDistinguishedName, + ActiveDirectoryComputerMemberOf, + ActiveDirectoryLastUserDistinguishedName, + ActiveDirectoryLastUserMemberOf, + ActiveThreats=toreal(activeThreats_d), + AgentVersion, + AllowRemoteShell, + AppsVulnerabilityStatus, + ComputerName, + ConsoleMigrationStatus, + CoreCount=toreal(coreCount_d), + CpuCount=toreal(cpuCount_d), + CpuId, + SrcDvcDomain, + EncryptedApplications, + ExternalId, + ExternalIp, + FirewallEnabled, + GroupIp, + InRemoteShellSession, + Infected, + InstallerType, + IsActive, + IsDecommissioned, + IsPendingUninstall, + IsUninstalled, + IsUpToDate, + LastActiveDate=tostring(LastActiveDate_datetime), + LastIpToMgmt, + LastLoggedInUserName, + LicenseKey, + LocationEnabled, + LocationType, + Locations, + MachineType, + MitigationMode, + MitigationModeSuspicious, + SrcDvcModelName, + NetworkInterfaces, + NetworkQuarantineEnabled, + NetworkStatus, + OperationalState, + OsArch, + SrcDvcOs, + OsRevision, + OsStartTime, + OsType, + RangerStatus, + RangerVersion, + 
RegisteredAt=tostring(RegisteredAt_datetime), + RemoteProfilingState, + ScanFinishedAt=tostring(ScanFinishedAt_datetime), + ScanStartedAt=tostring(ScanStartedAt_datetime), + ScanStatus, + ThreatRebootRequired, + TotalMemory=toreal(totalMemory_d), + UserActionsNeeded, + Uuid, + Creator, + CreatorId, + Inherits, + IsDefault, + Name, + AlertInfo, + RuleInfo, + ContainerInfo, + RegistrationToken, + TotalAgents=totalAgents_d, + Type; + }; + SentinelOne_view \ No newline at end of file From 7df3aa45b5e190d742d1b1998d569ffc2390110a Mon Sep 17 00:00:00 2001 From: PrasadBoke Date: Wed, 11 Dec 2024 21:06:31 +0530 Subject: [PATCH 15/22] tables empty --- .../SentinelOneActivities_CL.json | 1352 ---------------- .../CustomTables/SentinelOneAgents_CL.json | 1353 +--------------- .../CustomTables/SentinelOneAlerts_CL.json | 1355 +---------------- .../CustomTables/SentinelOneGroups_CL.json | 1352 ---------------- .../CustomTables/SentinelOneThreats_CL.json | 1352 ---------------- 5 files changed, 2 insertions(+), 6762 deletions(-) diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneActivities_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneActivities_CL.json index 9db85cf19a8..be5f54b7da6 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneActivities_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneActivities_CL.json 
@@ -1,1357 +1,5 @@
 {
 "Name":"SentinelOneActivities_CL",
 "Properties":[
- {
- "Name": "TenantId",
- "Type": "string"
- },
- {
- "Name": "SourceSystem",
- "Type": "string"
- },
- {
- "Name": "MG",
- "Type": "string"
- },
- {
- "Name": "ManagementGroupName",
- "Type": "string"
- },
- {
- "Name": "TimeGenerated",
- "Type": "datetime"
- },
- {
- "Name": "Computer",
- "Type": "string"
- },
- {
- "Name": "RawData",
- "Type": "string"
- },
- {
- "Name": "accountId_s",
- "Type": "string"
- },
- {
- "Name": "accountName_s",
- "Type": "string"
- },
- {
- "Name": "activityType_d",
- "Type": "real"
- },
- {
- "Name": "createdAt_t",
- "Type": "datetime"
- },
- {
- "Name": "data_accountName_s",
- "Type": "string"
- },
- {
- "Name": "data_fullScopeDetails_s",
- "Type": "string"
- },
- {
- "Name": "data_role_s",
- "Type": "string"
- },
- {
- "Name": "data_scopeLevel_s",
- "Type": "string"
- },
- {
- "Name": "data_scopeName_s",
- "Type": "string"
- },
- {
- "Name": "data_siteName_s",
- "Type": "string"
- },
- {
- "Name": "data_source_s",
- "Type": "string"
- },
- {
- "Name": "data_userScope_s",
- "Type": "string"
- },
- {
- "Name": "data_username_s",
- "Type": "string"
- },
- {
- "Name": "id_s",
- "Type": "string"
- },
- {
- "Name": "primaryDescription_s",
- "Type": "string"
- },
- {
- "Name": "siteId_s",
- "Type": "string"
- },
- {
- "Name": "siteName_s",
- "Type": "string"
- },
- {
- "Name": "updatedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "userId_s",
- "Type": "string"
- },
- {
- "Name": "event_name_s",
- "Type": "string"
- },
- {
- "Name": "activeDirectory_computerDistinguishedName_s",
- "Type": "string"
- },
- {
- "Name": "activeDirectory_computerMemberOf_s",
- "Type": "string"
- },
- {
- "Name": "activeDirectory_lastUserDistinguishedName_s",
- "Type": "string"
- },
- {
- "Name": "activeDirectory_lastUserMemberOf_s",
- "Type": "string"
- },
- {
- "Name": "activeThreats_d",
- "Type": "real"
- },
- {
- "Name": "agentVersion_s",
- "Type": "string"
- },
- {
- "Name": "allowRemoteShell_b",
- "Type": "bool"
- },
- {
- "Name": "appsVulnerabilityStatus_s",
- "Type": "string"
- },
- {
- "Name": "computerName_s",
- "Type": "string"
- },
- {
- "Name": "consoleMigrationStatus_s",
- "Type": "string"
- },
- {
- "Name": "coreCount_d",
- "Type": "real"
- },
- {
- "Name": "cpuCount_d",
- "Type": "real"
- },
- {
- "Name": "cpuId_s",
- "Type": "string"
- },
- {
- "Name": "domain_s",
- "Type": "string"
- },
- {
- "Name": "encryptedApplications_b",
- "Type": "bool"
- },
- {
- "Name": "externalId_s",
- "Type": "string"
- },
- {
- "Name": "externalIp_s",
- "Type": "string"
- },
- {
- "Name": "firewallEnabled_b",
- "Type": "bool"
- },
- {
- "Name": "groupId_s",
- "Type": "string"
- },
- {
- "Name": "groupIp_s",
- "Type": "string"
- },
- {
- "Name": "groupName_s",
- "Type": "string"
- },
- {
- "Name": "inRemoteShellSession_b",
- "Type": "bool"
- },
- {
- "Name": "infected_b",
- "Type": "bool"
- },
- {
- "Name": "installerType_s",
- "Type": "string"
- },
- {
- "Name": "isActive_b",
- "Type": "bool"
- },
- {
- "Name": "isDecommissioned_b",
- "Type": "bool"
- },
- {
- "Name": "isPendingUninstall_b",
- "Type": "bool"
- },
- {
- "Name": "isUninstalled_b",
- "Type": "bool"
- },
- {
- "Name": "isUpToDate_b",
- "Type": "bool"
- },
- {
- "Name": "lastActiveDate_t",
- "Type": "datetime"
- },
- {
- "Name": "lastIpToMgmt_s",
- "Type": "string"
- },
- {
- "Name": "lastLoggedInUserName_s",
- "Type": "string"
- },
- {
- "Name": "licenseKey_s",
- "Type": "string"
- },
- {
- "Name": "locationEnabled_b",
- "Type": "bool"
- },
- {
- "Name": "locationType_s",
- "Type": "string"
- },
- {
- "Name": "locations_s",
- "Type": "string"
- },
- {
- "Name": "machineType_s",
- "Type": "string"
- },
- {
- "Name": "mitigationMode_s",
- "Type": "string"
- },
- {
- "Name": "mitigationModeSuspicious_s",
- "Type": "string"
- },
- {
- "Name": "modelName_s",
- "Type": "string"
- },
- {
- "Name": "networkInterfaces_s",
- "Type": "string"
- },
- {
- "Name": "networkQuarantineEnabled_b",
- "Type": "bool"
- },
- {
- "Name": "networkStatus_s",
- "Type": "string"
- },
- {
- "Name": "operationalState_s",
- "Type": "string"
- },
- {
- "Name": "osArch_s",
- "Type": "string"
- },
- {
- "Name": "osName_s",
- "Type": "string"
- },
- {
- "Name": "osRevision_s",
- "Type": "string"
- },
- {
- "Name": "osStartTime_t",
- "Type": "datetime"
- },
- {
- "Name": "osType_s",
- "Type": "string"
- },
- {
- "Name": "rangerStatus_s",
- "Type": "string"
- },
- {
- "Name": "rangerVersion_s",
- "Type": "string"
- },
- {
- "Name": "registeredAt_t",
- "Type": "datetime"
- },
- {
- "Name": "remoteProfilingState_s",
- "Type": "string"
- },
- {
- "Name": "scanFinishedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "scanStartedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "scanStatus_s",
- "Type": "string"
- },
- {
- "Name": "threatRebootRequired_b",
- "Type": "bool"
- },
- {
- "Name": "totalMemory_d",
- "Type": "real"
- },
- {
- "Name": "userActionsNeeded_s",
- "Type": "string"
- },
- {
- "Name": "uuid_g",
- "Type": "string"
- },
- {
- "Name": "creator_s",
- "Type": "string"
- },
- {
- "Name": "creatorId_s",
- "Type": "string"
- },
- {
- "Name": "inherits_b",
- "Type": "bool"
- },
- {
- "Name": "isDefault_b",
- "Type": "bool"
- },
- {
- "Name": "name_s",
- "Type": "string"
- },
- {
- "Name": "registrationToken_s",
- "Type": "string"
- },
- {
- "Name": "totalAgents_d",
- "Type": "real"
- },
- {
- "Name": "type_s",
- "Type": "string"
- },
- {
- "Name": "Type",
- "Type": "string"
- },
- {
- "Name": "_ResourceId",
- "Type": "string"
- },
- {
- "Name": "_ItemId",
- "Type": "string"
- },
- {
- "Name": "alertInfo_indicatorDescription_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_indicatorName_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtFileOldPath_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_indicatorCategory_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_registryOldValue_g",
- "Type": "string"
- },
- {
- "Name": "alertInfo_dstIp_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_dstPort_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_netEventDirection_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_srcIp_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_srcPort_s",
- "Type": "string"
- },
- {
- "Name": "containerInfo_id_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtFileId_g",
- "Type": "string"
- },
- {
- "Name": "alertInfo_registryOldValue_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_registryOldValueType_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_dnsRequest_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_dnsResponse_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_registryKeyPath_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_registryPath_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_registryValue_g",
- "Type": "string"
- },
- {
- "Name": "ruleInfo_description_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_registryValue_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_loginAccountDomain_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_loginAccountSid_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_loginIsAdministratorEquivalent_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_loginIsSuccessful_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_loginType_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_loginsUserName_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_srcMachineIp_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcCmdLine_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcImagePath_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcName_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcPid_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcSignedStatus_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcStorylineId_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcUid_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_storyline_g",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_uniqueId_g",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_storyline_g",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_uniqueId_g",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcStorylineId_g",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcUid_g",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_machineType_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_name_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_osFamily_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_osName_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_osRevision_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_uuid_g",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_version_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_id_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_infected_b",
- "Type": "bool"
- },
- {
- "Name": "agentRealtimeInfo_isActive_b",
- "Type": "bool"
- },
- {
- "Name": "agentRealtimeInfo_isDecommissioned_b",
- "Type": "bool"
- },
- {
- "Name": "agentRealtimeInfo_machineType_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_name_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_os_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_uuid_g",
- "Type": "string"
- },
- {
- "Name": "alertInfo_alertId_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_analystVerdict_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_createdAt_t",
- "Type": "datetime"
- },
- {
- "Name": "alertInfo_dvEventId_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_eventType_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_hitType_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_incidentStatus_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_isEdr_b",
- "Type": "bool"
- },
- {
- "Name": "alertInfo_reportedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "alertInfo_source_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_updatedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "ruleInfo_id_s",
- "Type": "string"
- },
- {
- "Name": "ruleInfo_name_s",
- "Type": "string"
- },
- {
- "Name": "ruleInfo_queryLang_s",
- "Type": "string"
- },
- {
- "Name": "ruleInfo_queryType_s",
- "Type": "string"
- },
- {
- "Name": "ruleInfo_s1ql_s",
- "Type": "string"
- },
- {
- "Name": "ruleInfo_scopeLevel_s",
- "Type": "string"
- },
- {
- "Name": "ruleInfo_severity_s",
- "Type": "string"
- },
- {
- "Name": "ruleInfo_treatAsThreat_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_commandline_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_fileHashMd5_g",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_fileHashSha1_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_fileHashSha256_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_filePath_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_fileSignerIdentity_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_integrityLevel_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_name_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_pid_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_pidStarttime_t",
- "Type": "datetime"
- },
- {
- "Name": "sourceParentProcessInfo_storyline_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_subsystem_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_uniqueId_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_user_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_commandline_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_fileHashMd5_g",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_fileHashSha1_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_fileHashSha256_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_filePath_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_fileSignerIdentity_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_integrityLevel_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_name_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_pid_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_pidStarttime_t",
- "Type": "datetime"
- },
- {
- "Name": "sourceProcessInfo_storyline_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_subsystem_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_uniqueId_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_user_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtFileCreatedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "targetProcessInfo_tgtFileHashSha1_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtFileHashSha256_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtFileId_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtFileIsSigned_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtFileModifiedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "targetProcessInfo_tgtFilePath_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcIntegrityLevel_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcessStartTime_t",
- "Type": "datetime"
- },
- {
- "Name": "agentUpdatedVersion_s",
- "Type": "string"
- },
- {
- "Name": "agentId_s",
- "Type": "string"
- },
- {
- "Name": "hash_s",
- "Type": "string"
- },
- {
- "Name": "osFamily_s",
- "Type": "string"
- },
- {
- "Name": "threatId_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_accountId_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_accountName_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_agentDetectionState_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_agentDomain_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_agentIpV4_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_agentIpV6_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_agentLastLoggedInUserName_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_agentMitigationMode_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_agentOsName_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_agentOsRevision_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_agentRegisteredAt_t",
- "Type": "datetime"
- },
- {
- "Name": "agentDetectionInfo_agentUuid_g",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_agentVersion_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_externalIp_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_groupId_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_groupName_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_siteId_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_siteName_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_accountId_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_accountName_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_activeThreats_d",
- "Type": "real"
- },
- {
- "Name": "agentRealtimeInfo_agentComputerName_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_agentDomain_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_agentId_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_agentInfected_b",
- "Type": "bool"
- },
- {
- "Name": "agentRealtimeInfo_agentIsActive_b",
- "Type": "bool"
- },
- {
- "Name": "agentRealtimeInfo_agentIsDecommissioned_b",
- "Type": "bool"
- },
- {
- "Name": "agentRealtimeInfo_agentMachineType_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_agentMitigationMode_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_agentNetworkStatus_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_agentOsName_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_agentOsRevision_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_agentOsType_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_agentUuid_g",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_agentVersion_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_groupId_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_groupName_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_networkInterfaces_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_operationalState_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_rebootRequired_b",
- "Type": "bool"
- },
- {
- "Name": "agentRealtimeInfo_scanFinishedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "agentRealtimeInfo_scanStartedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "agentRealtimeInfo_scanStatus_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_siteId_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_siteName_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_userActionsNeeded_s",
- "Type": "string"
- },
- {
- "Name": "indicators_s",
- "Type": "string"
- },
- {
- "Name": "mitigationStatus_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_analystVerdict_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_analystVerdictDescription_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_automaticallyResolved_b",
- "Type": "bool"
- },
- {
- "Name": "threatInfo_certificateId_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_classification_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_classificationSource_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_cloudFilesHashVerdict_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_collectionId_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_confidenceLevel_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_createdAt_t",
- "Type": "datetime"
- },
- {
- "Name": "threatInfo_detectionEngines_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_detectionType_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_engines_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_externalTicketExists_b",
- "Type": "bool"
- },
- {
- "Name": "threatInfo_failedActions_b",
- "Type": "bool"
- },
- {
- "Name": "threatInfo_fileExtension_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_fileExtensionType_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_filePath_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_fileSize_d",
- "Type": "real"
- },
- {
- "Name": "threatInfo_fileVerificationType_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_identifiedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "threatInfo_incidentStatus_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_incidentStatusDescription_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_initiatedBy_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_initiatedByDescription_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_isFileless_b",
- "Type": "bool"
- },
- {
- "Name": "threatInfo_isValidCertificate_b",
- "Type": "bool"
- },
- {
- "Name": "threatInfo_mitigatedPreemptively_b",
- "Type": "bool"
- },
- {
- "Name": "threatInfo_mitigationStatus_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_mitigationStatusDescription_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_originatorProcess_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_pendingActions_b",
- "Type": "bool"
- },
- {
- "Name": "threatInfo_processUser_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_publisherName_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_reachedEventsLimit_b",
- "Type": "bool"
- },
- {
- "Name": "threatInfo_rebootRequired_b",
- "Type": "bool"
- },
- {
- "Name": "threatInfo_sha1_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_storyline_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_threatId_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_threatName_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_updatedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "whiteningOptions_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_maliciousProcessArguments_s",
- "Type": "string"
- },
- {
- "Name": "threatInfo_fileExtension_g",
- "Type": "string"
- },
- {
- "Name": "threatInfo_threatName_g",
- "Type": "string"
- },
- {
- "Name": "threatInfo_storyline_g",
- "Type": "string"
- },
- {
- "Name": "activityUuid_g",
- "Type": "string"
- },
- {
- "Name": "secondaryDescription_s",
- "Type": "string"
- },
- {
- "Name": "DataFields_s",
- "Type": "string"
- },
- {
- "Name": "description_s",
- "Type": "string"
- },
- {
- "Name": "comments_s",
- "Type": "string"
- },
- {
- "Name": "detectionState_s",
- "Type": "string"
- },
- {
- "Name": "firstFullModeTime_t",
- "Type": "datetime"
- },
- {
- "Name": "fullDiskScanLastUpdatedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "serialNumber_s",
- "Type": "string"
- },
- {
- "Name": "showAlertIcon_b",
- "Type": "bool"
- },
- {
- "Name": "tags_sentinelone_s",
- "Type": "string"
- },
- {
- "Name": "osUsername_s",
- "Type": "string"
- },
- {
- "Name": "scanAbortedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "_ItemId",
- "Type": "string"
- },
- {
- "Name": "Data",
- "Type": "string"
- },
- {
- "Name": "SourceParentProcessInfo",
- "Type": "string"
- },
- {
- "Name": "Description",
- "Type": "string"
- },
- {
- "Name": "ActiveDirectory",
- "Type": "string"
- },
- {
- "Name": "Domain",
- "Type": "string"
- },
- {
- "Name": "ModelName",
- "Type": "string"
- },
- {
- "Name": "OsName",
- "Type": "string"
- },
- {
- "Name": "SourceProcessInfo",
- "Type": "string"
- },
- {
- "Name": "RuleInfo",
- "Type": "string"
- },
- {
- "Name": "TargetProcessInfo",
- "Type": "string"
- },
- {
- "Name": "ContainerInfo",
- "Type": "string"
- },
- {
- "Name": "LastActiveDate_datetime",
- "Type": "DateTime"
- },
- {
- "Name": "RegisteredAt_datetime",
- "Type": "DateTime"
- },
- {
- "Name": "ScanFinishedAt_datetime",
- "Type": "DateTime"
- },
- {
- "Name": "ScanStartedAt_datetime",
- "Type": "DateTime"
- }
 ]
 }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json
index 8a911de6d68..29c412edee2 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json
@@ -1,1357 +1,6 @@
 {
 "Name":"SentinelOneAgents_CL",
 "Properties":[
- {
- "Name": "TenantId",
- "Type": "string"
- },
- {
- "Name": "SourceSystem",
- "Type": "string"
- },
- {
- "Name": "MG",
- "Type": "string"
- },
- {
- "Name": "ManagementGroupName",
- "Type": "string"
- },
- {
- "Name": "TimeGenerated",
- "Type": "datetime"
- },
- {
- "Name": "Computer",
- "Type": "string"
- },
- {
- "Name": "RawData",
- "Type": "string"
- },
- {
- "Name": "accountId_s",
- "Type": "string"
- },
- {
- "Name": "accountName_s",
- "Type": "string"
- },
- {
- "Name": "activityType_d",
- "Type": "real"
- },
- {
- "Name": "createdAt_t",
- "Type": "datetime"
- },
- {
- "Name": "data_accountName_s",
- "Type": "string"
- },
- {
- "Name": "data_fullScopeDetails_s",
- "Type": "string"
- },
- {
- "Name": "data_role_s",
- "Type": "string"
- },
- {
- "Name": "data_scopeLevel_s",
- "Type": "string"
- },
- {
- "Name": "data_scopeName_s",
- "Type": "string"
- },
- {
- "Name": "data_siteName_s",
- "Type": "string"
- },
- {
- "Name": "data_source_s",
- "Type": "string"
- },
- {
- "Name": "data_userScope_s",
- "Type": "string"
- },
- {
- "Name": "data_username_s",
- "Type": "string"
- },
- {
- "Name": "id_s",
- "Type": "string"
- },
- {
- "Name": "primaryDescription_s",
- "Type": "string"
- },
- {
- "Name": "siteId_s",
- "Type": "string"
- },
- {
- "Name": "siteName_s",
- "Type": "string"
- },
- {
- "Name": "updatedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "userId_s",
- "Type": "string"
- },
- {
- "Name": "event_name_s",
- "Type": "string"
- },
- {
- "Name": "activeDirectory_computerDistinguishedName_s",
- "Type": "string"
- },
- {
- "Name": "activeDirectory_computerMemberOf_s",
- "Type": "string"
- },
- {
- "Name": "activeDirectory_lastUserDistinguishedName_s",
- "Type": "string"
- },
- {
- "Name": "activeDirectory_lastUserMemberOf_s",
- "Type": "string"
- },
- {
- "Name": "activeThreats_d",
- "Type": "real"
- },
- {
- "Name": "agentVersion_s",
- "Type": "string"
- },
- {
- "Name": "allowRemoteShell_b",
- "Type": "bool"
- },
- {
- "Name": "appsVulnerabilityStatus_s",
- "Type": "string"
- },
- {
- "Name": "computerName_s",
- "Type": "string"
- },
- {
- "Name": "consoleMigrationStatus_s",
- "Type": "string"
- },
- {
- "Name": "coreCount_d",
- "Type": "real"
- },
- {
- "Name": "cpuCount_d",
- "Type": "real"
- },
- {
- "Name": "cpuId_s",
- "Type": "string"
- },
- {
- "Name": "domain_s",
- "Type": "string"
- },
- {
- "Name": "encryptedApplications_b",
- "Type": "bool"
- },
- {
- "Name": "externalId_s",
- "Type": "string"
- },
- {
- "Name": "externalIp_s",
- "Type": "string"
- },
- {
- "Name": "firewallEnabled_b",
- "Type": "bool"
- },
- {
- "Name": "groupId_s",
- "Type": "string"
- },
- {
- "Name": "groupIp_s",
- "Type": "string"
- },
- {
- "Name": "groupName_s",
- "Type": "string"
- },
- {
- "Name": "inRemoteShellSession_b",
- "Type": "bool"
- },
- {
- "Name": "infected_b",
- "Type": "bool"
- },
- {
- "Name": "installerType_s",
- "Type": "string"
- },
- {
- "Name": "isActive_b",
- "Type": "bool"
- },
- {
- "Name": "isDecommissioned_b",
- "Type": "bool"
- },
- {
- "Name": "isPendingUninstall_b",
- "Type": "bool"
- },
- {
- "Name": "isUninstalled_b",
- "Type": "bool"
- },
- {
- "Name": "isUpToDate_b",
- "Type": "bool"
- },
- {
- "Name": "lastActiveDate_t",
- "Type": "datetime"
- },
- {
- "Name": "lastIpToMgmt_s",
- "Type": "string"
- },
- {
- "Name": "lastLoggedInUserName_s",
- "Type": "string"
- },
- {
- "Name": "licenseKey_s",
- "Type": "string"
- },
- {
- "Name": "locationEnabled_b",
- "Type": "bool"
- },
- {
- "Name": "locationType_s",
- "Type": "string"
- },
- {
- "Name": "locations_s",
- "Type": "string"
- },
- {
- "Name": "machineType_s",
- "Type": "string"
- },
- {
- "Name": "mitigationMode_s",
- "Type": "string"
- },
- {
- "Name": "mitigationModeSuspicious_s",
- "Type": "string"
- },
- {
- "Name": "modelName_s",
- "Type": "string"
- },
- {
- "Name": "networkInterfaces_s",
- "Type": "string"
- },
- {
- "Name": "networkQuarantineEnabled_b",
- "Type": "bool"
- },
- {
- "Name": "networkStatus_s",
- "Type": "string"
- },
- {
- "Name": "operationalState_s",
- "Type": "string"
- },
- {
- "Name": "osArch_s",
- "Type": "string"
- },
- {
- "Name": "osName_s",
- "Type": "string"
- },
- {
- "Name": "osRevision_s",
- "Type": "string"
- },
- {
- "Name": "osStartTime_t",
- "Type": "datetime"
- },
- {
- "Name": "osType_s",
- "Type": "string"
- },
- {
- "Name": "rangerStatus_s",
- "Type": "string"
- },
- {
- "Name": "rangerVersion_s",
- "Type": "string"
- },
- {
- "Name": "registeredAt_t",
- "Type": "datetime"
- },
- {
- "Name": "remoteProfilingState_s",
- "Type": "string"
- },
- {
- "Name": "scanFinishedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "scanStartedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "scanStatus_s",
- "Type": "string"
- },
- {
- "Name": "threatRebootRequired_b",
- "Type": "bool"
- },
- {
- "Name": "totalMemory_d",
- "Type": "real"
- },
- {
- "Name": "userActionsNeeded_s",
- "Type": "string"
- },
- {
- "Name": "uuid_g",
- "Type": "string"
- },
- {
- "Name": "creator_s",
- "Type": "string"
- },
- {
- "Name": "creatorId_s",
- "Type": "string"
- },
- {
- "Name": "inherits_b",
- "Type": "bool"
- },
- {
- "Name": "isDefault_b",
- "Type": "bool"
- },
- {
- "Name": "name_s",
- "Type": "string"
- },
- {
- "Name": "registrationToken_s",
- "Type": "string"
- },
- {
- "Name": "totalAgents_d",
- "Type": "real"
- },
- {
- "Name": "type_s",
- "Type": "string"
- },
- {
- "Name": "Type",
- "Type": "string"
- },
- {
- "Name": "_ResourceId",
- "Type": "string"
- },
- {
- "Name": "_ItemId",
- "Type": "string"
- },
- {
- "Name": "alertInfo_indicatorDescription_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_indicatorName_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtFileOldPath_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_indicatorCategory_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_registryOldValue_g",
- "Type": "string"
- },
- {
- "Name": "alertInfo_dstIp_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_dstPort_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_netEventDirection_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_srcIp_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_srcPort_s",
- "Type": "string"
- },
- {
- "Name": "containerInfo_id_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtFileId_g",
- "Type": "string"
- },
- {
- "Name": "alertInfo_registryOldValue_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_registryOldValueType_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_dnsRequest_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_dnsResponse_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_registryKeyPath_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_registryPath_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_registryValue_g",
- "Type": "string"
- },
- {
- "Name": "ruleInfo_description_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_registryValue_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_loginAccountDomain_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_loginAccountSid_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_loginIsAdministratorEquivalent_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_loginIsSuccessful_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_loginType_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_loginsUserName_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_srcMachineIp_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcCmdLine_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcImagePath_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcName_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcPid_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcSignedStatus_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcStorylineId_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcUid_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_storyline_g",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_uniqueId_g",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_storyline_g",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_uniqueId_g",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcStorylineId_g",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcUid_g",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_machineType_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_name_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_osFamily_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_osName_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_osRevision_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_uuid_g",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_version_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_id_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_infected_b",
- "Type": "bool"
- },
- {
- "Name": "agentRealtimeInfo_isActive_b",
- "Type": "bool"
- },
- {
- "Name": "agentRealtimeInfo_isDecommissioned_b",
- "Type": "bool"
- },
- {
- "Name": "agentRealtimeInfo_machineType_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_name_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_os_s",
- "Type": "string"
- },
- {
- "Name": "agentRealtimeInfo_uuid_g",
- "Type": "string"
- },
- {
- "Name": "alertInfo_alertId_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_analystVerdict_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_createdAt_t",
- "Type": "datetime"
- },
- {
- "Name": "alertInfo_dvEventId_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_eventType_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_hitType_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_incidentStatus_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_isEdr_b",
- "Type": "bool"
- },
- {
- "Name": "alertInfo_reportedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "alertInfo_source_s",
- "Type": "string"
- },
- {
- "Name": "alertInfo_updatedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "ruleInfo_id_s",
- "Type": "string"
- },
- {
- "Name": "ruleInfo_name_s",
- "Type": "string"
- },
- {
- "Name": "ruleInfo_queryLang_s",
- "Type": "string"
- },
- {
- "Name": "ruleInfo_queryType_s",
- "Type": "string"
- },
- {
- "Name": "ruleInfo_s1ql_s",
- "Type": "string"
- },
- {
- "Name": "ruleInfo_scopeLevel_s",
- "Type": "string"
- },
- {
- "Name": "ruleInfo_severity_s",
- "Type": "string"
- },
- {
- "Name": "ruleInfo_treatAsThreat_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_commandline_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_fileHashMd5_g",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_fileHashSha1_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_fileHashSha256_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_filePath_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_fileSignerIdentity_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_integrityLevel_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_name_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_pid_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_pidStarttime_t",
- "Type": "datetime"
- },
- {
- "Name": "sourceParentProcessInfo_storyline_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_subsystem_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_uniqueId_s",
- "Type": "string"
- },
- {
- "Name": "sourceParentProcessInfo_user_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_commandline_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_fileHashMd5_g",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_fileHashSha1_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_fileHashSha256_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_filePath_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_fileSignerIdentity_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_integrityLevel_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_name_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_pid_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_pidStarttime_t",
- "Type": "datetime"
- },
- {
- "Name": "sourceProcessInfo_storyline_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_subsystem_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_uniqueId_s",
- "Type": "string"
- },
- {
- "Name": "sourceProcessInfo_user_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtFileCreatedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "targetProcessInfo_tgtFileHashSha1_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtFileHashSha256_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtFileId_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtFileIsSigned_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtFileModifiedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "targetProcessInfo_tgtFilePath_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcIntegrityLevel_s",
- "Type": "string"
- },
- {
- "Name": "targetProcessInfo_tgtProcessStartTime_t",
- "Type": "datetime"
- },
- {
- "Name": "agentUpdatedVersion_s",
- "Type": "string"
- },
- {
- "Name": "agentId_s",
- "Type": "string"
- },
- {
- "Name": "hash_s",
- "Type": "string"
- },
- {
- "Name": "osFamily_s",
- "Type": "string"
- },
- {
- "Name": "threatId_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_accountId_s",
- "Type": "string"
- },
- {
- "Name": "agentDetectionInfo_accountName_s",
- "Type": "string"
- },
- {
- "Name":
"agentDetectionInfo_agentDetectionState_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentDomain_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentIpV4_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentIpV6_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentLastLoggedInUserName_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentMitigationMode_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentOsName_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentOsRevision_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentRegisteredAt_t", - "Type": "datetime" - }, - { - "Name": "agentDetectionInfo_agentUuid_g", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentVersion_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_externalIp_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_groupId_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_groupName_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_siteId_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_siteName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_accountId_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_accountName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_activeThreats_d", - "Type": "real" - }, - { - "Name": "agentRealtimeInfo_agentComputerName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentDomain_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentId_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentInfected_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_agentIsActive_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_agentIsDecommissioned_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_agentMachineType_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentMitigationMode_s", - 
"Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentNetworkStatus_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentOsName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentOsRevision_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentOsType_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentUuid_g", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentVersion_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_groupId_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_groupName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_networkInterfaces_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_operationalState_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_rebootRequired_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_scanFinishedAt_t", - "Type": "datetime" - }, - { - "Name": "agentRealtimeInfo_scanStartedAt_t", - "Type": "datetime" - }, - { - "Name": "agentRealtimeInfo_scanStatus_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_siteId_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_siteName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_userActionsNeeded_s", - "Type": "string" - }, - { - "Name": "indicators_s", - "Type": "string" - }, - { - "Name": "mitigationStatus_s", - "Type": "string" - }, - { - "Name": "threatInfo_analystVerdict_s", - "Type": "string" - }, - { - "Name": "threatInfo_analystVerdictDescription_s", - "Type": "string" - }, - { - "Name": "threatInfo_automaticallyResolved_b", - "Type": "bool" - }, - { - "Name": "threatInfo_certificateId_s", - "Type": "string" - }, - { - "Name": "threatInfo_classification_s", - "Type": "string" - }, - { - "Name": "threatInfo_classificationSource_s", - "Type": "string" - }, - { - "Name": "threatInfo_cloudFilesHashVerdict_s", - "Type": "string" - }, - { - "Name": "threatInfo_collectionId_s", - "Type": "string" - }, - { - "Name": 
"threatInfo_confidenceLevel_s", - "Type": "string" - }, - { - "Name": "threatInfo_createdAt_t", - "Type": "datetime" - }, - { - "Name": "threatInfo_detectionEngines_s", - "Type": "string" - }, - { - "Name": "threatInfo_detectionType_s", - "Type": "string" - }, - { - "Name": "threatInfo_engines_s", - "Type": "string" - }, - { - "Name": "threatInfo_externalTicketExists_b", - "Type": "bool" - }, - { - "Name": "threatInfo_failedActions_b", - "Type": "bool" - }, - { - "Name": "threatInfo_fileExtension_s", - "Type": "string" - }, - { - "Name": "threatInfo_fileExtensionType_s", - "Type": "string" - }, - { - "Name": "threatInfo_filePath_s", - "Type": "string" - }, - { - "Name": "threatInfo_fileSize_d", - "Type": "real" - }, - { - "Name": "threatInfo_fileVerificationType_s", - "Type": "string" - }, - { - "Name": "threatInfo_identifiedAt_t", - "Type": "datetime" - }, - { - "Name": "threatInfo_incidentStatus_s", - "Type": "string" - }, - { - "Name": "threatInfo_incidentStatusDescription_s", - "Type": "string" - }, - { - "Name": "threatInfo_initiatedBy_s", - "Type": "string" - }, - { - "Name": "threatInfo_initiatedByDescription_s", - "Type": "string" - }, - { - "Name": "threatInfo_isFileless_b", - "Type": "bool" - }, - { - "Name": "threatInfo_isValidCertificate_b", - "Type": "bool" - }, - { - "Name": "threatInfo_mitigatedPreemptively_b", - "Type": "bool" - }, - { - "Name": "threatInfo_mitigationStatus_s", - "Type": "string" - }, - { - "Name": "threatInfo_mitigationStatusDescription_s", - "Type": "string" - }, - { - "Name": "threatInfo_originatorProcess_s", - "Type": "string" - }, - { - "Name": "threatInfo_pendingActions_b", - "Type": "bool" - }, - { - "Name": "threatInfo_processUser_s", - "Type": "string" - }, - { - "Name": "threatInfo_publisherName_s", - "Type": "string" - }, - { - "Name": "threatInfo_reachedEventsLimit_b", - "Type": "bool" - }, - { - "Name": "threatInfo_rebootRequired_b", - "Type": "bool" - }, - { - "Name": "threatInfo_sha1_s", - "Type": "string" - }, - { - 
"Name": "threatInfo_storyline_s", - "Type": "string" - }, - { - "Name": "threatInfo_threatId_s", - "Type": "string" - }, - { - "Name": "threatInfo_threatName_s", - "Type": "string" - }, - { - "Name": "threatInfo_updatedAt_t", - "Type": "datetime" - }, - { - "Name": "whiteningOptions_s", - "Type": "string" - }, - { - "Name": "threatInfo_maliciousProcessArguments_s", - "Type": "string" - }, - { - "Name": "threatInfo_fileExtension_g", - "Type": "string" - }, - { - "Name": "threatInfo_threatName_g", - "Type": "string" - }, - { - "Name": "threatInfo_storyline_g", - "Type": "string" - }, - { - "Name": "activityUuid_g", - "Type": "string" - }, - { - "Name": "secondaryDescription_s", - "Type": "string" - }, - { - "Name": "DataFields_s", - "Type": "string" - }, - { - "Name": "description_s", - "Type": "string" - }, - { - "Name": "comments_s", - "Type": "string" - }, - { - "Name": "detectionState_s", - "Type": "string" - }, - { - "Name": "firstFullModeTime_t", - "Type": "datetime" - }, - { - "Name": "fullDiskScanLastUpdatedAt_t", - "Type": "datetime" - }, - { - "Name": "serialNumber_s", - "Type": "string" - }, - { - "Name": "showAlertIcon_b", - "Type": "bool" - }, - { - "Name": "tags_sentinelone_s", - "Type": "string" - }, - { - "Name": "osUsername_s", - "Type": "string" - }, - { - "Name": "scanAbortedAt_t", - "Type": "datetime" - }, - { - "Name": "_ItemId", - "Type": "string" - }, - { - "Name": "Data", - "Type": "string" - }, - { - "Name": "SourceParentProcessInfo", - "Type": "string" - }, - { - "Name": "Description", - "Type": "string" - }, - { - "Name": "ActiveDirectory", - "Type": "string" - }, - { - "Name": "Domain", - "Type": "string" - }, - { - "Name": "ModelName", - "Type": "string" - }, - { - "Name": "OsName", - "Type": "string" - }, - { - "Name": "SourceProcessInfo", - "Type": "string" - }, - { - "Name": "RuleInfo", - "Type": "string" - }, - { - "Name": "TargetProcessInfo", - "Type": "string" - }, - { - "Name": "ContainerInfo", - "Type": "string" - }, - { - "Name": 
"LastActiveDate_datetime",
- "Type": "DateTime"
- },
- {
- "Name": "RegisteredAt_datetime",
- "Type": "DateTime"
- },
- {
- "Name": "ScanFinishedAt_datetime",
- "Type": "DateTime"
- },
- {
- "Name": "ScanStartedAt_datetime",
- "Type": "DateTime"
- }
+ ]
 }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAlerts_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAlerts_CL.json
index fc7bad6ef0d..5bc4ea14af0 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAlerts_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAlerts_CL.json
@@ -1,1357 +1,4 @@ { "Name":"SentinelOneAlerts_CL", - "Properties":[ - { - "Name": "TenantId", - "Type": "string" - }, - { - "Name": "SourceSystem", - "Type": "string" - }, - { - "Name": "MG", - "Type": "string" - }, - { - "Name": "ManagementGroupName", - "Type": "string" - }, - { - "Name": "TimeGenerated", - "Type": "datetime" - }, - { - "Name": "Computer", - "Type": "string" - }, - { - "Name": "RawData", - "Type": "string" - }, - { - "Name": "accountId_s", - "Type": "string" - }, - { - "Name": "accountName_s", - "Type": "string" - }, - { - "Name": "activityType_d", - "Type": "real" - }, - { - "Name": "createdAt_t", - "Type": "datetime" - }, - { - "Name": "data_accountName_s", - "Type": "string" - }, - { - "Name": "data_fullScopeDetails_s", - "Type": "string" - }, - { - "Name": "data_role_s", - "Type": "string" - }, - { - "Name": "data_scopeLevel_s", - "Type": "string" - }, - { - "Name": "data_scopeName_s", - "Type": "string" - }, - { - "Name": "data_siteName_s", - "Type": "string" - }, - { - "Name": "data_source_s", - "Type": "string" - }, - { - "Name": "data_userScope_s", - "Type": "string" - }, - { - "Name": "data_username_s", - "Type": "string" - }, - { - "Name": "id_s", - "Type": "string" - }, - { - "Name": "primaryDescription_s", - "Type": "string" - }, - { - "Name": "siteId_s", - "Type": "string" - }, - { - "Name": "siteName_s", - "Type": "string" - }, - { - "Name": "updatedAt_t", - "Type": "datetime" - }, - { - "Name": "userId_s", - "Type": "string" - }, - { - "Name": "event_name_s", - "Type": "string" - }, - { - "Name": "activeDirectory_computerDistinguishedName_s", - "Type": "string" - }, - { - "Name": "activeDirectory_computerMemberOf_s", - "Type": "string" - }, - { - "Name": "activeDirectory_lastUserDistinguishedName_s", - "Type": "string" - }, - { - "Name": "activeDirectory_lastUserMemberOf_s", - "Type": "string" - }, - { - "Name": "activeThreats_d", - "Type": "real" - }, - { - "Name": "agentVersion_s", - "Type": "string" - }, - { - "Name": 
"allowRemoteShell_b", - "Type": "bool" - }, - { - "Name": "appsVulnerabilityStatus_s", - "Type": "string" - }, - { - "Name": "computerName_s", - "Type": "string" - }, - { - "Name": "consoleMigrationStatus_s", - "Type": "string" - }, - { - "Name": "coreCount_d", - "Type": "real" - }, - { - "Name": "cpuCount_d", - "Type": "real" - }, - { - "Name": "cpuId_s", - "Type": "string" - }, - { - "Name": "domain_s", - "Type": "string" - }, - { - "Name": "encryptedApplications_b", - "Type": "bool" - }, - { - "Name": "externalId_s", - "Type": "string" - }, - { - "Name": "externalIp_s", - "Type": "string" - }, - { - "Name": "firewallEnabled_b", - "Type": "bool" - }, - { - "Name": "groupId_s", - "Type": "string" - }, - { - "Name": "groupIp_s", - "Type": "string" - }, - { - "Name": "groupName_s", - "Type": "string" - }, - { - "Name": "inRemoteShellSession_b", - "Type": "bool" - }, - { - "Name": "infected_b", - "Type": "bool" - }, - { - "Name": "installerType_s", - "Type": "string" - }, - { - "Name": "isActive_b", - "Type": "bool" - }, - { - "Name": "isDecommissioned_b", - "Type": "bool" - }, - { - "Name": "isPendingUninstall_b", - "Type": "bool" - }, - { - "Name": "isUninstalled_b", - "Type": "bool" - }, - { - "Name": "isUpToDate_b", - "Type": "bool" - }, - { - "Name": "lastActiveDate_t", - "Type": "datetime" - }, - { - "Name": "lastIpToMgmt_s", - "Type": "string" - }, - { - "Name": "lastLoggedInUserName_s", - "Type": "string" - }, - { - "Name": "licenseKey_s", - "Type": "string" - }, - { - "Name": "locationEnabled_b", - "Type": "bool" - }, - { - "Name": "locationType_s", - "Type": "string" - }, - { - "Name": "locations_s", - "Type": "string" - }, - { - "Name": "machineType_s", - "Type": "string" - }, - { - "Name": "mitigationMode_s", - "Type": "string" - }, - { - "Name": "mitigationModeSuspicious_s", - "Type": "string" - }, - { - "Name": "modelName_s", - "Type": "string" - }, - { - "Name": "networkInterfaces_s", - "Type": "string" - }, - { - "Name": "networkQuarantineEnabled_b", 
- "Type": "bool" - }, - { - "Name": "networkStatus_s", - "Type": "string" - }, - { - "Name": "operationalState_s", - "Type": "string" - }, - { - "Name": "osArch_s", - "Type": "string" - }, - { - "Name": "osName_s", - "Type": "string" - }, - { - "Name": "osRevision_s", - "Type": "string" - }, - { - "Name": "osStartTime_t", - "Type": "datetime" - }, - { - "Name": "osType_s", - "Type": "string" - }, - { - "Name": "rangerStatus_s", - "Type": "string" - }, - { - "Name": "rangerVersion_s", - "Type": "string" - }, - { - "Name": "registeredAt_t", - "Type": "datetime" - }, - { - "Name": "remoteProfilingState_s", - "Type": "string" - }, - { - "Name": "scanFinishedAt_t", - "Type": "datetime" - }, - { - "Name": "scanStartedAt_t", - "Type": "datetime" - }, - { - "Name": "scanStatus_s", - "Type": "string" - }, - { - "Name": "threatRebootRequired_b", - "Type": "bool" - }, - { - "Name": "totalMemory_d", - "Type": "real" - }, - { - "Name": "userActionsNeeded_s", - "Type": "string" - }, - { - "Name": "uuid_g", - "Type": "string" - }, - { - "Name": "creator_s", - "Type": "string" - }, - { - "Name": "creatorId_s", - "Type": "string" - }, - { - "Name": "inherits_b", - "Type": "bool" - }, - { - "Name": "isDefault_b", - "Type": "bool" - }, - { - "Name": "name_s", - "Type": "string" - }, - { - "Name": "registrationToken_s", - "Type": "string" - }, - { - "Name": "totalAgents_d", - "Type": "real" - }, - { - "Name": "type_s", - "Type": "string" - }, - { - "Name": "Type", - "Type": "string" - }, - { - "Name": "_ResourceId", - "Type": "string" - }, - { - "Name": "_ItemId", - "Type": "string" - }, - { - "Name": "alertInfo_indicatorDescription_s", - "Type": "string" - }, - { - "Name": "alertInfo_indicatorName_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileOldPath_s", - "Type": "string" - }, - { - "Name": "alertInfo_indicatorCategory_s", - "Type": "string" - }, - { - "Name": "alertInfo_registryOldValue_g", - "Type": "string" - }, - { - "Name": "alertInfo_dstIp_s", - "Type": 
"string" - }, - { - "Name": "alertInfo_dstPort_s", - "Type": "string" - }, - { - "Name": "alertInfo_netEventDirection_s", - "Type": "string" - }, - { - "Name": "alertInfo_srcIp_s", - "Type": "string" - }, - { - "Name": "alertInfo_srcPort_s", - "Type": "string" - }, - { - "Name": "containerInfo_id_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileId_g", - "Type": "string" - }, - { - "Name": "alertInfo_registryOldValue_s", - "Type": "string" - }, - { - "Name": "alertInfo_registryOldValueType_s", - "Type": "string" - }, - { - "Name": "alertInfo_dnsRequest_s", - "Type": "string" - }, - { - "Name": "alertInfo_dnsResponse_s", - "Type": "string" - }, - { - "Name": "alertInfo_registryKeyPath_s", - "Type": "string" - }, - { - "Name": "alertInfo_registryPath_s", - "Type": "string" - }, - { - "Name": "alertInfo_registryValue_g", - "Type": "string" - }, - { - "Name": "ruleInfo_description_s", - "Type": "string" - }, - { - "Name": "alertInfo_registryValue_s", - "Type": "string" - }, - { - "Name": "alertInfo_loginAccountDomain_s", - "Type": "string" - }, - { - "Name": "alertInfo_loginAccountSid_s", - "Type": "string" - }, - { - "Name": "alertInfo_loginIsAdministratorEquivalent_s", - "Type": "string" - }, - { - "Name": "alertInfo_loginIsSuccessful_s", - "Type": "string" - }, - { - "Name": "alertInfo_loginType_s", - "Type": "string" - }, - { - "Name": "alertInfo_loginsUserName_s", - "Type": "string" - }, - { - "Name": "alertInfo_srcMachineIp_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcCmdLine_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcImagePath_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcName_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcPid_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcSignedStatus_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcStorylineId_s", - "Type": "string" - }, - { - "Name": 
"targetProcessInfo_tgtProcUid_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_storyline_g", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_uniqueId_g", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_storyline_g", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_uniqueId_g", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcStorylineId_g", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcUid_g", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_machineType_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_name_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_osFamily_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_osName_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_osRevision_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_uuid_g", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_version_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_id_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_infected_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_isActive_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_isDecommissioned_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_machineType_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_name_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_os_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_uuid_g", - "Type": "string" - }, - { - "Name": "alertInfo_alertId_s", - "Type": "string" - }, - { - "Name": "alertInfo_analystVerdict_s", - "Type": "string" - }, - { - "Name": "alertInfo_createdAt_t", - "Type": "datetime" - }, - { - "Name": "alertInfo_dvEventId_s", - "Type": "string" - }, - { - "Name": "alertInfo_eventType_s", - "Type": "string" - }, - { - "Name": "alertInfo_hitType_s", - "Type": "string" - }, - { - "Name": "alertInfo_incidentStatus_s", - "Type": "string" - }, - { - 
"Name": "alertInfo_isEdr_b", - "Type": "bool" - }, - { - "Name": "alertInfo_reportedAt_t", - "Type": "datetime" - }, - { - "Name": "alertInfo_source_s", - "Type": "string" - }, - { - "Name": "alertInfo_updatedAt_t", - "Type": "datetime" - }, - { - "Name": "ruleInfo_id_s", - "Type": "string" - }, - { - "Name": "ruleInfo_name_s", - "Type": "string" - }, - { - "Name": "ruleInfo_queryLang_s", - "Type": "string" - }, - { - "Name": "ruleInfo_queryType_s", - "Type": "string" - }, - { - "Name": "ruleInfo_s1ql_s", - "Type": "string" - }, - { - "Name": "ruleInfo_scopeLevel_s", - "Type": "string" - }, - { - "Name": "ruleInfo_severity_s", - "Type": "string" - }, - { - "Name": "ruleInfo_treatAsThreat_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_commandline_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_fileHashMd5_g", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_fileHashSha1_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_fileHashSha256_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_filePath_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_fileSignerIdentity_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_integrityLevel_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_name_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_pid_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_pidStarttime_t", - "Type": "datetime" - }, - { - "Name": "sourceParentProcessInfo_storyline_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_subsystem_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_uniqueId_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_user_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_commandline_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_fileHashMd5_g", - "Type": "string" - }, - { - "Name": 
"sourceProcessInfo_fileHashSha1_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_fileHashSha256_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_filePath_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_fileSignerIdentity_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_integrityLevel_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_name_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_pid_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_pidStarttime_t", - "Type": "datetime" - }, - { - "Name": "sourceProcessInfo_storyline_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_subsystem_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_uniqueId_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_user_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileCreatedAt_t", - "Type": "datetime" - }, - { - "Name": "targetProcessInfo_tgtFileHashSha1_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileHashSha256_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileId_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileIsSigned_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileModifiedAt_t", - "Type": "datetime" - }, - { - "Name": "targetProcessInfo_tgtFilePath_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcIntegrityLevel_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcessStartTime_t", - "Type": "datetime" - }, - { - "Name": "agentUpdatedVersion_s", - "Type": "string" - }, - { - "Name": "agentId_s", - "Type": "string" - }, - { - "Name": "hash_s", - "Type": "string" - }, - { - "Name": "osFamily_s", - "Type": "string" - }, - { - "Name": "threatId_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_accountId_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_accountName_s", - "Type": "string" - }, - { - "Name": 
"agentDetectionInfo_agentDetectionState_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentDomain_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentIpV4_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentIpV6_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentLastLoggedInUserName_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentMitigationMode_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentOsName_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentOsRevision_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentRegisteredAt_t", - "Type": "datetime" - }, - { - "Name": "agentDetectionInfo_agentUuid_g", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentVersion_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_externalIp_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_groupId_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_groupName_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_siteId_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_siteName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_accountId_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_accountName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_activeThreats_d", - "Type": "real" - }, - { - "Name": "agentRealtimeInfo_agentComputerName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentDomain_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentId_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentInfected_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_agentIsActive_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_agentIsDecommissioned_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_agentMachineType_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentMitigationMode_s", - 
"Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentNetworkStatus_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentOsName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentOsRevision_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentOsType_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentUuid_g", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentVersion_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_groupId_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_groupName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_networkInterfaces_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_operationalState_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_rebootRequired_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_scanFinishedAt_t", - "Type": "datetime" - }, - { - "Name": "agentRealtimeInfo_scanStartedAt_t", - "Type": "datetime" - }, - { - "Name": "agentRealtimeInfo_scanStatus_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_siteId_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_siteName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_userActionsNeeded_s", - "Type": "string" - }, - { - "Name": "indicators_s", - "Type": "string" - }, - { - "Name": "mitigationStatus_s", - "Type": "string" - }, - { - "Name": "threatInfo_analystVerdict_s", - "Type": "string" - }, - { - "Name": "threatInfo_analystVerdictDescription_s", - "Type": "string" - }, - { - "Name": "threatInfo_automaticallyResolved_b", - "Type": "bool" - }, - { - "Name": "threatInfo_certificateId_s", - "Type": "string" - }, - { - "Name": "threatInfo_classification_s", - "Type": "string" - }, - { - "Name": "threatInfo_classificationSource_s", - "Type": "string" - }, - { - "Name": "threatInfo_cloudFilesHashVerdict_s", - "Type": "string" - }, - { - "Name": "threatInfo_collectionId_s", - "Type": "string" - }, - { - "Name": 
"threatInfo_confidenceLevel_s", - "Type": "string" - }, - { - "Name": "threatInfo_createdAt_t", - "Type": "datetime" - }, - { - "Name": "threatInfo_detectionEngines_s", - "Type": "string" - }, - { - "Name": "threatInfo_detectionType_s", - "Type": "string" - }, - { - "Name": "threatInfo_engines_s", - "Type": "string" - }, - { - "Name": "threatInfo_externalTicketExists_b", - "Type": "bool" - }, - { - "Name": "threatInfo_failedActions_b", - "Type": "bool" - }, - { - "Name": "threatInfo_fileExtension_s", - "Type": "string" - }, - { - "Name": "threatInfo_fileExtensionType_s", - "Type": "string" - }, - { - "Name": "threatInfo_filePath_s", - "Type": "string" - }, - { - "Name": "threatInfo_fileSize_d", - "Type": "real" - }, - { - "Name": "threatInfo_fileVerificationType_s", - "Type": "string" - }, - { - "Name": "threatInfo_identifiedAt_t", - "Type": "datetime" - }, - { - "Name": "threatInfo_incidentStatus_s", - "Type": "string" - }, - { - "Name": "threatInfo_incidentStatusDescription_s", - "Type": "string" - }, - { - "Name": "threatInfo_initiatedBy_s", - "Type": "string" - }, - { - "Name": "threatInfo_initiatedByDescription_s", - "Type": "string" - }, - { - "Name": "threatInfo_isFileless_b", - "Type": "bool" - }, - { - "Name": "threatInfo_isValidCertificate_b", - "Type": "bool" - }, - { - "Name": "threatInfo_mitigatedPreemptively_b", - "Type": "bool" - }, - { - "Name": "threatInfo_mitigationStatus_s", - "Type": "string" - }, - { - "Name": "threatInfo_mitigationStatusDescription_s", - "Type": "string" - }, - { - "Name": "threatInfo_originatorProcess_s", - "Type": "string" - }, - { - "Name": "threatInfo_pendingActions_b", - "Type": "bool" - }, - { - "Name": "threatInfo_processUser_s", - "Type": "string" - }, - { - "Name": "threatInfo_publisherName_s", - "Type": "string" - }, - { - "Name": "threatInfo_reachedEventsLimit_b", - "Type": "bool" - }, - { - "Name": "threatInfo_rebootRequired_b", - "Type": "bool" - }, - { - "Name": "threatInfo_sha1_s", - "Type": "string" - }, - { - 
"Name": "threatInfo_storyline_s", - "Type": "string" - }, - { - "Name": "threatInfo_threatId_s", - "Type": "string" - }, - { - "Name": "threatInfo_threatName_s", - "Type": "string" - }, - { - "Name": "threatInfo_updatedAt_t", - "Type": "datetime" - }, - { - "Name": "whiteningOptions_s", - "Type": "string" - }, - { - "Name": "threatInfo_maliciousProcessArguments_s", - "Type": "string" - }, - { - "Name": "threatInfo_fileExtension_g", - "Type": "string" - }, - { - "Name": "threatInfo_threatName_g", - "Type": "string" - }, - { - "Name": "threatInfo_storyline_g", - "Type": "string" - }, - { - "Name": "activityUuid_g", - "Type": "string" - }, - { - "Name": "secondaryDescription_s", - "Type": "string" - }, - { - "Name": "DataFields_s", - "Type": "string" - }, - { - "Name": "description_s", - "Type": "string" - }, - { - "Name": "comments_s", - "Type": "string" - }, - { - "Name": "detectionState_s", - "Type": "string" - }, - { - "Name": "firstFullModeTime_t", - "Type": "datetime" - }, - { - "Name": "fullDiskScanLastUpdatedAt_t", - "Type": "datetime" - }, - { - "Name": "serialNumber_s", - "Type": "string" - }, - { - "Name": "showAlertIcon_b", - "Type": "bool" - }, - { - "Name": "tags_sentinelone_s", - "Type": "string" - }, - { - "Name": "osUsername_s", - "Type": "string" - }, - { - "Name": "scanAbortedAt_t", - "Type": "datetime" - }, - { - "Name": "_ItemId", - "Type": "string" - }, - { - "Name": "Data", - "Type": "string" - }, - { - "Name": "SourceParentProcessInfo", - "Type": "string" - }, - { - "Name": "Description", - "Type": "string" - }, - { - "Name": "ActiveDirectory", - "Type": "string" - }, - { - "Name": "Domain", - "Type": "string" - }, - { - "Name": "ModelName", - "Type": "string" - }, - { - "Name": "OsName", - "Type": "string" - }, - { - "Name": "SourceProcessInfo", - "Type": "string" - }, - { - "Name": "RuleInfo", - "Type": "string" - }, - { - "Name": "TargetProcessInfo", - "Type": "string" - }, - { - "Name": "ContainerInfo", - "Type": "string" - }, - { - "Name": 
"LastActiveDate_datetime",
- "Type": "DateTime"
- },
- {
- "Name": "RegisteredAt_datetime",
- "Type": "DateTime"
- },
- {
- "Name": "ScanFinishedAt_datetime",
- "Type": "DateTime"
- },
- {
- "Name": "ScanStartedAt_datetime",
- "Type": "DateTime"
- }
-]
+ "Properties":[]
 }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneGroups_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneGroups_CL.json
index c80988f4eca..870c8c5db87 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneGroups_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneGroups_CL.json
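Review bot: The `+ "Properties":[]` line leaves the SentinelOneAlerts_CL test fixture with no columns at all, not even TimeGenerated, so the KqlvalidationsTests can no longer check the solution's parser or analytics against this table's real schema — depending on how the harness treats unknown columns, every reference to an alert column will either fail validation or pass vacuously. The commit's diffstat adds a `table - Alerts.json` definition under the CCP connector; the fixture should carry that table's column list rather than an empty array, since an empty schema also hides any drift between what the connector emits and what the queries consume. The file still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while touching it. The same emptying is applied in the preceding hunk, whose start lies outside this chunk, and in the SentinelOneGroups_CL hunk that follows, which runs past the end of it, so this one note covers all three.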
@@ -1,1357 +1,5 @@
 {
 "Name":"SentinelOneGroups_CL",
 "Properties":[
- {
- "Name": "TenantId",
- "Type": "string"
- },
- {
- "Name": "SourceSystem",
- "Type": "string"
- },
- {
- "Name": "MG",
- "Type": "string"
- },
- {
- "Name": "ManagementGroupName",
- "Type": "string"
- },
- {
- "Name": "TimeGenerated",
- "Type": "datetime"
- },
- {
- "Name": "Computer",
- "Type": "string"
- },
- {
- "Name": "RawData",
- "Type": "string"
- },
- {
- "Name": "accountId_s",
- "Type": "string"
- },
- {
- "Name": "accountName_s",
- "Type": "string"
- },
- {
- "Name": "activityType_d",
- "Type": "real"
- },
- {
- "Name": "createdAt_t",
- "Type": "datetime"
- },
- {
- "Name": "data_accountName_s",
- "Type": "string"
- },
- {
- "Name": "data_fullScopeDetails_s",
- "Type": "string"
- },
- {
- "Name": "data_role_s",
- "Type": "string"
- },
- {
- "Name": "data_scopeLevel_s",
- "Type": "string"
- },
- {
- "Name": "data_scopeName_s",
- "Type": "string"
- },
- {
- "Name": "data_siteName_s",
- "Type": "string"
- },
- {
- "Name": "data_source_s",
- "Type": "string"
- },
- {
- "Name": "data_userScope_s",
- "Type": "string"
- },
- {
- "Name": "data_username_s",
- "Type": "string"
- },
- {
- "Name": "id_s",
- "Type": "string"
- },
- {
- "Name": "primaryDescription_s",
- "Type": "string"
- },
- {
- "Name": "siteId_s",
- "Type": "string"
- },
- {
- "Name": "siteName_s",
- "Type": "string"
- },
- {
- "Name": "updatedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "userId_s",
- "Type": "string"
- },
- {
- "Name": "event_name_s",
- "Type": "string"
- },
- {
- "Name": "activeDirectory_computerDistinguishedName_s",
- "Type": "string"
- },
- {
- "Name": "activeDirectory_computerMemberOf_s",
- "Type": "string"
- },
- {
- "Name": "activeDirectory_lastUserDistinguishedName_s",
- "Type": "string"
- },
- {
- "Name": "activeDirectory_lastUserMemberOf_s",
- "Type": "string"
- },
- {
- "Name": "activeThreats_d",
- "Type": "real"
- },
- {
- "Name": "agentVersion_s",
- "Type": "string"
- },
- {
- "Name": 
"allowRemoteShell_b", - "Type": "bool" - }, - { - "Name": "appsVulnerabilityStatus_s", - "Type": "string" - }, - { - "Name": "computerName_s", - "Type": "string" - }, - { - "Name": "consoleMigrationStatus_s", - "Type": "string" - }, - { - "Name": "coreCount_d", - "Type": "real" - }, - { - "Name": "cpuCount_d", - "Type": "real" - }, - { - "Name": "cpuId_s", - "Type": "string" - }, - { - "Name": "domain_s", - "Type": "string" - }, - { - "Name": "encryptedApplications_b", - "Type": "bool" - }, - { - "Name": "externalId_s", - "Type": "string" - }, - { - "Name": "externalIp_s", - "Type": "string" - }, - { - "Name": "firewallEnabled_b", - "Type": "bool" - }, - { - "Name": "groupId_s", - "Type": "string" - }, - { - "Name": "groupIp_s", - "Type": "string" - }, - { - "Name": "groupName_s", - "Type": "string" - }, - { - "Name": "inRemoteShellSession_b", - "Type": "bool" - }, - { - "Name": "infected_b", - "Type": "bool" - }, - { - "Name": "installerType_s", - "Type": "string" - }, - { - "Name": "isActive_b", - "Type": "bool" - }, - { - "Name": "isDecommissioned_b", - "Type": "bool" - }, - { - "Name": "isPendingUninstall_b", - "Type": "bool" - }, - { - "Name": "isUninstalled_b", - "Type": "bool" - }, - { - "Name": "isUpToDate_b", - "Type": "bool" - }, - { - "Name": "lastActiveDate_t", - "Type": "datetime" - }, - { - "Name": "lastIpToMgmt_s", - "Type": "string" - }, - { - "Name": "lastLoggedInUserName_s", - "Type": "string" - }, - { - "Name": "licenseKey_s", - "Type": "string" - }, - { - "Name": "locationEnabled_b", - "Type": "bool" - }, - { - "Name": "locationType_s", - "Type": "string" - }, - { - "Name": "locations_s", - "Type": "string" - }, - { - "Name": "machineType_s", - "Type": "string" - }, - { - "Name": "mitigationMode_s", - "Type": "string" - }, - { - "Name": "mitigationModeSuspicious_s", - "Type": "string" - }, - { - "Name": "modelName_s", - "Type": "string" - }, - { - "Name": "networkInterfaces_s", - "Type": "string" - }, - { - "Name": "networkQuarantineEnabled_b", 
- "Type": "bool" - }, - { - "Name": "networkStatus_s", - "Type": "string" - }, - { - "Name": "operationalState_s", - "Type": "string" - }, - { - "Name": "osArch_s", - "Type": "string" - }, - { - "Name": "osName_s", - "Type": "string" - }, - { - "Name": "osRevision_s", - "Type": "string" - }, - { - "Name": "osStartTime_t", - "Type": "datetime" - }, - { - "Name": "osType_s", - "Type": "string" - }, - { - "Name": "rangerStatus_s", - "Type": "string" - }, - { - "Name": "rangerVersion_s", - "Type": "string" - }, - { - "Name": "registeredAt_t", - "Type": "datetime" - }, - { - "Name": "remoteProfilingState_s", - "Type": "string" - }, - { - "Name": "scanFinishedAt_t", - "Type": "datetime" - }, - { - "Name": "scanStartedAt_t", - "Type": "datetime" - }, - { - "Name": "scanStatus_s", - "Type": "string" - }, - { - "Name": "threatRebootRequired_b", - "Type": "bool" - }, - { - "Name": "totalMemory_d", - "Type": "real" - }, - { - "Name": "userActionsNeeded_s", - "Type": "string" - }, - { - "Name": "uuid_g", - "Type": "string" - }, - { - "Name": "creator_s", - "Type": "string" - }, - { - "Name": "creatorId_s", - "Type": "string" - }, - { - "Name": "inherits_b", - "Type": "bool" - }, - { - "Name": "isDefault_b", - "Type": "bool" - }, - { - "Name": "name_s", - "Type": "string" - }, - { - "Name": "registrationToken_s", - "Type": "string" - }, - { - "Name": "totalAgents_d", - "Type": "real" - }, - { - "Name": "type_s", - "Type": "string" - }, - { - "Name": "Type", - "Type": "string" - }, - { - "Name": "_ResourceId", - "Type": "string" - }, - { - "Name": "_ItemId", - "Type": "string" - }, - { - "Name": "alertInfo_indicatorDescription_s", - "Type": "string" - }, - { - "Name": "alertInfo_indicatorName_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileOldPath_s", - "Type": "string" - }, - { - "Name": "alertInfo_indicatorCategory_s", - "Type": "string" - }, - { - "Name": "alertInfo_registryOldValue_g", - "Type": "string" - }, - { - "Name": "alertInfo_dstIp_s", - "Type": 
"string" - }, - { - "Name": "alertInfo_dstPort_s", - "Type": "string" - }, - { - "Name": "alertInfo_netEventDirection_s", - "Type": "string" - }, - { - "Name": "alertInfo_srcIp_s", - "Type": "string" - }, - { - "Name": "alertInfo_srcPort_s", - "Type": "string" - }, - { - "Name": "containerInfo_id_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileId_g", - "Type": "string" - }, - { - "Name": "alertInfo_registryOldValue_s", - "Type": "string" - }, - { - "Name": "alertInfo_registryOldValueType_s", - "Type": "string" - }, - { - "Name": "alertInfo_dnsRequest_s", - "Type": "string" - }, - { - "Name": "alertInfo_dnsResponse_s", - "Type": "string" - }, - { - "Name": "alertInfo_registryKeyPath_s", - "Type": "string" - }, - { - "Name": "alertInfo_registryPath_s", - "Type": "string" - }, - { - "Name": "alertInfo_registryValue_g", - "Type": "string" - }, - { - "Name": "ruleInfo_description_s", - "Type": "string" - }, - { - "Name": "alertInfo_registryValue_s", - "Type": "string" - }, - { - "Name": "alertInfo_loginAccountDomain_s", - "Type": "string" - }, - { - "Name": "alertInfo_loginAccountSid_s", - "Type": "string" - }, - { - "Name": "alertInfo_loginIsAdministratorEquivalent_s", - "Type": "string" - }, - { - "Name": "alertInfo_loginIsSuccessful_s", - "Type": "string" - }, - { - "Name": "alertInfo_loginType_s", - "Type": "string" - }, - { - "Name": "alertInfo_loginsUserName_s", - "Type": "string" - }, - { - "Name": "alertInfo_srcMachineIp_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcCmdLine_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcImagePath_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcName_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcPid_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcSignedStatus_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcStorylineId_s", - "Type": "string" - }, - { - "Name": 
"targetProcessInfo_tgtProcUid_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_storyline_g", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_uniqueId_g", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_storyline_g", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_uniqueId_g", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcStorylineId_g", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcUid_g", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_machineType_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_name_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_osFamily_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_osName_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_osRevision_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_uuid_g", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_version_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_id_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_infected_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_isActive_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_isDecommissioned_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_machineType_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_name_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_os_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_uuid_g", - "Type": "string" - }, - { - "Name": "alertInfo_alertId_s", - "Type": "string" - }, - { - "Name": "alertInfo_analystVerdict_s", - "Type": "string" - }, - { - "Name": "alertInfo_createdAt_t", - "Type": "datetime" - }, - { - "Name": "alertInfo_dvEventId_s", - "Type": "string" - }, - { - "Name": "alertInfo_eventType_s", - "Type": "string" - }, - { - "Name": "alertInfo_hitType_s", - "Type": "string" - }, - { - "Name": "alertInfo_incidentStatus_s", - "Type": "string" - }, - { - 
"Name": "alertInfo_isEdr_b", - "Type": "bool" - }, - { - "Name": "alertInfo_reportedAt_t", - "Type": "datetime" - }, - { - "Name": "alertInfo_source_s", - "Type": "string" - }, - { - "Name": "alertInfo_updatedAt_t", - "Type": "datetime" - }, - { - "Name": "ruleInfo_id_s", - "Type": "string" - }, - { - "Name": "ruleInfo_name_s", - "Type": "string" - }, - { - "Name": "ruleInfo_queryLang_s", - "Type": "string" - }, - { - "Name": "ruleInfo_queryType_s", - "Type": "string" - }, - { - "Name": "ruleInfo_s1ql_s", - "Type": "string" - }, - { - "Name": "ruleInfo_scopeLevel_s", - "Type": "string" - }, - { - "Name": "ruleInfo_severity_s", - "Type": "string" - }, - { - "Name": "ruleInfo_treatAsThreat_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_commandline_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_fileHashMd5_g", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_fileHashSha1_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_fileHashSha256_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_filePath_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_fileSignerIdentity_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_integrityLevel_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_name_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_pid_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_pidStarttime_t", - "Type": "datetime" - }, - { - "Name": "sourceParentProcessInfo_storyline_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_subsystem_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_uniqueId_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_user_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_commandline_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_fileHashMd5_g", - "Type": "string" - }, - { - "Name": 
"sourceProcessInfo_fileHashSha1_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_fileHashSha256_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_filePath_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_fileSignerIdentity_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_integrityLevel_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_name_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_pid_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_pidStarttime_t", - "Type": "datetime" - }, - { - "Name": "sourceProcessInfo_storyline_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_subsystem_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_uniqueId_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_user_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileCreatedAt_t", - "Type": "datetime" - }, - { - "Name": "targetProcessInfo_tgtFileHashSha1_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileHashSha256_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileId_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileIsSigned_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileModifiedAt_t", - "Type": "datetime" - }, - { - "Name": "targetProcessInfo_tgtFilePath_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcIntegrityLevel_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcessStartTime_t", - "Type": "datetime" - }, - { - "Name": "agentUpdatedVersion_s", - "Type": "string" - }, - { - "Name": "agentId_s", - "Type": "string" - }, - { - "Name": "hash_s", - "Type": "string" - }, - { - "Name": "osFamily_s", - "Type": "string" - }, - { - "Name": "threatId_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_accountId_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_accountName_s", - "Type": "string" - }, - { - "Name": 
"agentDetectionInfo_agentDetectionState_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentDomain_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentIpV4_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentIpV6_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentLastLoggedInUserName_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentMitigationMode_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentOsName_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentOsRevision_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentRegisteredAt_t", - "Type": "datetime" - }, - { - "Name": "agentDetectionInfo_agentUuid_g", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentVersion_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_externalIp_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_groupId_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_groupName_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_siteId_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_siteName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_accountId_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_accountName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_activeThreats_d", - "Type": "real" - }, - { - "Name": "agentRealtimeInfo_agentComputerName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentDomain_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentId_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentInfected_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_agentIsActive_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_agentIsDecommissioned_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_agentMachineType_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentMitigationMode_s", - 
"Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentNetworkStatus_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentOsName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentOsRevision_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentOsType_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentUuid_g", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentVersion_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_groupId_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_groupName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_networkInterfaces_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_operationalState_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_rebootRequired_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_scanFinishedAt_t", - "Type": "datetime" - }, - { - "Name": "agentRealtimeInfo_scanStartedAt_t", - "Type": "datetime" - }, - { - "Name": "agentRealtimeInfo_scanStatus_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_siteId_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_siteName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_userActionsNeeded_s", - "Type": "string" - }, - { - "Name": "indicators_s", - "Type": "string" - }, - { - "Name": "mitigationStatus_s", - "Type": "string" - }, - { - "Name": "threatInfo_analystVerdict_s", - "Type": "string" - }, - { - "Name": "threatInfo_analystVerdictDescription_s", - "Type": "string" - }, - { - "Name": "threatInfo_automaticallyResolved_b", - "Type": "bool" - }, - { - "Name": "threatInfo_certificateId_s", - "Type": "string" - }, - { - "Name": "threatInfo_classification_s", - "Type": "string" - }, - { - "Name": "threatInfo_classificationSource_s", - "Type": "string" - }, - { - "Name": "threatInfo_cloudFilesHashVerdict_s", - "Type": "string" - }, - { - "Name": "threatInfo_collectionId_s", - "Type": "string" - }, - { - "Name": 
"threatInfo_confidenceLevel_s", - "Type": "string" - }, - { - "Name": "threatInfo_createdAt_t", - "Type": "datetime" - }, - { - "Name": "threatInfo_detectionEngines_s", - "Type": "string" - }, - { - "Name": "threatInfo_detectionType_s", - "Type": "string" - }, - { - "Name": "threatInfo_engines_s", - "Type": "string" - }, - { - "Name": "threatInfo_externalTicketExists_b", - "Type": "bool" - }, - { - "Name": "threatInfo_failedActions_b", - "Type": "bool" - }, - { - "Name": "threatInfo_fileExtension_s", - "Type": "string" - }, - { - "Name": "threatInfo_fileExtensionType_s", - "Type": "string" - }, - { - "Name": "threatInfo_filePath_s", - "Type": "string" - }, - { - "Name": "threatInfo_fileSize_d", - "Type": "real" - }, - { - "Name": "threatInfo_fileVerificationType_s", - "Type": "string" - }, - { - "Name": "threatInfo_identifiedAt_t", - "Type": "datetime" - }, - { - "Name": "threatInfo_incidentStatus_s", - "Type": "string" - }, - { - "Name": "threatInfo_incidentStatusDescription_s", - "Type": "string" - }, - { - "Name": "threatInfo_initiatedBy_s", - "Type": "string" - }, - { - "Name": "threatInfo_initiatedByDescription_s", - "Type": "string" - }, - { - "Name": "threatInfo_isFileless_b", - "Type": "bool" - }, - { - "Name": "threatInfo_isValidCertificate_b", - "Type": "bool" - }, - { - "Name": "threatInfo_mitigatedPreemptively_b", - "Type": "bool" - }, - { - "Name": "threatInfo_mitigationStatus_s", - "Type": "string" - }, - { - "Name": "threatInfo_mitigationStatusDescription_s", - "Type": "string" - }, - { - "Name": "threatInfo_originatorProcess_s", - "Type": "string" - }, - { - "Name": "threatInfo_pendingActions_b", - "Type": "bool" - }, - { - "Name": "threatInfo_processUser_s", - "Type": "string" - }, - { - "Name": "threatInfo_publisherName_s", - "Type": "string" - }, - { - "Name": "threatInfo_reachedEventsLimit_b", - "Type": "bool" - }, - { - "Name": "threatInfo_rebootRequired_b", - "Type": "bool" - }, - { - "Name": "threatInfo_sha1_s", - "Type": "string" - }, - { - 
"Name": "threatInfo_storyline_s", - "Type": "string" - }, - { - "Name": "threatInfo_threatId_s", - "Type": "string" - }, - { - "Name": "threatInfo_threatName_s", - "Type": "string" - }, - { - "Name": "threatInfo_updatedAt_t", - "Type": "datetime" - }, - { - "Name": "whiteningOptions_s", - "Type": "string" - }, - { - "Name": "threatInfo_maliciousProcessArguments_s", - "Type": "string" - }, - { - "Name": "threatInfo_fileExtension_g", - "Type": "string" - }, - { - "Name": "threatInfo_threatName_g", - "Type": "string" - }, - { - "Name": "threatInfo_storyline_g", - "Type": "string" - }, - { - "Name": "activityUuid_g", - "Type": "string" - }, - { - "Name": "secondaryDescription_s", - "Type": "string" - }, - { - "Name": "DataFields_s", - "Type": "string" - }, - { - "Name": "description_s", - "Type": "string" - }, - { - "Name": "comments_s", - "Type": "string" - }, - { - "Name": "detectionState_s", - "Type": "string" - }, - { - "Name": "firstFullModeTime_t", - "Type": "datetime" - }, - { - "Name": "fullDiskScanLastUpdatedAt_t", - "Type": "datetime" - }, - { - "Name": "serialNumber_s", - "Type": "string" - }, - { - "Name": "showAlertIcon_b", - "Type": "bool" - }, - { - "Name": "tags_sentinelone_s", - "Type": "string" - }, - { - "Name": "osUsername_s", - "Type": "string" - }, - { - "Name": "scanAbortedAt_t", - "Type": "datetime" - }, - { - "Name": "_ItemId", - "Type": "string" - }, - { - "Name": "Data", - "Type": "string" - }, - { - "Name": "SourceParentProcessInfo", - "Type": "string" - }, - { - "Name": "Description", - "Type": "string" - }, - { - "Name": "ActiveDirectory", - "Type": "string" - }, - { - "Name": "Domain", - "Type": "string" - }, - { - "Name": "ModelName", - "Type": "string" - }, - { - "Name": "OsName", - "Type": "string" - }, - { - "Name": "SourceProcessInfo", - "Type": "string" - }, - { - "Name": "RuleInfo", - "Type": "string" - }, - { - "Name": "TargetProcessInfo", - "Type": "string" - }, - { - "Name": "ContainerInfo", - "Type": "string" - }, - { - "Name": 
"LastActiveDate_datetime",
- "Type": "DateTime"
- },
- {
- "Name": "RegisteredAt_datetime",
- "Type": "DateTime"
- },
- {
- "Name": "ScanFinishedAt_datetime",
- "Type": "DateTime"
- },
- {
- "Name": "ScanStartedAt_datetime",
- "Type": "DateTime"
- }
 ]
 }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneThreats_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneThreats_CL.json
index bf37c721626..7f2086c7e72 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneThreats_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneThreats_CL.json
@@ -1,1357 +1,5 @@
 {
 "Name":"SentinelOneThreats_CL",
 "Properties":[
- {
- "Name": "TenantId",
- "Type": "string"
- },
- {
- "Name": "SourceSystem",
- "Type": "string"
- },
- {
- "Name": "MG",
- "Type": "string"
- },
- {
- "Name": "ManagementGroupName",
- "Type": "string"
- },
- {
- "Name": "TimeGenerated",
- "Type": "datetime"
- },
- {
- "Name": "Computer",
- "Type": "string"
- },
- {
- "Name": "RawData",
- "Type": "string"
- },
- {
- "Name": "accountId_s",
- "Type": "string"
- },
- {
- "Name": "accountName_s",
- "Type": "string"
- },
- {
- "Name": "activityType_d",
- "Type": "real"
- },
- {
- "Name": "createdAt_t",
- "Type": "datetime"
- },
- {
- "Name": "data_accountName_s",
- "Type": "string"
- },
- {
- "Name": "data_fullScopeDetails_s",
- "Type": "string"
- },
- {
- "Name": "data_role_s",
- "Type": "string"
- },
- {
- "Name": "data_scopeLevel_s",
- "Type": "string"
- },
- {
- "Name": "data_scopeName_s",
- "Type": "string"
- },
- {
- "Name": "data_siteName_s",
- "Type": "string"
- },
- {
- "Name": "data_source_s",
- "Type": "string"
- },
- {
- "Name": "data_userScope_s",
- "Type": "string"
- },
- {
- "Name": "data_username_s",
- "Type": "string"
- },
- {
- "Name": "id_s",
- "Type": "string"
- },
- {
- "Name": "primaryDescription_s",
- "Type": "string"
- },
- {
- "Name": "siteId_s",
- "Type": "string"
- },
- {
- "Name": "siteName_s",
- "Type": "string"
- },
- {
- "Name": "updatedAt_t",
- "Type": "datetime"
- },
- {
- "Name": "userId_s",
- "Type": "string"
- },
- {
- "Name": "event_name_s",
- "Type": "string"
- },
- {
- "Name": "activeDirectory_computerDistinguishedName_s",
- "Type": "string"
- },
- {
- "Name": "activeDirectory_computerMemberOf_s",
- "Type": "string"
- },
- {
- "Name": "activeDirectory_lastUserDistinguishedName_s",
- "Type": "string"
- },
- {
- "Name": "activeDirectory_lastUserMemberOf_s",
- "Type": "string"
- },
- {
- "Name": "activeThreats_d",
- "Type": "real"
- },
- {
- "Name": "agentVersion_s",
- "Type": "string"
- },
- {
- "Name": 
"allowRemoteShell_b", - "Type": "bool" - }, - { - "Name": "appsVulnerabilityStatus_s", - "Type": "string" - }, - { - "Name": "computerName_s", - "Type": "string" - }, - { - "Name": "consoleMigrationStatus_s", - "Type": "string" - }, - { - "Name": "coreCount_d", - "Type": "real" - }, - { - "Name": "cpuCount_d", - "Type": "real" - }, - { - "Name": "cpuId_s", - "Type": "string" - }, - { - "Name": "domain_s", - "Type": "string" - }, - { - "Name": "encryptedApplications_b", - "Type": "bool" - }, - { - "Name": "externalId_s", - "Type": "string" - }, - { - "Name": "externalIp_s", - "Type": "string" - }, - { - "Name": "firewallEnabled_b", - "Type": "bool" - }, - { - "Name": "groupId_s", - "Type": "string" - }, - { - "Name": "groupIp_s", - "Type": "string" - }, - { - "Name": "groupName_s", - "Type": "string" - }, - { - "Name": "inRemoteShellSession_b", - "Type": "bool" - }, - { - "Name": "infected_b", - "Type": "bool" - }, - { - "Name": "installerType_s", - "Type": "string" - }, - { - "Name": "isActive_b", - "Type": "bool" - }, - { - "Name": "isDecommissioned_b", - "Type": "bool" - }, - { - "Name": "isPendingUninstall_b", - "Type": "bool" - }, - { - "Name": "isUninstalled_b", - "Type": "bool" - }, - { - "Name": "isUpToDate_b", - "Type": "bool" - }, - { - "Name": "lastActiveDate_t", - "Type": "datetime" - }, - { - "Name": "lastIpToMgmt_s", - "Type": "string" - }, - { - "Name": "lastLoggedInUserName_s", - "Type": "string" - }, - { - "Name": "licenseKey_s", - "Type": "string" - }, - { - "Name": "locationEnabled_b", - "Type": "bool" - }, - { - "Name": "locationType_s", - "Type": "string" - }, - { - "Name": "locations_s", - "Type": "string" - }, - { - "Name": "machineType_s", - "Type": "string" - }, - { - "Name": "mitigationMode_s", - "Type": "string" - }, - { - "Name": "mitigationModeSuspicious_s", - "Type": "string" - }, - { - "Name": "modelName_s", - "Type": "string" - }, - { - "Name": "networkInterfaces_s", - "Type": "string" - }, - { - "Name": "networkQuarantineEnabled_b", 
- "Type": "bool" - }, - { - "Name": "networkStatus_s", - "Type": "string" - }, - { - "Name": "operationalState_s", - "Type": "string" - }, - { - "Name": "osArch_s", - "Type": "string" - }, - { - "Name": "osName_s", - "Type": "string" - }, - { - "Name": "osRevision_s", - "Type": "string" - }, - { - "Name": "osStartTime_t", - "Type": "datetime" - }, - { - "Name": "osType_s", - "Type": "string" - }, - { - "Name": "rangerStatus_s", - "Type": "string" - }, - { - "Name": "rangerVersion_s", - "Type": "string" - }, - { - "Name": "registeredAt_t", - "Type": "datetime" - }, - { - "Name": "remoteProfilingState_s", - "Type": "string" - }, - { - "Name": "scanFinishedAt_t", - "Type": "datetime" - }, - { - "Name": "scanStartedAt_t", - "Type": "datetime" - }, - { - "Name": "scanStatus_s", - "Type": "string" - }, - { - "Name": "threatRebootRequired_b", - "Type": "bool" - }, - { - "Name": "totalMemory_d", - "Type": "real" - }, - { - "Name": "userActionsNeeded_s", - "Type": "string" - }, - { - "Name": "uuid_g", - "Type": "string" - }, - { - "Name": "creator_s", - "Type": "string" - }, - { - "Name": "creatorId_s", - "Type": "string" - }, - { - "Name": "inherits_b", - "Type": "bool" - }, - { - "Name": "isDefault_b", - "Type": "bool" - }, - { - "Name": "name_s", - "Type": "string" - }, - { - "Name": "registrationToken_s", - "Type": "string" - }, - { - "Name": "totalAgents_d", - "Type": "real" - }, - { - "Name": "type_s", - "Type": "string" - }, - { - "Name": "Type", - "Type": "string" - }, - { - "Name": "_ResourceId", - "Type": "string" - }, - { - "Name": "_ItemId", - "Type": "string" - }, - { - "Name": "alertInfo_indicatorDescription_s", - "Type": "string" - }, - { - "Name": "alertInfo_indicatorName_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileOldPath_s", - "Type": "string" - }, - { - "Name": "alertInfo_indicatorCategory_s", - "Type": "string" - }, - { - "Name": "alertInfo_registryOldValue_g", - "Type": "string" - }, - { - "Name": "alertInfo_dstIp_s", - "Type": 
"string" - }, - { - "Name": "alertInfo_dstPort_s", - "Type": "string" - }, - { - "Name": "alertInfo_netEventDirection_s", - "Type": "string" - }, - { - "Name": "alertInfo_srcIp_s", - "Type": "string" - }, - { - "Name": "alertInfo_srcPort_s", - "Type": "string" - }, - { - "Name": "containerInfo_id_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileId_g", - "Type": "string" - }, - { - "Name": "alertInfo_registryOldValue_s", - "Type": "string" - }, - { - "Name": "alertInfo_registryOldValueType_s", - "Type": "string" - }, - { - "Name": "alertInfo_dnsRequest_s", - "Type": "string" - }, - { - "Name": "alertInfo_dnsResponse_s", - "Type": "string" - }, - { - "Name": "alertInfo_registryKeyPath_s", - "Type": "string" - }, - { - "Name": "alertInfo_registryPath_s", - "Type": "string" - }, - { - "Name": "alertInfo_registryValue_g", - "Type": "string" - }, - { - "Name": "ruleInfo_description_s", - "Type": "string" - }, - { - "Name": "alertInfo_registryValue_s", - "Type": "string" - }, - { - "Name": "alertInfo_loginAccountDomain_s", - "Type": "string" - }, - { - "Name": "alertInfo_loginAccountSid_s", - "Type": "string" - }, - { - "Name": "alertInfo_loginIsAdministratorEquivalent_s", - "Type": "string" - }, - { - "Name": "alertInfo_loginIsSuccessful_s", - "Type": "string" - }, - { - "Name": "alertInfo_loginType_s", - "Type": "string" - }, - { - "Name": "alertInfo_loginsUserName_s", - "Type": "string" - }, - { - "Name": "alertInfo_srcMachineIp_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcCmdLine_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcImagePath_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcName_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcPid_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcSignedStatus_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcStorylineId_s", - "Type": "string" - }, - { - "Name": 
"targetProcessInfo_tgtProcUid_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_storyline_g", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_uniqueId_g", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_storyline_g", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_uniqueId_g", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcStorylineId_g", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcUid_g", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_machineType_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_name_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_osFamily_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_osName_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_osRevision_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_uuid_g", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_version_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_id_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_infected_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_isActive_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_isDecommissioned_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_machineType_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_name_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_os_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_uuid_g", - "Type": "string" - }, - { - "Name": "alertInfo_alertId_s", - "Type": "string" - }, - { - "Name": "alertInfo_analystVerdict_s", - "Type": "string" - }, - { - "Name": "alertInfo_createdAt_t", - "Type": "datetime" - }, - { - "Name": "alertInfo_dvEventId_s", - "Type": "string" - }, - { - "Name": "alertInfo_eventType_s", - "Type": "string" - }, - { - "Name": "alertInfo_hitType_s", - "Type": "string" - }, - { - "Name": "alertInfo_incidentStatus_s", - "Type": "string" - }, - { - 
"Name": "alertInfo_isEdr_b", - "Type": "bool" - }, - { - "Name": "alertInfo_reportedAt_t", - "Type": "datetime" - }, - { - "Name": "alertInfo_source_s", - "Type": "string" - }, - { - "Name": "alertInfo_updatedAt_t", - "Type": "datetime" - }, - { - "Name": "ruleInfo_id_s", - "Type": "string" - }, - { - "Name": "ruleInfo_name_s", - "Type": "string" - }, - { - "Name": "ruleInfo_queryLang_s", - "Type": "string" - }, - { - "Name": "ruleInfo_queryType_s", - "Type": "string" - }, - { - "Name": "ruleInfo_s1ql_s", - "Type": "string" - }, - { - "Name": "ruleInfo_scopeLevel_s", - "Type": "string" - }, - { - "Name": "ruleInfo_severity_s", - "Type": "string" - }, - { - "Name": "ruleInfo_treatAsThreat_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_commandline_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_fileHashMd5_g", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_fileHashSha1_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_fileHashSha256_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_filePath_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_fileSignerIdentity_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_integrityLevel_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_name_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_pid_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_pidStarttime_t", - "Type": "datetime" - }, - { - "Name": "sourceParentProcessInfo_storyline_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_subsystem_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_uniqueId_s", - "Type": "string" - }, - { - "Name": "sourceParentProcessInfo_user_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_commandline_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_fileHashMd5_g", - "Type": "string" - }, - { - "Name": 
"sourceProcessInfo_fileHashSha1_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_fileHashSha256_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_filePath_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_fileSignerIdentity_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_integrityLevel_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_name_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_pid_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_pidStarttime_t", - "Type": "datetime" - }, - { - "Name": "sourceProcessInfo_storyline_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_subsystem_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_uniqueId_s", - "Type": "string" - }, - { - "Name": "sourceProcessInfo_user_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileCreatedAt_t", - "Type": "datetime" - }, - { - "Name": "targetProcessInfo_tgtFileHashSha1_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileHashSha256_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileId_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileIsSigned_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtFileModifiedAt_t", - "Type": "datetime" - }, - { - "Name": "targetProcessInfo_tgtFilePath_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcIntegrityLevel_s", - "Type": "string" - }, - { - "Name": "targetProcessInfo_tgtProcessStartTime_t", - "Type": "datetime" - }, - { - "Name": "agentUpdatedVersion_s", - "Type": "string" - }, - { - "Name": "agentId_s", - "Type": "string" - }, - { - "Name": "hash_s", - "Type": "string" - }, - { - "Name": "osFamily_s", - "Type": "string" - }, - { - "Name": "threatId_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_accountId_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_accountName_s", - "Type": "string" - }, - { - "Name": 
"agentDetectionInfo_agentDetectionState_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentDomain_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentIpV4_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentIpV6_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentLastLoggedInUserName_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentMitigationMode_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentOsName_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentOsRevision_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentRegisteredAt_t", - "Type": "datetime" - }, - { - "Name": "agentDetectionInfo_agentUuid_g", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_agentVersion_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_externalIp_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_groupId_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_groupName_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_siteId_s", - "Type": "string" - }, - { - "Name": "agentDetectionInfo_siteName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_accountId_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_accountName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_activeThreats_d", - "Type": "real" - }, - { - "Name": "agentRealtimeInfo_agentComputerName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentDomain_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentId_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentInfected_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_agentIsActive_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_agentIsDecommissioned_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_agentMachineType_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentMitigationMode_s", - 
"Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentNetworkStatus_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentOsName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentOsRevision_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentOsType_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentUuid_g", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_agentVersion_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_groupId_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_groupName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_networkInterfaces_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_operationalState_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_rebootRequired_b", - "Type": "bool" - }, - { - "Name": "agentRealtimeInfo_scanFinishedAt_t", - "Type": "datetime" - }, - { - "Name": "agentRealtimeInfo_scanStartedAt_t", - "Type": "datetime" - }, - { - "Name": "agentRealtimeInfo_scanStatus_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_siteId_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_siteName_s", - "Type": "string" - }, - { - "Name": "agentRealtimeInfo_userActionsNeeded_s", - "Type": "string" - }, - { - "Name": "indicators_s", - "Type": "string" - }, - { - "Name": "mitigationStatus_s", - "Type": "string" - }, - { - "Name": "threatInfo_analystVerdict_s", - "Type": "string" - }, - { - "Name": "threatInfo_analystVerdictDescription_s", - "Type": "string" - }, - { - "Name": "threatInfo_automaticallyResolved_b", - "Type": "bool" - }, - { - "Name": "threatInfo_certificateId_s", - "Type": "string" - }, - { - "Name": "threatInfo_classification_s", - "Type": "string" - }, - { - "Name": "threatInfo_classificationSource_s", - "Type": "string" - }, - { - "Name": "threatInfo_cloudFilesHashVerdict_s", - "Type": "string" - }, - { - "Name": "threatInfo_collectionId_s", - "Type": "string" - }, - { - "Name": 
"threatInfo_confidenceLevel_s", - "Type": "string" - }, - { - "Name": "threatInfo_createdAt_t", - "Type": "datetime" - }, - { - "Name": "threatInfo_detectionEngines_s", - "Type": "string" - }, - { - "Name": "threatInfo_detectionType_s", - "Type": "string" - }, - { - "Name": "threatInfo_engines_s", - "Type": "string" - }, - { - "Name": "threatInfo_externalTicketExists_b", - "Type": "bool" - }, - { - "Name": "threatInfo_failedActions_b", - "Type": "bool" - }, - { - "Name": "threatInfo_fileExtension_s", - "Type": "string" - }, - { - "Name": "threatInfo_fileExtensionType_s", - "Type": "string" - }, - { - "Name": "threatInfo_filePath_s", - "Type": "string" - }, - { - "Name": "threatInfo_fileSize_d", - "Type": "real" - }, - { - "Name": "threatInfo_fileVerificationType_s", - "Type": "string" - }, - { - "Name": "threatInfo_identifiedAt_t", - "Type": "datetime" - }, - { - "Name": "threatInfo_incidentStatus_s", - "Type": "string" - }, - { - "Name": "threatInfo_incidentStatusDescription_s", - "Type": "string" - }, - { - "Name": "threatInfo_initiatedBy_s", - "Type": "string" - }, - { - "Name": "threatInfo_initiatedByDescription_s", - "Type": "string" - }, - { - "Name": "threatInfo_isFileless_b", - "Type": "bool" - }, - { - "Name": "threatInfo_isValidCertificate_b", - "Type": "bool" - }, - { - "Name": "threatInfo_mitigatedPreemptively_b", - "Type": "bool" - }, - { - "Name": "threatInfo_mitigationStatus_s", - "Type": "string" - }, - { - "Name": "threatInfo_mitigationStatusDescription_s", - "Type": "string" - }, - { - "Name": "threatInfo_originatorProcess_s", - "Type": "string" - }, - { - "Name": "threatInfo_pendingActions_b", - "Type": "bool" - }, - { - "Name": "threatInfo_processUser_s", - "Type": "string" - }, - { - "Name": "threatInfo_publisherName_s", - "Type": "string" - }, - { - "Name": "threatInfo_reachedEventsLimit_b", - "Type": "bool" - }, - { - "Name": "threatInfo_rebootRequired_b", - "Type": "bool" - }, - { - "Name": "threatInfo_sha1_s", - "Type": "string" - }, - { - 
"Name": "threatInfo_storyline_s", - "Type": "string" - }, - { - "Name": "threatInfo_threatId_s", - "Type": "string" - }, - { - "Name": "threatInfo_threatName_s", - "Type": "string" - }, - { - "Name": "threatInfo_updatedAt_t", - "Type": "datetime" - }, - { - "Name": "whiteningOptions_s", - "Type": "string" - }, - { - "Name": "threatInfo_maliciousProcessArguments_s", - "Type": "string" - }, - { - "Name": "threatInfo_fileExtension_g", - "Type": "string" - }, - { - "Name": "threatInfo_threatName_g", - "Type": "string" - }, - { - "Name": "threatInfo_storyline_g", - "Type": "string" - }, - { - "Name": "activityUuid_g", - "Type": "string" - }, - { - "Name": "secondaryDescription_s", - "Type": "string" - }, - { - "Name": "DataFields_s", - "Type": "string" - }, - { - "Name": "description_s", - "Type": "string" - }, - { - "Name": "comments_s", - "Type": "string" - }, - { - "Name": "detectionState_s", - "Type": "string" - }, - { - "Name": "firstFullModeTime_t", - "Type": "datetime" - }, - { - "Name": "fullDiskScanLastUpdatedAt_t", - "Type": "datetime" - }, - { - "Name": "serialNumber_s", - "Type": "string" - }, - { - "Name": "showAlertIcon_b", - "Type": "bool" - }, - { - "Name": "tags_sentinelone_s", - "Type": "string" - }, - { - "Name": "osUsername_s", - "Type": "string" - }, - { - "Name": "scanAbortedAt_t", - "Type": "datetime" - }, - { - "Name": "_ItemId", - "Type": "string" - }, - { - "Name": "Data", - "Type": "string" - }, - { - "Name": "SourceParentProcessInfo", - "Type": "string" - }, - { - "Name": "Description", - "Type": "string" - }, - { - "Name": "ActiveDirectory", - "Type": "string" - }, - { - "Name": "Domain", - "Type": "string" - }, - { - "Name": "ModelName", - "Type": "string" - }, - { - "Name": "OsName", - "Type": "string" - }, - { - "Name": "SourceProcessInfo", - "Type": "string" - }, - { - "Name": "RuleInfo", - "Type": "string" - }, - { - "Name": "TargetProcessInfo", - "Type": "string" - }, - { - "Name": "ContainerInfo", - "Type": "string" - }, - { - "Name": 
"LastActiveDate_datetime", - "Type": "DateTime" - }, - { - "Name": "RegisteredAt_datetime", - "Type": "DateTime" - }, - { - "Name": "ScanFinishedAt_datetime", - "Type": "DateTime" - }, - { - "Name": "ScanStartedAt_datetime", - "Type": "DateTime" - } ] } \ No newline at end of file From 299f4c0781132adb380cf76756f3b19ac7a94ea3 Mon Sep 17 00:00:00 2001 From: Ido Shabi Date: Thu, 12 Dec 2024 11:29:52 +0200 Subject: [PATCH 16/22] Adding table Schema to solve testing --- .../SentinelOneActivities_CL.json | 89 ++++++ .../CustomTables/SentinelOneAgents_CL.json | 275 +++++++++++++++++- .../CustomTables/SentinelOneAlerts_CL.json | 35 ++- .../CustomTables/SentinelOneGroups_CL.json | 60 ++++ .../CustomTables/SentinelOneThreats_CL.json | 185 ++++++++++++ 5 files changed, 642 insertions(+), 2 deletions(-) diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneActivities_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneActivities_CL.json index be5f54b7da6..363418fcbc0 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneActivities_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneActivities_CL.json 
@@ -1,5 +1,94 @@ { "Name":"SentinelOneActivities_CL", "Properties":[ + { + "name": "AgentUpdatedVersion", + "type": "string" + }, + { + "name": "UserId", + "type": "string" + }, + { + "name": "ThreatId", + "type": "string" + }, + { + "name": "PrimaryDescription", + "type": "string" + }, + { + "name": "SecondaryDescription", + "type": "string" + }, + { + "name": "Id", + "type": "string" + }, + { + "name": "GroupId", + "type": "string" + }, + { + "name": "CreatedAt", + "type": "datetime" + }, + { + "name": "AccountName", + "type": "string" + }, + { + "name": "Data", + "type": "string" + }, + { + "name": "AgentId", + "type": "string" + }, + { + "name": "Hash", + "type": "string" + }, + { + "name": "UpdatedAt", + "type": "datetime" + }, + { + "name": "Description", + "type": "string" + }, + { + "name": "ActivityUuid", + "type": "string" + }, + { + "name": "SiteId", + "type": "string" + }, + { + "name": "ActivityType", + "type": "real" + }, + { + "name": "SiteName", + "type": "string" + }, + { + "name": "AccountId", + "type": "string" + }, + { + "name": "OsFamily", + "type": "string" + }, + { + "name": "GroupName", + "type": "string" + }, + { + "name": "Comments", + "type": "string" + } ] + } \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json index 29c412edee2..09b0d1e3071 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json 
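Review bot: The column entries use lower-case `"name"`/`"type"` keys while the file's own top level uses `"Name"`/`"Properties"`, and the column schema deleted earlier in this series (L405–413) spelled them `"Name"`/`"Type"`, so this file now mixes two key casings. If the KQL validation loader reads these keys case-sensitively, every column here would be skipped and the parser test would not actually exercise this schema; I would align them with the existing form, e.g. `{ "Name": "ActivityType", "Type": "real" }`. The same casing applies to the Agents, Alerts, Groups and Threats hunks that follow, and the type spellings differ too (`boolean`/`dynamic` here versus `bool`/`DateTime` in the deleted schema), which is worth checking against what the loader accepts.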
@@ -1,6 +1,279 @@ { "Name":"SentinelOneAgents_CL", "Properties":[ - + { + "name": "Uuid", + "type": "string" + }, + { + "name": "MitigationMode", + "type": "string" + }, + { + "name": "NetworkStatus", + "type": "string" + }, + { + "name": "InstallerType", + "type": "string" + }, + { + "name": "MitigationModeSuspicious", + "type": "string" + }, + { + "name": "IsPendingUninstall", + "type": "boolean" + }, + { + "name": "InRemoteShellSession", + "type": "boolean" + }, + { + "name": "LastLoggedInUserName", + "type": "string" + }, + { + "name": "OsRevision", + "type": "string" + }, + { + "name": "OsArch", + "type": "string" + }, + { + "name": "Id", + "type": "string" + }, + { + "name": "ComputerName", + "type": "string" + }, + { + "name": "TotalMemory", + "type": "real" + }, + { + "name": "CreatedAt", + "type": "datetime" + }, + { + "name": "GroupId", + "type": "string" + }, + { + "name": "LastActiveDate", + "type": "datetime" + }, + { + "name": "FullDiskScanLastUpdatedAt", + "type": "datetime" + }, + { + "name": "AllowRemoteShell", + "type": "boolean" + }, + { + "name": "RangerVersion", + "type": "string" + }, + { + "name": "AccountName", + "type": "string" + }, + { + "name": "ScanStatus", + "type": "string" + }, + { + "name": "Domain", + "type": "string" + }, + { + "name": "MissingPermissions", + "type": "string" + }, + { + "name": "IsActive", + "type": "boolean" + }, + { + "name": "GroupIp", + "type": "string" + }, + { + "name": "ThreatRebootRequired", + "type": "boolean" + }, + { + "name": "GroupUpdatedAt", + "type": "datetime" + }, + { + "name": "ExternalId", + "type": "string" + }, + { + "name": "MachineType", + "type": "string" + }, + { + "name": "RegisteredAt", + "type": "datetime" + }, + { + "name": "AppsVulnerabilityStatus", + "type": "string" + }, + { + "name": "CoreCount", + "type": "real" + }, + { + "name": "Locations", + "type": "string" + }, + { + "name": "ScanFinishedAt", + "type": "datetime" + }, + { + "name": "UpdatedAt", + "type": "datetime" + }, + { 
+ "name": "ExternalIp", + "type": "string" + }, + { + "name": "LocationType", + "type": "string" + }, + { + "name": "PolicyUpdatedAt", + "type": "datetime" + }, + { + "name": "IsDecommissioned", + "type": "boolean" + }, + { + "name": "CpuId", + "type": "string" + }, + { + "name": "NetworkInterfaces", + "type": "string" + }, + { + "name": "IsUninstalled", + "type": "boolean" + }, + { + "name": "ActiveDirectory", + "type": "string" + }, + { + "name": "ScanStartedAt", + "type": "datetime" + }, + { + "name": "RangerStatus", + "type": "string" + }, + { + "name": "SiteId", + "type": "string" + }, + { + "name": "AgentVersion", + "type": "string" + }, + { + "name": "OsUsername", + "type": "string" + }, + { + "name": "EncryptedApplications", + "type": "boolean" + }, + { + "name": "LastIpToMgmt", + "type": "string" + }, + { + "name": "CpuCount", + "type": "real" + }, + { + "name": "ScanAbortedAt", + "type": "datetime" + }, + { + "name": "SiteName", + "type": "string" + }, + { + "name": "ActiveThreats", + "type": "real" + }, + { + "name": "Infected", + "type": "boolean" + }, + { + "name": "ConsoleMigrationStatus", + "type": "string" + }, + { + "name": "OsType", + "type": "string" + + }, + { + "name": "AccountId", + "type": "string" + }, + { + "name": "GroupName", + "type": "string" + + }, + { + "name": "OsName", + "type": "string" + }, + { + "name": "IsUpToDate", + "type": "boolean" + }, + { + "name": "LicenseKey", + "type": "string" + }, + { + "name": "UserActionsNeeded", + "type": "string" + }, + { + "name": "ModelName", + "type": "string" + }, + { + "name": "OsStartTime", + "type": "datetime" + }, + { + "name": "NetworkQuarantineEnabled", + "type": "boolean" + }, + { + "name": "OperationalStateExpiration", + "type": "string" + }, + { + "name": "RemoteProfilingState", + "type": "string" + } ] } \ No newline at end of file 
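Review bot: There are stray empty added lines inside the `OsType` and `GroupName` objects (`"type": "string"` followed by a blank `+` line before `},`), and the Threats file has one more before the `FileSha256` entry. They are valid JSON but look like editing residue and will show up in every future diff of these files; I would drop them. All five schema files are also written without a trailing newline ("No newline at end of file"), which is worth fixing in the same pass.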
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAlerts_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAlerts_CL.json index 5bc4ea14af0..1970c2d8d8c 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAlerts_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAlerts_CL.json @@ -1,4 +1,37 @@ { "Name":"SentinelOneAlerts_CL", - "Properties":[] + "Properties":[ + { + "name": "SourceProcessInfo", + "type": "string" + }, + { + "name": "AlertInfo", + "type": "string" + }, + { + "name": "AgentDetectionInfo", + "type": "string" + }, + { + "name": "RuleInfo", + "type": "string" + }, + { + "name": "ContainerInfo", + "type": "string" + }, + { + "name": "SourceParentProcessInfo", + "type": "string" + }, + { + "name": "TargetProcessInfo", + "type": "string" + }, + { + "name": "KubernetesInfo", + "type": "string" + } + ] } \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneGroups_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneGroups_CL.json index 870c8c5db87..f2409b0ee33 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneGroups_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneGroups_CL.json 
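Review bot: `AgentDetectionInfo` is typed `string` here but `dynamic` in the Threats schema further down, and the other nested-object columns follow the same split (Alerts: `AlertInfo`, `RuleInfo`, `SourceProcessInfo`, … as `string`; Threats: `ThreatInfo`, `AgentRealtimeInfo` as `dynamic`). The parser's `SentinelOneV2_Empty` datatable declares `AlertInfo`, `RuleInfo`, `SourceProcessInfo`, `SourceParentProcessInfo`, `TargetProcessInfo` and `ContainerInfo` as `string`, so whichever type the live tables really have, the test schemas should agree with each other and with that datatable; as far as I recall, a Kusto `union` over same-named columns of different types splits them into suffixed columns rather than merging them. I would settle on one type for these nested-object columns across both files, e.g. `{ "name": "AgentDetectionInfo", "type": "dynamic" }` in both, and match the parser accordingly.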
@@ -1,5 +1,65 @@ { "Name":"SentinelOneGroups_CL", "Properties":[ + { + "name": "Creator", + "type": "string" + }, + { + "name": "RegistrationToken", + "type": "string" + }, + { + "name": "IsDefault", + "type": "string" + }, + { + "name": "UpdatedAt", + "type": "datetime" + }, + { + "name": "TotalAgents", + "type": "string" + }, + { + "name": "Inherits", + "type": "string" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Rank", + "type": "real" + }, + { + "name": "FilterName", + "type": "string" + }, + { + "name": "GroupType", + "type": "string" + }, + { + "name": "Id", + "type": "string" + }, + { + "name": "CreatedAt", + "type": "datetime" + }, + { + "name": "CreatorId", + "type": "string" + }, + { + "name": "SiteId", + "type": "string" + }, + { + "name": "FilterId", + "type": "string" + } ] } \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneThreats_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneThreats_CL.json index 7f2086c7e72..6e6fadf8774 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneThreats_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneThreats_CL.json 
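Review bot: `TotalAgents` is typed `string` here, but the parser's `SentinelOneV2_Empty` datatable (visible in the next commit) declares `TotalAgents:real`, so the test schema and the parser disagree on the column type; `{ "name": "TotalAgents", "type": "real" }` would match the parser. `IsDefault` and `Inherits` are typed `string` despite boolean-looking names, which does match the parser's `IsDefault:string` / `Inherits:string`, so that is at least consistent. Separately, `RegistrationToken` is the group's agent-enrollment token; if the connector's DCR forwards it verbatim, it becomes readable to anyone with workspace read access, and dropping or masking that field in the transform is worth considering even though this file only describes the test schema.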
@@ -1,5 +1,190 @@ { "Name":"SentinelOneThreats_CL", "Properties":[ + { + "name": "FilePath", + "type": "string" + }, + { + "name": "CloudVerdict", + "type": "string" + }, + { + "name": "MitigationMode", + "type": "string" + }, + { + "name": "AgentOsType", + "type": "string" + }, + { + "name": "AgentInfected", + "type": "boolean" + }, + { + "name": "InitiatingUserId", + "type": "string" + }, + { + "name": "Engines", + "type": "string" + }, + { + "name": "Id", + "type": "string" + }, + { + "name": "FileExtensionType", + "type": "string" + }, + { + "name": "MitigationStatus", + "type": "string" + }, + { + "name": "AgentDomain", + "type": "string" + }, + { + "name": "CreatedAt", + "type": "datetime" + }, + { + "name": "IsCertValid", + "type": "boolean" + }, + { + "name": "FileDisplayName", + "type": "string" + }, + { + "name": "AgentIp", + "type": "string" + }, + { + "name": "AccountName", + "type": "string" + }, + { + "name": "AgentMachineType", + "type": "string" + }, + { + "name": "FileVerificationType", + "type": "string" + }, + { + "name": "Indicators", + "type": "string" + }, + { + "name": "InitiatedByDescription", + "type": "string" + }, + { + "name": "AutomaticallyResolved", + "type": "boolean" + }, + { + "name": "AgentId", + "type": "string" + }, + { + "name": "ProcessArguments", + "type": "string" + }, + { + "name": "MitigationReport", + "type": "string" + }, + { + "name": "ThreatName", + "type": "string" + }, + { + "name": "ClassificationSource", + "type": "string" + }, + { + "name": "UpdatedAt", + "type": "datetime" + }, + { + "name": "InitiatedBy", + "type": "string" + }, + { + "name": "AgentNetworkStatus", + "type": "string" + }, + { + "name": "AgentComputerName", + "type": "string" + }, + { + "name": "Classification", + "type": "string" + }, + { + "name": "CertId", + "type": "string" + }, + { + "name": "AgentIsActive", + "type": "boolean" + }, + { + "name": "SiteId", + "type": "string" + }, + { + "name": "AgentVersion", + "type": "string" + }, + { + 
"name": "FileContentHash", + "type": "string" + }, + { + "name": "WhiteningOptions", + "type": "string" + }, + { + "name": "Username", + "type": "string" + }, + + { + "name": "FileSha256", + "type": "string" + }, + { + "name": "AgentIsDecommissioned", + "type": "boolean" + }, + { + "name": "CollectionId", + "type": "string" + }, + { + "name": "SiteName", + "type": "string" + }, + { + "name": "AccountId", + "type": "string" + }, + { + "name": "ThreatInfo", + "type": "dynamic" + }, + { + "name": "AgentDetectionInfo", + "type": "dynamic" + }, + { + "name": "AgentRealtimeInfo", + "type": "dynamic" + } ] } \ No newline at end of file From efb95d300fd006535c13f3c7ec96009e2f4d53dc Mon Sep 17 00:00:00 2001 From: Ido Shabi Date: Thu, 12 Dec 2024 11:39:29 +0200 Subject: [PATCH 17/22] Adding table Schema to solve testing --- .../SentinelOne/Parsers/SentinelOne.yaml | 556 +++++++++--------- 1 file changed, 278 insertions(+), 278 deletions(-) diff --git a/Solutions/SentinelOne/Parsers/SentinelOne.yaml b/Solutions/SentinelOne/Parsers/SentinelOne.yaml index 3a6b89b74b1..93f5993de5b 100644 --- a/Solutions/SentinelOne/Parsers/SentinelOne.yaml +++ b/Solutions/SentinelOne/Parsers/SentinelOne.yaml @@ -1,4 +1,4 @@ - id: e1cb35b3-ee01-4c8f-a361-0850d0554ab6 +id: e1cb35b3-ee01-4c8f-a361-0850d0554ab6 Function: Title: Parser for SentinelOne Version: '1.0.1' 
@@ -7,283 +7,283 @@ Category: Microsoft Sentinel Parser FunctionName: SentinelOne FunctionAlias: SentinelOne FunctionQuery: | - let SentinelOne_view = view () { - let SentinelOneV2_Empty = datatable( - AccountId:string, - AccountName:string, - ActivityType:real , - EventCreationTime:datetime, - DataAccountName:string, - DataFullScopeDetails:string, - DataScopeLevel:string, - DataScopeName:string, - DataSiteId:int, - SecondaryDescription:string , - DataSiteName:string, - SourceProcessInfo:string, - SrcUserName:string, - EventId:string, - EventOriginalMessage:string, - SiteId:string, - SiteName:string, - UpdatedAt:datetime , - UserIdentity:string, - EventType:string, - DataByUser:string, - DataRole:string, - DataUserScope:string, - EventTypeDetailed:string, - DataSource:string, - DataExpiryDateStr:string, - DataExpiryTime:int, - DataNetworkquarantine:bool, - DataRuleCreationTime:int, - DataRuleDescription:string, - DataRuleExpirationMode:string, - DataRuleId:int, - DataRuleName:string, - DataRuleQueryDetails:string, - DataRuleQueryType:string, - DataRuleSeverity:string, - DataScopeId:int, - DataStatus:string, - DataSystemUser:int, - DataTreatasthreat:string, - DataUserId:int, - RuleInfo:string, - DataUserName:string, - EventSubStatus:string, - AgentId:string, - DataComputerName:string, - DataExternalIp:string, - DataGroupName:string, - DataSystem:bool, - DataUuid:string, - GroupId:string, - GroupName:string, - DataGroup:string, - UserId:string , - DataOptionalGroups:string, - DataCreatedAt:string, - DataDownloadUrl:string, - DataFilePath:string, - DataFilename:string, - DataUploadedFilename:string, - Comments:string, - DataNewValue:string, - DataPolicyId:string, - DataPolicyName:string, - DataNewValueb:string, - DataShouldReboot:bool, - DataRoleName:string, - DataScopeLevelName:string, - ActiveDirectoryComputerDistinguishedName:string, - ActiveDirectoryComputerMemberOf:string, - ActiveDirectoryLastUserDistinguishedName:string, - 
ActiveDirectoryLastUserMemberOf:string, - ActiveThreats:int, - AgentVersion:string, - AllowRemoteShell:bool, - AppsVulnerabilityStatus:string, - ComputerName:string, - ConsoleMigrationStatus:string, - CoreCount:int, - CpuCount:int, - CpuId:string, - SrcDvcDomain:string, - EncryptedApplications:bool, - ExternalId:string, - ExternalIp:string, - FirewallEnabled:bool, - GroupIp:string, - InRemoteShellSession:bool, - Infected:bool, - InstallerType:string, - IsActive:bool, - IsDecommissioned:bool, - IsPendingUninstall:bool, - IsUninstalled:bool, - IsUpToDate:bool, - LastActiveDate:string, - TargetProcessInfo:string , - LastIpToMgmt:string, - LastLoggedInUserName:string, - LicenseKey:string, - LocationEnabled:bool, - LocationType:string, - Locations:string, - MachineType:string, - MitigationMode:string, - MitigationModeSuspicious:string, - SrcDvcModelName:string, - NetworkInterfaces:string, - NetworkQuarantineEnabled:bool, - NetworkStatus:string, - OperationalState:string, - OsArch:string, - SrcDvcOs:string, - OsRevision:string, - OsStartTime:datetime , - OsType:string, - RangerStatus:string, - RangerVersion:string, - RegisteredAt:string, - RemoteProfilingState:string, - ScanFinishedAt:string, - ScanStartedAt:string, - ScanStatus:string, - ThreatRebootRequired:bool, - TotalMemory:int, - SourceParentProcessInfo:string , - UserActionsNeeded:string, - Uuid:string, - Creator:string, - ContainerInfo:string, - CreatorId:string, - Inherits:string , - IsDefault:string , - Name:string, - RegistrationToken:string, - AlertInfo:string, - PrimaryDescription:string , - TotalAgents:real , - CreatedAt:datetime , - Id:string, - Type:string - )[]; - let SentinelOneV1_Empty = datatable ( - accountId_s:string, - accountName_s:string, - activityType_d:real, - createdAt_t:datetime , - data_accountName_s:string, - data_fullScopeDetails_s:string, - data_scopeLevel_s:string, - data_scopeName_s:string, - data_siteId_d:int, - data_siteName_s:string, - data_username_s:string, - id_s:string, - 
primaryDescription_s:string, - siteId_s:string, - siteName_s:string, - updatedAt_t:datetime , - userId_s:string, - event_name_s:string, - data_byUser_s:string, - data_role_s:string, - data_userScope_s:string, - description_s:string, - data_source_s:string, - data_expiryDateStr_s:string, - data_expiryTime_d:int, - data_networkquarantine_b:bool, - data_ruleCreationTime_d:int, - data_ruleDescription_s:string, - data_ruleExpirationMode_s:string, - data_ruleId_d:int, - data_ruleName_s:string, - data_ruleQueryDetails_s:string, - data_ruleQueryType_s:string, - data_ruleSeverity_s:string, - data_scopeId_d:int, - data_status_s:string, - data_systemUser_d:int, - data_treatasthreat_s:string, - data_userId_d:int, - data_userName_s:string, - secondaryDescription_s:string, - agentId_s:string, - data_computerName_s:string, - data_externalIp_s:string, - data_groupName_s:string, - data_system_b:bool, - data_uuid_g:string, - groupId_s:string, - groupName_s:string, - data_group_s:string, - data_optionalGroups_s:string, - data_createdAt_t:string, - data_downloadUrl_s:string, - data_filePath_s:string, - data_filename_s:string, - data_uploadedFilename_s:string, - comments_s:string, - data_newValue_s:string, - data_policy_id_s:string, - data_policyName_s:string, - data_newValue_b:bool, - data_shouldReboot_b:bool, - data_roleName_s:string, - data_scopeLevelName_s:string, - activeDirectory_computerDistinguishedName_s:string, - activeDirectory_computerMemberOf_s:string, - activeDirectory_lastUserDistinguishedName_s:string, - activeDirectory_lastUserMemberOf_s:string, - activeThreats_d:real, - agentVersion_s:string, - allowRemoteShell_b:bool, - appsVulnerabilityStatus_s:string, - computerName_s:string, - consoleMigrationStatus_s:string, - coreCount_d:real, - cpuCount_d:real , - cpuId_s:string, - domain_s:string, - encryptedApplications_b:bool, - externalId_s:string, - externalIp_s:string, - firewallEnabled_b:bool, - groupIp_s:string, - inRemoteShellSession_b:bool, - infected_b:bool, - 
installerType_s:string,
- isActive_b:bool,
- isDecommissioned_b:bool,
- isPendingUninstall_b:bool,
- isUninstalled_b:bool,
- isUpToDate_b:bool,
- lastActiveDate_t:string,
- lastIpToMgmt_s:string,
- lastLoggedInUserName_s:string,
- licenseKey_s:string,
- locationEnabled_b:bool,
- locationType_s:string,
- locations_s:string,
- machineType_s:string,
- mitigationMode_s:string,
- mitigationModeSuspicious_s:string,
- modelName_s:string,
- networkInterfaces_s:string,
- networkQuarantineEnabled_b:bool,
- networkStatus_s:string,
- operationalState_s:string,
- osArch_s:string,
- osName_s:string,
- osRevision_s:string,
- osStartTime_t:datetime ,
- osType_s:string,
- rangerStatus_s:string,
- rangerVersion_s:string,
- registeredAt_t:string,
- remoteProfilingState_s:string,
- scanFinishedAt_t:string,
- scanStartedAt_t:string,
- scanStatus_s:string,
- threatRebootRequired_b:bool,
- totalMemory_d:real ,
- userActionsNeeded_s:string,
- uuid_g:string,
- creator_s:string,
- creatorId_s:string,
- inherits_b:string ,
- isDefault_b:string ,
- name_s:string,
- registrationToken_s:string,
- totalAgents_d:real ,
- AlertInfo:string,
- type_s:string
- )[];
+ let SentinelOne_view = view () {
+ let SentinelOneV2_Empty = datatable(
+ AccountId:string,
+ AccountName:string,
+ ActivityType:real ,
+ EventCreationTime:datetime,
+ DataAccountName:string,
+ DataFullScopeDetails:string,
+ DataScopeLevel:string,
+ DataScopeName:string,
+ DataSiteId:int,
+ SecondaryDescription:string ,
+ DataSiteName:string,
+ SourceProcessInfo:string,
+ SrcUserName:string,
+ EventId:string,
+ EventOriginalMessage:string,
+ SiteId:string,
+ SiteName:string,
+ UpdatedAt:datetime ,
+ UserIdentity:string,
+ EventType:string,
+ DataByUser:string,
+ DataRole:string,
+ DataUserScope:string,
+ EventTypeDetailed:string,
+ DataSource:string,
+ DataExpiryDateStr:string,
+ DataExpiryTime:int,
+ DataNetworkquarantine:bool,
+ DataRuleCreationTime:int,
+ DataRuleDescription:string,
+ DataRuleExpirationMode:string,
+ DataRuleId:int,
+ DataRuleName:string,
+ DataRuleQueryDetails:string,
+ DataRuleQueryType:string,
+ DataRuleSeverity:string,
+ DataScopeId:int,
+ DataStatus:string,
+ DataSystemUser:int,
+ DataTreatasthreat:string,
+ DataUserId:int,
+ RuleInfo:string,
+ DataUserName:string,
+ EventSubStatus:string,
+ AgentId:string,
+ DataComputerName:string,
+ DataExternalIp:string,
+ DataGroupName:string,
+ DataSystem:bool,
+ DataUuid:string,
+ GroupId:string,
+ GroupName:string,
+ DataGroup:string,
+ UserId:string ,
+ DataOptionalGroups:string,
+ DataCreatedAt:string,
+ DataDownloadUrl:string,
+ DataFilePath:string,
+ DataFilename:string,
+ DataUploadedFilename:string,
+ Comments:string,
+ DataNewValue:string,
+ DataPolicyId:string,
+ DataPolicyName:string,
+ DataNewValueb:string,
+ DataShouldReboot:bool,
+ DataRoleName:string,
+ DataScopeLevelName:string,
+ ActiveDirectoryComputerDistinguishedName:string,
+ ActiveDirectoryComputerMemberOf:string,
+ ActiveDirectoryLastUserDistinguishedName:string,
+ ActiveDirectoryLastUserMemberOf:string,
+ ActiveThreats:int,
+ AgentVersion:string,
+ AllowRemoteShell:bool,
+ AppsVulnerabilityStatus:string,
+ ComputerName:string,
+ ConsoleMigrationStatus:string,
+ CoreCount:int,
+ CpuCount:int,
+ CpuId:string,
+ SrcDvcDomain:string,
+ EncryptedApplications:bool,
+ ExternalId:string,
+ ExternalIp:string,
+ FirewallEnabled:bool,
+ GroupIp:string,
+ InRemoteShellSession:bool,
+ Infected:bool,
+ InstallerType:string,
+ IsActive:bool,
+ IsDecommissioned:bool,
+ IsPendingUninstall:bool,
+ IsUninstalled:bool,
+ IsUpToDate:bool,
+ LastActiveDate:string,
+ TargetProcessInfo:string ,
+ LastIpToMgmt:string,
+ LastLoggedInUserName:string,
+ LicenseKey:string,
+ LocationEnabled:bool,
+ LocationType:string,
+ Locations:string,
+ MachineType:string,
+ MitigationMode:string,
+ MitigationModeSuspicious:string,
+ SrcDvcModelName:string,
+ NetworkInterfaces:string,
+ NetworkQuarantineEnabled:bool,
+ NetworkStatus:string,
+ OperationalState:string,
+ OsArch:string,
+ SrcDvcOs:string,
+ OsRevision:string,
+ OsStartTime:datetime ,
+ OsType:string,
+ RangerStatus:string,
+ RangerVersion:string,
+ RegisteredAt:string,
+ RemoteProfilingState:string,
+ ScanFinishedAt:string,
+ ScanStartedAt:string,
+ ScanStatus:string,
+ ThreatRebootRequired:bool,
+ TotalMemory:int,
+ SourceParentProcessInfo:string ,
+ UserActionsNeeded:string,
+ Uuid:string,
+ Creator:string,
+ ContainerInfo:string,
+ CreatorId:string,
+ Inherits:string ,
+ IsDefault:string ,
+ Name:string,
+ RegistrationToken:string,
+ AlertInfo:string,
+ PrimaryDescription:string ,
+ TotalAgents:real ,
+ CreatedAt:datetime ,
+ Id:string,
+ Type:string
+ )[];
+ let SentinelOneV1_Empty = datatable (
+ accountId_s:string,
+ accountName_s:string,
+ activityType_d:real,
+ createdAt_t:datetime ,
+ data_accountName_s:string,
+ data_fullScopeDetails_s:string,
+ data_scopeLevel_s:string,
+ data_scopeName_s:string,
+ data_siteId_d:int,
+ data_siteName_s:string,
+ data_username_s:string,
+ id_s:string,
+ primaryDescription_s:string,
+ siteId_s:string,
+ siteName_s:string,
+ updatedAt_t:datetime ,
+ userId_s:string,
+ event_name_s:string,
+ data_byUser_s:string,
+ data_role_s:string,
+ data_userScope_s:string,
+ description_s:string,
+ data_source_s:string,
+ data_expiryDateStr_s:string,
+ data_expiryTime_d:int,
+ data_networkquarantine_b:bool,
+ data_ruleCreationTime_d:int,
+ data_ruleDescription_s:string,
+ data_ruleExpirationMode_s:string,
+ data_ruleId_d:int,
+ data_ruleName_s:string,
+ data_ruleQueryDetails_s:string,
+ data_ruleQueryType_s:string,
+ data_ruleSeverity_s:string,
+ data_scopeId_d:int,
+ data_status_s:string,
+ data_systemUser_d:int,
+ data_treatasthreat_s:string,
+ data_userId_d:int,
+ data_userName_s:string,
+ secondaryDescription_s:string,
+ agentId_s:string,
+ data_computerName_s:string,
+ data_externalIp_s:string,
+ data_groupName_s:string,
+ data_system_b:bool,
+ data_uuid_g:string,
+ groupId_s:string,
+ groupName_s:string,
+ data_group_s:string,
+ data_optionalGroups_s:string,
+ data_createdAt_t:string,
+ data_downloadUrl_s:string,
+ data_filePath_s:string,
+ data_filename_s:string,
+ data_uploadedFilename_s:string,
+ comments_s:string,
+ data_newValue_s:string,
+ data_policy_id_s:string,
+ data_policyName_s:string,
+ data_newValue_b:bool,
+ data_shouldReboot_b:bool,
+ data_roleName_s:string,
+ data_scopeLevelName_s:string,
+ activeDirectory_computerDistinguishedName_s:string,
+ activeDirectory_computerMemberOf_s:string,
+ activeDirectory_lastUserDistinguishedName_s:string,
+ activeDirectory_lastUserMemberOf_s:string,
+ activeThreats_d:real,
+ agentVersion_s:string,
+ allowRemoteShell_b:bool,
+ appsVulnerabilityStatus_s:string,
+ computerName_s:string,
+ consoleMigrationStatus_s:string,
+ coreCount_d:real,
+ cpuCount_d:real ,
+ cpuId_s:string,
+ domain_s:string,
+ encryptedApplications_b:bool,
+ externalId_s:string,
+ externalIp_s:string,
+ firewallEnabled_b:bool,
+ groupIp_s:string,
+ inRemoteShellSession_b:bool,
+ infected_b:bool,
+ installerType_s:string,
+ isActive_b:bool,
+ isDecommissioned_b:bool,
+ isPendingUninstall_b:bool,
+ isUninstalled_b:bool,
+ isUpToDate_b:bool,
+ lastActiveDate_t:string,
+ lastIpToMgmt_s:string,
+ lastLoggedInUserName_s:string,
+ licenseKey_s:string,
+ locationEnabled_b:bool,
+ locationType_s:string,
+ locations_s:string,
+ machineType_s:string,
+ mitigationMode_s:string,
+ mitigationModeSuspicious_s:string,
+ modelName_s:string,
+ networkInterfaces_s:string,
+ networkQuarantineEnabled_b:bool,
+ networkStatus_s:string,
+ operationalState_s:string,
+ osArch_s:string,
+ osName_s:string,
+ osRevision_s:string,
+ osStartTime_t:datetime ,
+ osType_s:string,
+ rangerStatus_s:string,
+ rangerVersion_s:string,
+ registeredAt_t:string,
+ remoteProfilingState_s:string,
+ scanFinishedAt_t:string,
+ scanStartedAt_t:string,
+ scanStatus_s:string,
+ threatRebootRequired_b:bool,
+ totalMemory_d:real ,
+ userActionsNeeded_s:string,
+ uuid_g:string,
+ creator_s:string,
+ creatorId_s:string,
+ inherits_b:string ,
+ isDefault_b:string ,
+ name_s:string,
+ registrationToken_s:string,
+ totalAgents_d:real ,
+ AlertInfo:string,
+ type_s:string
+ )[];
 let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty | extend EventVendor="SentinelOne",
From f122e206971e6b1b792067e4baeddead2319dbc4 Mon Sep 17 00:00:00 2001
From: Ido Shabi
Date: Thu, 12 Dec 2024 12:22:52 +0200
Subject: [PATCH 18/22] Adding table Schema to solve testing
---
 .../CustomTables/SentinelOneAgents_CL.json | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json
index 09b0d1e3071..0fd8fec16e3 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAgents_CL.json
@@ -23,11 +23,11 @@
 },
 {
 "name": "IsPendingUninstall",
- "type": "boolean"
+ "type": "bool"
 },
 {
 "name": "InRemoteShellSession",
- "type": "boolean"
+ "type": "bool"
 },
 {
 "name": "LastLoggedInUserName",
@@ -71,7 +71,7 @@
 },
 {
 "name": "AllowRemoteShell",
- "type": "boolean"
+ "type": "bool"
 },
 {
 "name": "RangerVersion",
@@ -95,7 +95,7 @@
 },
 {
 "name": "IsActive",
- "type": "boolean"
+ "type": "bool"
 },
 {
 "name": "GroupIp",
@@ -103,7 +103,7 @@
 },
 {
 "name": "ThreatRebootRequired",
- "type": "boolean"
+ "type": "bool"
 },
 {
 "name": "GroupUpdatedAt",
@@ -155,7 +155,7 @@
 },
 {
 "name": "IsDecommissioned",
- "type": "boolean"
+ "type": "bool"
 },
 {
 "name": "CpuId",
@@ -167,7 +167,7 @@
 },
 {
 "name": "IsUninstalled",
- "type": "boolean"
+ "type": "bool"
 },
 {
 "name": "ActiveDirectory",
@@ -195,7 +195,7 @@
 },
 {
 "name": "EncryptedApplications",
- "type": "boolean"
+ "type": "bool"
 },
 {
 "name": "LastIpToMgmt",
@@ -219,7 +219,7 @@
 },
 {
 "name": "Infected",
- "type": "boolean"
+ "type": "bool"
 },
 {
 "name": "ConsoleMigrationStatus",
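Review bot: The type names this commit writes are not cased consistently: `"bool"` in this hunk and in the -71, -95, -103, -155, -167, -195, -219 and -245 hunks, but `"DateTime"` in the -261 hunk, and the commit message ("to solve testing") does not say which type vocabulary the KqlvalidationsTests harness accepts. If the harness matches type names case-sensitively, one of the two spellings presumably fails the same way `"boolean"` did, so the vocabulary should be confirmed once and applied to every `"type"` entry in the file, including the ones this commit does not touch. Whichever spelling is chosen, `"bool"` and `"DateTime"` should not coexist in one schema file; for example `"type": "datetime"` would match the casing of `"bool"` if lowercase names are what the harness expects.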
@@ -245,7 +245,7 @@
 },
 {
 "name": "IsUpToDate",
- "type": "boolean"
+ "type": "bool"
 },
 {
 "name": "LicenseKey",
@@ -261,11 +261,11 @@
 },
 {
 "name": "OsStartTime",
- "type": "datetime"
+ "type": "DateTime"
 },
 {
 "name": "NetworkQuarantineEnabled",
- "type": "boolean"
+ "type": "bool"
 },
 {
 "name": "OperationalStateExpiration",
From 7e08e7abe65bb7b2105ac575d473a2e0f3ca2c4d Mon Sep 17 00:00:00 2001
From: Ido Shabi
Date: Thu, 12 Dec 2024 12:34:35 +0200
Subject: [PATCH 19/22] Adding table Schema to solve testing
---
 Solutions/SentinelOne/Parsers/SentinelOne.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Solutions/SentinelOne/Parsers/SentinelOne.yaml b/Solutions/SentinelOne/Parsers/SentinelOne.yaml
index 93f5993de5b..f58f4fc683d 100644
--- a/Solutions/SentinelOne/Parsers/SentinelOne.yaml
+++ b/Solutions/SentinelOne/Parsers/SentinelOne.yaml
@@ -489,6 +489,13 @@ FunctionQuery: | FirewallEnabled=column_ifexists('FirewallEnabled',''), IsUninstalled=column_ifexists('IsUninstalled',''), EncryptedApplications=column_ifexists('EncryptedApplications',''), + OsStartTime=column_ifexists('OsStartTime',''), + InRemoteShellSession=column_ifexists('InRemoteShellSession',''), + IsPendingUninstall=column_ifexists('IsPendingUninstall',''), + IsUpToDate=column_ifexists('IsUpToDate',''), + IsDecommissioned=column_ifexists('IsDecommissioned',''), + IsActive=column_ifexists('IsActive',''), + Infected=column_ifexists('Infected',''), AllowRemoteShell=column_ifexists('AllowRemoteShell',''), LocationEnabled=column_ifexists('LocationEnabled',''), SrcDvcModelName=ModelName, From eb0cc15c00836f3ff983726d3c1b4c01a39d6dcd Mon Sep 17 00:00:00 2001 From: Ido Shabi Date: Thu, 12 Dec 2024 13:34:34 +0200 Subject: [PATCH 21/22] Adding table Schema to solve testing --- Solutions/SentinelOne/Parsers/SentinelOne.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/Solutions/SentinelOne/Parsers/SentinelOne.yaml b/Solutions/SentinelOne/Parsers/SentinelOne.yaml index 54abaeaf391..d42d2197634 100644 --- a/Solutions/SentinelOne/Parsers/SentinelOne.yaml +++ b/Solutions/SentinelOne/Parsers/SentinelOne.yaml @@ -491,6 +491,7 @@ FunctionQuery: | EncryptedApplications=column_ifexists('EncryptedApplications',''), OsStartTime=column_ifexists('OsStartTime',''), InRemoteShellSession=column_ifexists('InRemoteShellSession',''), + ThreatRebootRequired=column_ifexists('ThreatRebootRequired',''), IsPendingUninstall=column_ifexists('IsPendingUninstall',''), IsUpToDate=column_ifexists('IsUpToDate',''), IsDecommissioned=column_ifexists('IsDecommissioned',''), From 7c7e58d16e094fedb580a53cc26ce526a7f1865f Mon Sep 17 00:00:00 2001 
From: PrasadBoke
Date: Thu, 12 Dec 2024 17:54:23 +0530
Subject: [PATCH 22/22] Solution packaged
---
 Solutions/SentinelOne/Package/3.0.3.zip | Bin 30963 -> 30928 bytes
 .../SentinelOne/Package/mainTemplate.json | 76 ++++++++----------
 Solutions/SentinelOne/ReleaseNotes.md | 5 +-
 3 files changed, 38 insertions(+), 43 deletions(-)
diff --git a/Solutions/SentinelOne/Package/3.0.3.zip b/Solutions/SentinelOne/Package/3.0.3.zip index 0e90aaa68ad527b156b13a1e9f5ef62d9a0afa88..b1134e93f9781097f20e3dc56dee14bf09682f84 100644 GIT binary patch delta 27927 zcmX_nV{jnRwskPE?POw3oQZ8a6Wg|vjy19EiEU17+qP|ebMJfa>#o}UqxbG!>zwMU z(`T)HcLO?o1B##^4gL)s1p42}8WkCb@B{9BR@3ZgLDNjukE&L*3=YvdDpCXFe-D?@ zgbz4;AZYIYrq}ZCACV zuF>Dz7w3F$CWki)WMuUTB&uX4DQC<_UdcWUKJiHYa4-QNk~$JwsVv2-Bz_=Z(BHuL zzae*hJ$;2t4|a(@B4lggZ2|dF864T7TbGx03>&2fT4+22zUz&?8KEs!P|Deu7l@u8 zdvbQmCl77}Ja++J!*0RFEK?B_AoCBfDe4JwrZ!fd?A?|b%83zSjpqwvsrb= z>Nh7eFoTLZWV&T?1!@9!K_)7wgw!}L`fq;q`k)tldH2ztXm5UVnmUQi&$@CrqNH^` z_d|c1q8Iw=AATsn)c4p1~wq2`keQV0={SYj7~ z?L$7JMUm(5TKDN?aF@UyE^MPeoQ3_dgTl{avRzECOeBzA61)k_!`Suueav#Y!|XpJFgp zpYKka?m_=j4TwZB9>>45wMq{dE7F@t4ZEmqBY$&1|EBjw0G#9{sGRU~wmQ0~E7rqU zKva^frW=XPZZ)eNYmy?3oo3J}Rt>dPnoqRI-TFwCSli6TWSn5zXv2~BnCO`D=SXTE zKMpfDr|cu+OcF>GNL%*9)Iv0o`nrlN?n~#Ehoi)20NF*u7xF4oP<*QHJ&Z4{jcKma zZ#amhT=gAJ{En3D4h44*~@PHz6Te1Ovz8&L9}Nw7wkoc}n3lWigOG-GxY(c@;^{?+qXW z3U8^%0aa7>JZ0L9hGaS~(y7}nG3_dea_f#pPLkQ)&w>b28B2PMj}G-Pe91=3sS+tl z>YjR25pKo!4Uue7S7fvB6Yox(TFjCBH3qZgkgDp%t#%7;`dVJ3jb}cKsYAIF^Npwo zG3mA2$orGGdu5m>T(I@*E@*HwTS{m5H={FJV3Jj4QG)x8ciY&>>@FG_;@uxxI3 zfFYX3I?X5JQ;qHQ!F~Q}^+BX-5sH_1;LYZac{K|zp;p$;jlRt1D)+H^U*Bh*kMY%- zmwG-K8clM%_EC;IM`T_m_Alh<37QA9U}4+dz_73+tT;<;<6tp%Dq0H$T5U})@-+r? 
zxB{gpO0^vd430tlQfQ=65qAZhAdAI3-~gXsH*dkgv+rYanh)D08tD;=;BC1lu&193ROS3@ayL21e z>nUMbCrSu0gfb=IBP1eJ_ZosA>1b|){#Dx527SdF3;k=)5ENz8%N?bvKY^?l2#g@% zp+nm-u>CSZH%MRT@$wo9h5DG(xA&gMiGD=n7T^0UahmTVHRHI9dK~%>psN1`)c1dY z`u+<@l4QM{s`u?5CcXbK+tFvle~ca?IJ0M^a6*XTTD;Nia^k_}2pxJ0eN(gB`j=|O zNJaz9|I2UWj%{cu4GwfpW82X88=q=EP8JK$<`tY|w-|1TrZISv|5PiP(7iq!8f(yIe z>HBR@o}E11D{eyKt@4kP+BzkR<=1hnIuB_v3y)t2VFCrw>d;VU&$YR`IRUQdv-$ra zx&J>T$Nz%_d1sFqh40_Mv7Vu55Wn&co!}D?A#nBa8Un2`h=X2PJw5j4_=uUCoBkSb zME@rHzcW6BMAo~|qAm~=L!=u-d(#jE{p9t>46pNak#VfO3vk{(Cm?hQn+W6An%W%8PB3vZizVJLBapSk*s|is{hx9!r0v zt&a&9r@M6lGMHg|eUpNAJm>IGuGK8P&m}BPkm4VKgcKd;X%HR=N6xCaHGbdu=LL1x zeqy5Ri`y&x3NKZP@@5I$J096O;^WY>PWQg`AM>oc4Nle=KK*orEj`(!p;I~E?5w-oDBtX4Jp)aX8Va28Eshz2 zGJabjauW-E^UB(pUd7YgEAZz%|8>48CO6Ewp%ok)vB6DuruzXJ-{fVX#%sM-GWYbq4AVT-xm4i_LYas+TNxzL{*4^RG|4GE8_{Uuk%W zyDt;N4e(j4-3T6;`$>X({p91oHF&%3E?e%5%A_-IYlelxXn*?038~EOU(No#&6&Mj zS0L2(50+lFA>7!Fj~m@DeS7zHJb(b7;2#+=1v}X%HG@3EC&FZxYC`lySB5c9b0R`Q z#3wFs(onjl$?X=SiWfsqlL6`|}@OW3HZRfc-KK zVeEjbyNIjc5R_3l3y1S--^ZSh;k?R1XH;%*`ekLW(7+`x{TZOkn_6_Co9@zKMzFf< zzy)QLLDvKY^%1>LpBcTuPxfjJR0He$75|8R*Z6PQf{kc(1)!W;+&dTm$_w?@Nk|x* zyaQebvD*B|y=c#Ij!&fFGe(Fo7}{9|whlj>f3i!%W8TiOLQ$46N8VHv*L=UIqHQ

4yQv1_RCXwav0c9Hxa~%AZCB3IM}_`)8|N|W zxHBgj;^PzMOX?NXQp(QB=7$rIyG^l#NYh&xbPZ@d{;~=n4UF}NmRd6ClAwPz5WvN3 zzm4Kek1fG{FdY?gt16TWvUMh9E_s4rf7&ktTzxcO(zNv`_U0XZh^bZ%3tq2g%O{dd zCyQy~Uqp!$I$uA{elj^#D@o2#!QNawoliYXto^y#rq(`NnDje$X|SZEt_%1aV`aC| zE(A(VG<@QapGQTXoe2ke=06bHWD+J=VN6hrEwHd5EICMyp z73_U`w6*^&92;cwtspf1QXu&V!VQI_oDE>28V2I9Wb*Hczm4Qu%+vMM%A8GU!!nSZrus^uV z83mn{<$D}i0nL4kW(KP(VPA|rkar+1kUgrE`1t)Kw7a0_(R|hDu zT`CG#_V41hC>~^2i##^@vAB=Cmim_pF>2~L|h zPN{{@r#_G2v)KPUKt_JsB3Tv3R3zCXIk_rB@fC8QEb?l`)<=3{fo- z9=+j_k9a@H@+p#S(?Z$jcUR!TS*j_btCsl~BVDu0)+EA?a-K!CC61^&(BX!6;&10q ziy0Sf!>Ed7i-1X|tD5;Tjmkb$uBpyGvNiKYLTMP@Cwl3q3Jl6Wxp%4D*8Zx2;OMzo zSMnp9nb^^b%y3}>)4p~2@ZFjXtedx#NAImim6PEvR;}4=j=a6$FjD{+9B0!mXGNTk zaNp1M;{fpBt^C>pQS}sghD1CTe7Oy(e30B$1Te$SZL0j%KDf3_P@jBnljB()!j;1u zCi@TAFI?~!q-$TQT%-Hw)s5#t7`0xq3R*(eq-vW z;KUV1LU^@vWbT2@lI;Nm&O(1O{Z3WKEmzhLSz!s@inGumVDvC!_1vj{X3m9Z54txc z{-BWkx(_K=rv1{~C7vTd+f0$UaeIdjh5LPI#*m05fLS?pu|CgTYrMv$<~7&ek5z zwJ(+r2nY0*Db%x#V`?a$ul{fEE@|ezw>EkoZFP)r`7Li!43YqJ2*S_942I*$D7)!! 
z7V?4N+>kmB`!*nup35xXkW46XlXpT;GmvNLE22VCU=_YU&?A#sh&unij~e?K`voXm48sCd`vd#betb^>O`^GT zre{X~D*%xi%2|JglG^ztcuT9m3q9_@E~9AJX4l1Me3t(>|LJcOgtTLyeIls(HaScxNMFDFiHoo$}zg!G4yp^UZCd1;t~+64L(ZVB?Hb|(yv?OAvu z*q4-l={mryC?zkmhF#HKH*UzD^vdZC-?=Ntun3m#TJuA^ry8O#oiJbI6q6wC6awPz zI-S3E6b=#39dzcy_@D^x>F)f6BUQ$E5?;!828ZVjw~fT-;W=XV-Is7kP>~XkEn;y} z*Ba?etT_F{{eCgxB4f<2&UP7p-%^pUq*F12HUe`u^S-YT1nO{ce*`UI^0j- zvFi$|M>rXpzq#lkc$c}9Du<6X^*+6MmNo}|+#N_eZdM(N4VBh_GJ8sz=x(xe%2-m5 z-O2qz{*LOTID^n@pjW|Q*GA<#W0D$(=@K)j2zPSEEKj}wiV5+E z&<|6={b2h`t|hUHxWko`&o!gA2JbbkM8CqEmgYZMx{JObjN{wz)3#VfU!I~ zZ(oyHZMY?-?cw<9Ob#YmdmD&&bNFTkW*`tLdhKDT(Id}6?W zqe8Y+fwB!M-Mitk4STP9Uy@iXxdt)KhYpY^5E##WP>+c`a@nhN%CA(sN4wP2-fn$4}oMJdW)LgfK0+O*`p~wC}_e z_?7MSgSHjNMPgNc-gl@&vTYHX#+<-p*)g)cUD?`SXIzc04Bf`o>bH*}kIJ*Bp_n7H zQs4cyLI;Q7`cA0X9||rTM$q)LNvWi?Rn6C|WF`jR5@z6TB1OT-``AeWPx>m^c}ndl zzv(P*Gb1jrG32kiyO&_ZF6d%83El^?xpcnadcZBO1n>*a_@M7m~2L2+- zW4?gKnQNXPj!A6+9@Z?GxsU8%5fCGSAc zJ~1D)0TV2<1u2)MOjZdkD=9miKEcz>H#R-Qlsl6${?Rs=HgzgEKBaZ+=Q#xLE%0Ni z&%k8QP?9z$1545eq-^o0p#~t?ktxoyLhRw&VFLiAe5g#n)Pu&r+iFs_pyF+3p7S<eJdi9R{Ed5eE80io&+k7LEX$xOM%eHt9f8**xa7o>p> zfkbD7>R2^n5PypIYCH<~tGk-~6{7OwK&;|(feJq%h-iTnv90z?`I*ZnSEg<`on?X9 z6^CijT>8|Awc#BG5$|cxV1e(#NX?-Ews8@X1ud`IhgRN9E#b|b(vMQ$jHe|ZgS8L7 z^Wj{6|844l(KW=#u%1k~|17CGY^mA8jCNbtM*U3ZCiR55ToE6bVu(H9xaZ1>OjkY-ik01haF_9AzA)o%$;JoeZ z`e-9{6M|?k|E@DapWNVs!#K8NN0T}?%C!#%~XDU60vpws{Q z+xi0y|gVwq~!Zo$TuI%0*Iwg{Y16uC;D?9L-9RH&{FnTx-hk+bL)K)8WL)&T8!r zt{9HJw3%;32Jx6kj`7F>&C=!9fSGXuESCP6BP4pCc~rlaQibk*ScDZMavzk|J=z?F zVPy%{a1{~lgf;nTaBWU`=(7lH`}}gaaOIOlz%l6)r$uk2XuGhIc9a!MnGbhIj{na% z*O`ebq}xv*i!UO*p>&dE`))<`+LgIdIaDb_c~#tRjyNk$X}|t8vL13LVzmNO-C9np z2dsQ!^$B^z)2!B&rvQ%XVO9S<>K>9Tc1@S3Ox%Ys$H;J%H}i(>v>Iu*FvjVx3+4Gi zT!<`#E^m6o>zURXUVwVKW^c|zWffHGy-Ln8+pr{{yn7@@6i%(Wl2(PNZUAXEQ**my z%Gmbvk@TIV>duw8`Wqn%;3tf>9CiIGcFW*gMf*rito!(F1`~kXEXG)J-Gt8*vdZ>r zh(2enaGB@udwy!g(7gY-V?~sid&Z(favyD!Y>^fA3wBCl=spe9y|j&bv8p}pwuoQ$s0w11=eqWrPyMQ(U+(KGPm3h5IGh1F 
z8;WZMAuE}6?mz1JV(8Kh$&Ay9>^0xAtw;n|LMZpOhT@@)BFk6AZi31BiT0AQ<__wx z^jG#6?9I`aw*C}}u)uhQe-b{ye1vY9{sH4Is->3EUWp-R4~`EPm4KnC=C!eUf94$| zY{;|Ah4ao?T1a{yRTzk?8{-i>Cbnqg$u9p@;~DQ3<;JOD^WfRUyw}XCGE_E=Gc6BH zN$!`OIj`bqIaROT^rlb4`8kpP{gt0o5H`SN`SI=7QPL)yDZ}Z!>vQ)dp|m)1L)&XK zVc2pD#)<}a_aLqK$=*R@9u7i&L1Qm--T_c4`{?J+VjZbdyl zv~y$?d$X814JHL_M^XdtJy%VRAGsY;bw7tTdqm`L&~| zM(8odxEw;L2sNwi;1G&)GGsi2?Vtbtg2e#wI73uZP&`PVIrurex6FNvAtiH7;2a-w zBg$+}0$fZF&mSpdLX52n{^Dr^&|k>FWG`}mYim=)XCf^&1k$tBMoFmY3>OfH&^o}p z5UsSE>|+5v)=*inw&;_y;=z6e_e+QY-#z#7pi%y9Q^kcMtqAf9@zTHE05Rya3ek8^LpiyeqJ^t=; zoA&xt=X#;pls)npq9*foEBxxWTB%l8SzE{J;mMxZljaH+n1?MMJ;AFaJ4<>`r?h_E zeq>3n&<;CPao;q}CZ@=#ze2r&7AHJBlAdK@kWHW_=bwbHm;S7bm)GN*R86EnNpD>W z@VCDtRmlc)Q<{jsJfJ#(86I(I<}=+=h!HG?Hl-CT{_mjK5`TzxkR*#UrLLUnBxB#n zr09K4;%WT$QxtE^Rpv9s3xYI6<9%vk%@c@Z7+&KX2bVs>C={~0!Gm+XR|SdokM<;@ z$DJI5x$c-fR^adDZv(0LA6=JdKf|yjqF=i)lW-nLCE)flMxoyT<@-&#lg>1Cv$`u% zax1w<76t}4jmM}wf_p9x|4_1`she2W;;RLLz&X9bwZbL6x&q2BIN`xdkuOJB=OR9c z!We#DA<>vGSrG~k{XNy!Wk|e``-|V!T6I^3*1t5{;x|)AI+>);jy8z-^#m|q&MyG< zoq9ce`}&lFlka8#Kg#A#H0L$KSB81TeX?s=*M>?SQQf_61Jh z$t|BJrDuWt@mTsL35znsAxeL*RAyIK$-oLEIduaAgKBa z1L70&#Zw+&4YaZ&*Nt0S+vxBA4(3wo8Pq$k+T}0X{ae|{?`xt_1+oIYjpicnU4px(sz^(cX+dAo6M{cILSNo-@FIqCUUrQW7WNgO3DVxPYb;SAdi zh&|ic5^!Qknp!+TvS*gJ@vH8akw={Bp_li)Zj4~CV$zwP%?j}yvZs-Qor~sL>H+7! 
zzAG&hx>Hnz$U7o=@)Kep;^)OEg~D5L`}R0+AFJk4JfyR>#+CFYRekOB5cNpu-ckepOzNCj6qZgI69wvpCoV!IYqqS#X1pxgb< zMaD!}FM5D@tZ5;pC{w4s2hve0Gaw>XMlJz&Y%}%^V&UePW<@{nKt8NNJOnKDkF7Kp z7#D%7iErZNUzyIFk(879{@X>2ESeS67j!M)CBL?2HgioQN{wFOXogzD{L8?jYW~gf zOOzFXxz*^jZt&0bc$8_j%T%LHIAfh+w(8EF_hZaXQ-l|KxN^FpN@6g=sEFd|ga)Z{ zz>Ox~x}_RT>h5%`ZGV4^h+*wrCs+;EaAiCWM}mbT<}2YO(4kd9#3h~Lq!j`z zjkSfyVcA}11tq+w=(L!?P#6j^iL(KwsNUTybwiaETI!EBpd1*`TA9YVZBr5X#@eYb zR`dQZ6{cEZG*lUEv%|?q#n_-2@bq|*GQNT$pi*Pz!z)f7Dy5;h=;xX;uZwaR10FQi z)D`OaTONZpBl9%z=%yhyM+(_WKl*_BTNtD_%G)?1W{W>-E0i8zrJ0Kf!uu`cFD)*qX*Kjvf%q88)eF6QZU#9-FNOk_td2{npjd*R#KsD=mf=s zg-LG7SvDGI7qN9|m)Ck%*>KihVz|x{34Mw;URK>q{iXGw{EfWouqYD@tegP$^cYlL z!VB9=WUsh;)U?Q%#iGon*3SA?yxTyZCQ=1QGt|6t3lu|@%{Ii5nzzNqzVEPu4o{h> zBncTDs|)Ok6d1D^5{3<5w7S}@l$>nbL0JoBnb z6#0p(N=xHX-{e|^L+LNWFtOL*?^qVsTk+iJV=QDgl~%iAKCM(v1^L%yuMyf=DSS6- zAIYi%%?xSHmM>?vV@^dvXlw}SFKrT*T$mxJI@!XAdGp<=yQQNuslCTLwD2l-!f2@6 zJQWrwqx$k}4ixC%CAL6F2PTA~ZYU~)7ls45>ns+EvZ!uC88GTP6cKv!l$t%yDi7l>7{8+9 zanI33M*oF9PT}WxuCPiNK-3@LhE9uEnohm(dKhjEheZdgB zx~5EO(>SX9WBaJ^`A0aGt+mf1Fu6m6yLOSjvujzq|WVa62k&Oy^4QRST1!*sQ|RVL;lXhOgk2rJw7UfBrb{?t-f z?w)>-<4~&!6I6zBU_Ugjlg#Vb@1%yZZ6hJo_*Yu3Sayp7dfB+WI$a@stE^m7ys^kp zqr4_P>J?gJ5BghRxEB{sQ>QAWp0TTs@Cuq%vy5CwT*l59rDvuAOk4_gbi#}z?jbw0 zQIxaY9-+9qB{+A~MzlRyXy&2>=OzIxYHeq*e|xI#WIitgEUzZ$DC*Ce9=9 zykSfDwnd`=LbWed9KzbjbEE{Rvt=-L9~b%!=*32%8)#cL812v2%yf8Io%vSN5SXST z1zLC|s@)Avry4*~QztrnrQ2gd3+)`b%$JlT>g!iRPz04{-Ay@nNSUn0;wM;qx4?_E z1e>~$lF9%S+riv*G~2SoYgnucj<2Ka=^MC`dk+_|jX*eGhbhyYBQI_ofFdWyz&8t$ z&Q=rqZLh+@J{}||iYCIEZszbvqs|KdPK<|^K>!1}1Q0AA+n2&@=(tc#F&~{Vv(oMF zUoYP&6aPtJdq*-HaQpK{XgW}bO1_z;af>Pxdw^{u--%uwKp_3))2Kj@|BR5W!npsuxcV>*|*x zoaB~6t4l%6!p_6Bb2dH9nP4dVvgh2>U4J2GyX{+h1{O6J0=^^UoIJv4RwxFAHBygh zHyB&&kMZ(m;>VI1sfugdooghg>QnB&Q>CTO#>igx&z`v@Md!m^(hLDILgE98|G z(Jay=-)(-z=m6L67JuTz-P81 zTrw)8dXu>hV~Tif&7yF*{cLud_OKy=3Hew4 z;{pex)sK|&4!Pt=?lu^(hB0?O@4j*hkf6!>;q4iBkN;A9!86%eI{KvSATv<9Y5%a{4enplzN!ofU9MmIcn|jQxaUFvzv)FC@ 
zW6w+Ip0GboY=B(NMdw2)CU66{Lux!MEm~xM3lf_H*j*_Ia7H zY(yY<45=dK_>js#nfo8ynUMib?EqMX*?Y3q-^bE48nec8yy<8I2-#3CB**C5vLJ(U z#-KXxYVcGRSXo1UVj`L4Tt_Btc=3la+7;~pyYIaQskAJSEL5c_j+GCXgYmKG)F56dftEH@DxN*ue z|C|HMo#ZxQ&oU-H!d@}XD1ZE^Zo~8ak|*81pA!Ivohl<)k<9{?_p z9&0Z4;*IPh9>VZnYe3xX6_O!?Y_aj!H6CrCZeHobnOf1as}QepFy4z`WO4m-w&|9x zJK&53kE>LwEb?+RODr0Cqsm1_{iV$%qS>Bu7MIxVbP`X3wJwz)mIy==DCGvfKqiQ( zaFct{8ZN7=qSpz~{l^)g@<)ry_J>_`>y^Yq^37An$(ymqP#l75R}9&G5-j_FECF=? zV+oL(f*lIEPc1G&tYbs>tw6V#0XQ>`J9JDfK1XAt5!aG3h6tppuB(~uOlt7kw7w|e z)8DD6JG1Gt!_QAgZXX@edr`lN%_Ex>{&@jlS41YTM0qpz8#76e(xSNas~Dkj3CT5< ze~@G`)&M2~k11d;{%*RxtrNEOyBg&G{&kJ)^=6;cz))eoOHbLtUZ=hC0uUDd>w3fd z{rYX33G(Qmv?D7S5!fgM_rf3oSh7j2ppoR*{#_*;-}23n3fJ0?0Vt<$Da#`Bz%mD;y$5UtgL&r4bRrSQOLwwOTbncoB;hb2q0pGB!R8fEuMD1JzyApT%KwD_gihvdopm@Z`kRvsyF#J& z$w&4rZ-XWHf1edn4ha%NG52x4)6aV`5|QxrIs8JlVW*Gk?O5r5ihr;X{eKnzaD*NK zTrgykQ$sN?Qw8Z5B%1pt#5&%kPuP=`aamdty*$OhOTr&nvVdTX?JYB??7RERYahAf ziKASIV-^XDPHY*=06pk<v1T=IShI43)2w!8@zHVQbr z2URzJAiW=r8E`L&@!e!Y==UPSKvI9gvfQ$ATwMhhV-}?ya(VY4yZ?|4c3#F!H9E&| zsR=0o(}rP0oR5(rhVx(+{mQ&UltTEwVH zP|4;vj3|0@`GTQcede1;dR7=^o;6gun=ELT8wlL3DPWId+C|P5l7OM8scQM~j~z zoD3jL^uR)=^uCAEOoF%}g9AhS;h%MxI_VaeUTv1S5>ih}aGpkOh9$CBRaZ?#nmx1g zgGLl5dNNM7=C8SQ&f2fx%=RO1ng}2AZrqe#UUDp6$#%PgJ;>~6Z%v1Y(;=N8H4X8( z;jhUVB#iP4r9ITJFsPQ~aGn^uHoq%CX-i}#?*I%6Ox%`HtdsLjIlGdj6)Vl4$W7CH z4@UX=PTd({S>4~sk5-1gxSdb+U@y?gNINdW@0atc!fL) zA^@;2h6uv_i=WRKYN{f^t`4WfDfFWq+%8Zp_t^{l91*sz;bSGp2}9R|^AB740O}Tq zYZVnehLrrbW~IJ+CxvQ-B-7-EzFOf<(!44HE|Ki0^dqJ?-wW>gZj)&Qw|X>5D#d+x;3-Ct#@t4$MR+VT0`#PLXwZIyu!!mYRh|yvIaT zJU|2D%UsWv&=6p$t(1YuDnZ8%*DA{MoE_)XRGD?Q@D$m)qdT_Al&9$_`+;&rjR&-y2PwVP(x?)TwPr{WjJ0KX_$pj~fd1tykZb^#ZWU*Ml(Jvm0g(T& zjx_jfX&dEHo^GcR{KHDA#P}?IU&|RT!#+nV`FBd=Dl5}!VnsV#4QcP$Jj;E0j)?Xg z77;2vJ?|)5cAC!yE;t#ED-5yM2EP>K_ze>$GrG`2w6y2QDp2R%m5%u| z$T%E{@f(Ur*?L4X@`2QBg^BY|wZe7v@Vos%@*nI@)$m6wtAt=sxFn}yMUw6H@p&^G zIA}yQNfR5~JOOXgB16`jh;2R!Y${uYs{`vO+gLY)S#3944D>x6mnZd#SilYte}cQ7 
z^=7A&di(a8nVYj^IGdw#=m9*@t0lP=ZA-&#oM=sEoIaAVwW%0Y%R%e9Xz1Sx)m)|4Ldxv{SNL^yC&YhA7#dN z(V_01*C}Zwx4FA_{0*#aYk&jvr=D<|J&o}u1Id~M9T15~?LHij&^EZa6YDAQMVio! z{`c(e!%4CiIt}v}w|+jT=D>ixc?5|rXQ1Haty8y}OpAopaMJ7heTY!n>le|iEEcA! zD&E)P9|RLQ3BC~*E+o>qF-aJl5-k<0daxu6F;>!|))h$8#Q<}|9w0%Z@WlD3P`dKr zpnfp$Dc)|S@i#2Xr8aJ>Bv9(4Xmge zla>BARGL#y44gHNX-c8`FDi}JKV#GV5wxP}BohwbxUnVvLuo}-3u=wiFZv)_UH*whGXId`bvXSbrTQzv!kqtizux)ZzyXt$4VPBVLeL>#=~E36E(w5$Z@3JA=WUBJnNF<-Er&Lk~Eb|b3<`|Cbj5#^fW2`rr`y&N=1`& z3v1_lr7COZai!^M*^)JlN+JFy5av{peF5HSpo)DMB>AU$m>P_%W$xCO5WyloJa({B z@PaM{-=AqD^d=b*pi_MGihOornmb1SE!i>|R^s0&uWTN3y~p419SnrOhj`&IdBY;z zz@Y4oyrhIDVm(I?erg^dRK35ChQYBaHiOfpV}vgbpom{k4Fjd>&3diR?X z`!==U*$?SBiEV|~1z?W8+zmG8ux~;zK{B_0*k0WYP97no$dreX`H|`wK#= z$I9H>{q?^_?Ix}x2?EHalCXDl?!$+y3>$n72=Ts<_iTx+W|Z@C;4A2b+J`KCTb|3| zASNM}ZW{PZYGNeOjBq20N|(bM!vkY#Ed3|%xNbub%Oduwtiy%Y6i4176^@Kp&&p)8 zAySQ#v!@4QHpSyW%hrzMW6U|@{^sV6dB#Rd0}r9zewJSfw=+NSG1;A43~W3bXg=b8(-A2DjO zB6C@j#r#2Ze>c*&9gNDl<{G5kcH51Xn%+4iH{TNEqQXdwF$F9|H_%ZZ5{&L!GN)E} zG6gd?VLK9W<5Gu$oA>6eOFcnt zkXqqL7aAoF`Sr_>ww zr|u0srXj20PkggwhduNl&e^HDw8 z5b-G#pP-)2#}I{gx8i-;`|qahuF0#9tWN%&YTJdJwG8esDtb$-P9z-;vFlAC^J$pl z0c&ZX-ZPC&Vl>eb)D*8PKC*-i@Lv!qVAN$+KZcpyoj24pKG|Sl=p@F0r|2}Cy5u0^ zeNidTtEfo&p1Zb!FV^}2J_7^OCkNpV8B8YYzk|$q%!!re%X=e8*VT&3%__G~yB2Ys z+{3smI9pASsIlgT3>WqyMY&VQ_{i3q`ga|8{dN#1MBt5f#HF!=+fHbOPS^Gtl_{tT z<#KWVTP9MWiL4vuTgcA>*t9)3*|+4AzDxEmtBg<4!MM#z8dc{y$hVP+QwGJ-VH_wH zlFnE#&O5x`3Ra!Cb>w0)AtUJZkM$r)Y$PxxnazNI>pC#ycesFH5TM-ijB^JN*(SvmD6gHeulV|1Cock)$$6k(^n|3{n z3CEF^DR5?n>(8r?LlV7xDP&J*L|P^*g?K+``pFIwm2z);&vu*Kt^mtqvRjYh2osaU zHe8u<#|>pNyU|mKpVOLA^x>cGGHe^3s`@?ILRI#ZCR05An|^L`bl^(zj;F`Kx7%s5 z*c$AB*gy!9b&1IpP6tQpAK@9-{(18)aBvfJ(H)ew-Yi6lDM|fFMo(leALr1`(b3;A zE}}d18@L-uX06tz$ZuYb>-s+V!*%C9jYg|Qb(NdtX!id)@?P3zF7~S>NM6duXAY|+*15wb3zsLV>94|B z<=d|;u1Dnc)SK?w$On&-Cs0e_u0mVY69K1Zynq$4P*FNy6-I7 zlL|*!WYJ5-b}~;aWK8@3np@R9=YyLxGiC4%MEcZmZ_$G>`lN##A0F6rJL z%_<)oa5~@%k*%(6w23HRfJ8f#3+)^mw+y~EaOqho_ 
z)YAtJE5x9Bl*JDaV~h{(Cpye_vq*^J>0_$RD)2^3e}&vKoQf@?^gaQLy{|kQdf)qV zox~%Jfz1$-=;#qKZW2USCel#g1mIJRl-ddW^mmP2o#J9u%p1bZc}uR|E@;Wmy6@13 z#O1P-IV{Zh0oHr9?-r7TAax6IBe{phqse6Vsn~&iCRrQVG zk!(@Bv6G2CaVEBH+qP|^bEt`ZEf=E2C z_@*#@6$?!_-+KyMb8o4z0*}_8IzY{+UO&<9#WRRIVGjX0cc7Qo!|gbPX+QKk3b0eS zeGkK22>}cc7gN#Ow)U6e9INHJr*u%G%TId)Qx0SMU|yP4a7qW;>{y_hq_zS4XgcdYikMc0lGE4-u=F4))Xw_7hms1*E8kX4>Q%j-)U z+YeRjwGaRojXH0%0e&F`TE4)n)_z;5SO7_St*AoTS)&l(U6A{0=C*5ve^og~HsS<= z{HvY8?U-EaD1W6`SX6ESeBiv5vSk~itZPCbcD2sDLBe9FDqUVrT9+6@FRq)4>TBKu zXW7>JR*UY@$sMB)l@p=GwmWJ^1?y$LxFo4bAlS6{@@XD+E&T-dO}`k;udmf!-=r%x z0ZTB%x#j4Max48FpL?k}sn~LP0h-roN0+^KzrI{7#9mf4L14bl(@N*_TaCg)xi;>C zC(?QcXlmbk2`hv$fV8E?-bp zqmougmKff9YA-ohM(q5uGsl@irxn8P$1lHiLoS;fNyXn1^zbLnIaKZ>k~x!Eq&`=n zLt1vGQ2QC&O8?AWC82Cl>lj!1R)+^CUs~Tuow&cO=ObJv-9IS(0`CU{EcxjPrj*1c ze>AYGBw=$NnwlV@Z2IU=visd`YFZNXN2Dvbx_q!tMt5ffa|qt4Y52X0Yw1%SE={S+ z%%v9AxK$TdMIB>mW}>6AjEwPrPu8tSm-}6=%4eBa*M&hp1`5Y1pxx6!+(R%v5m8@w z{_9S4;Jih1i>f`lo+(ovP$k?Wz>b;FIyRhs?8|b1jAwQiH3!G12Xk+h@ZF_Hlhz?4 z8nv*}ai%&i>)B?mGV8C=hMApTi)juXaCgwXzW-}=3-dlyeCW{hpd-grMt1d6i(FL~ zTyD7pBAu==$4lzsP$k=SuS%oc_sUk5wIZRtAy}Pd&G%b1-T9pzpqAZ9{AqH<>w&r$ z_l-F}i?CL5UGa=nT#-?$aH>VSld|M(MU=>8<8KAz@JuUhuf@872A!sEyyrW6dTcms-t%5rsE2EE;gi(MRQ#-*;b`(8Dx^tyK@+##7$hJCM#RJxqIlXVB=>;c+_16#ia z$95P(JDq2WjltiLN-{7ryd0TQyqk9oJ)dAxnj8fw_B~u40B5*sHl8$|vtNc#aOgsb zE=HGPBi-y8b9!{UG;u=fVVI~~q{;LnFORHKhmc0ohVG{S5jzep%ZRzoX_h_)&qWur zvCoA~ph@JqUj4>Q@v&`~;-=FPH_0XsjV-SGUOg?|Iht+q9rT1>hfL2WjDmHSa7HRy z1ClRK1|2&oAotI>;Cbt_#B9)~5Ngo1+GEQ2NX!q4CnxH$41CvKV-B~PO{ULeSHiA@ z9Q*T~=IiMTU#8Q1JL<8+(h|##CxF;~fa_OESO@|#BQA6NpL*_mvP0LL4AV`patPA# z1y%XoJKuwypZG2v;6C8_yz=?QDFnmV$770N>B68A0Myld28DSj6{DC?Y#B_oED+50 zg@n$4e8-5=eK?oYAYUO3iV1FmU|*&0l!>It5*I0Crl-!J@0Re#Je7HgXtUwIRIn@) zSc!jru#$5Xm{PU~1`bJ)7>GlaH6@I8u_6?ZUenk~aiX&&nQW)DsO}yq5mn=VGT%{U z39+)m0gB1pu$bgnWAd$J%<-iWAkd4d1CW-7#YC~AN{ZuLl$ekgh&*2NRp)pX>kb9^ zNt*}Kt4G13n;OCmLAfxvS(RC-tpaIrWiXG|(EV6bQf@}UsI}4>(lY$l&-!FZzk^y} 
z#z~=(CB!bNNq;Tx;cvI8!!iI0OX3v-_>M@_u5T~3P760FD%X}0{3ub zQfP0Xb|$^WtbX&+;b$3evaO~380oHO#jNkkZq6p+3B%?li8RN#uLTK5NyL#Mq&6XvXC!3GYBk+U)x z4p?nWgCOf19#2m7-9kWTChGM!88q@=4Ew>5{SO;8o^=T<9azXXJ~FkEkA>H*GV`XUtlg!#OJw$Y*HG_4YsSR ztRl&swUj)SrFR&4wYHm%oi|w}Igz~C!!TfxMaRzQVO3p$4A7QIk&<;~Eh%Zy`x3OaXCPU6Fv4<}yr%b>-VX1?t*kd6=Z7qRmxEPaH>}k{X}ztqDnaT`FyZKL;~ zW!FlR2L8UyDYC^&hwuqkZ;7GvQY{VD3#etpDMi5bw=s-3zsI}b1|*2E0r5^%C#Es1 z)Gh?pVitawi~%nWi0>%bjl%w}ET3?=@3J=*bEuNKxc3L-vCt|`e8`ksqWf^CHMILu z$9xpGL&{IEh=^;g!akfSH?@Gd+(asRY%gYQ{ArN<8@zA0JlfB8$C1ZBDZvG;XcjWg z%NfE)qD(G{xZ&kFBP=f%PpJzy`r5Fh^h>QZV8DZtIv0#Gd~pcTyW1E!(1Y7x2$Ox4 zsuLo}F&NOm!Jg$ zpT$Uw7}*A@v9X+n^!z&aYH>E6P-ZkpSw1AtHFBhkwhkWT&~f-f<=+0PBxT$|X-c)$ z_sSr$GUeQ*zf2@!kX#hX#6u33l{E8+d0UMY$=LnLNp@+eJiAS zuHN&HpN1@gJ}B=&=2QUjNZvH{Q!{?i&^^gk&)hiMKMR-1rAQ%9V9nW>rThnBP0fVH zTFvAJl5!+Z!3cVqr1ClL^SL0uZ>QM9d@24DF^z3Y{^pnA!_R2*A+aHeQ z@u{V`MOWq}A@9!0X)#%SYADituG2s{AURk8@TN8eIZTeGDh zT=aRl`HI^-)t5A!sVKsp}OQr+d9vdhnkEttG7*D2lD-* zfsXJ&Bhk4$vB3F{=5;tSWFi*rCJqPbAsG(UOJip zEV2!XR;N5>af*uJEq98T-{8k0_hPb3Jc|l>aD-cOR+kwdVYvb0TUPU$s&*)LTT+@0 zpm5+3cvpI))c=(WyalJT~xTPN%4hd_qrk z37XXZRzQzvFkw)INJ9gD=Zz<^+hxW<3 zO&r_-&u)p5R~4D#M7j=%XZODbtADSko67Loy390(`Khg$i^(hKYP%60;FO=2IXCLg zRBm`$(jHAwjBluzq+qSShUy?M<|uUT#UWl)MVdC?P5bv^#^R)9ktWYph!kdJanfW= z`^iNt=>5{jzn62yN$NG%y^n$|zsm8#ir?Y^6#aF_c*J<2Z7(n69yD{G+ny*{vo*bi z;b@u~HTB4Tskl!(=Sq3YTA{_Us1>!|uhmYUx1%-9X^7E*-8}c8JE)peFEKr>P*Y@_ zY(avKOC(>RuIXk*QVZ=-b=LkJwVfmN!f>R8G4LlET}{aEmnn|QZvs$;@xu5muMGE8 z02c*mGe_Hz;)s&uj7U*559r7Emj+_2G0ZBpah>j%k~e#k)}o{qxSq4E9BaJys(?s% zJDIhD6s3$hUm8o3QwKtZrgOWbvz@3W0ZPj7KGSG08-zT!$E#Ss5n_LD!aZDmx+LOD zK(av!jC;~AzYf{FdfUDdIg{1;?@d(GfTqyB@>3D3Vw9H%kxI-Vb>@&}9ZFX$3N=*I zX7Br@h#k!hqRLsKF>Abr#;~|-cq@1|Zwq}bT7r8y!p1}fn)(L}hxAuti(ZKoiiUmL znE|<1=r-yvX6QC#TB(2Qh?yap4r3i-s&D=nI=FPGh)jhccx_78RNkx=C@2RI&lrWS zMpTA4>hc?xGu4!`>+UkMn9pB_Cl8Xe>>#ro7ZFb*-&G*~Tn!UR!nPbFmX=V+_+!U8 z#ExIUtpD$kM9yZAc;V{5G2-ffMQsO(f!bcmcu4USz>^Kfa63-X;Gw1+WS87%HsFEf 
z*T3=rV?3n#|EtlE#EuWVW-@C;{3-d>yn~FEF(K7OyeED5cAfQ6C>;H=8zp&RUfabNGtp0WUAB^^+|M3VEUjS+S7atU$@ZaeFL$gG; z@qbcnzjX(ItVHntO>!XWf4vNmi2$P|`_DE|Z};Nol*+%+jeV-Y1Y5!Y z$`F0ZAf75v59g5oDn=wen0@qnM+{)lBbPY79P`9-)#Ov<>so4hPl25mS@W>L zJ4AHMOSk_0{&iHg&wU)(yZ=KqVUiyIjpS{53%H7;O+gmH02)C8|E z?r?cFG&efFsg~T3->bk|=41k_&T(}3VcU=Q&Ol&V+2`Djf()Pm;#HpN#aE* z@Hoa+*6|S=CVEUA%LFi)0inZuaAD8!A^K#xK?VEL1=Z~x3iZ<}0|adTpO;=u9PGsL zKIe&gH!tTQ_Y77fFX-CtT@Qqr6jg%)fS4A3fV=SW(#h+Bmd_^BU@lm$AmUEy!2_^axm@iNHR2zVBu3lm?%!u(2 zlOeGoV^tF7BV(7{veJT*P9W`YeO?9qH5!dkESCb6oeO;bRmhpvQ$nE_Lj1yukZrK9 z0{Q)-Dqm&yXWaQmy~AR=lhg9oc-BLZG~4tFVUE?E7~nk$lKDeawU!@^X;C(3sjV>1D2O)Ymq&~m{Ra&KP9bx z4xO$$ZjkCcYvhRvvqo!TRlrWsUNOP3PIP}uGwv|K1M^k(Me?z$j4oruozN`FdA|9f zh{G7<24H7W$uZ-{;Z7GT$%><*_Z82JMV$Ugkh8slQeT%Au3Am7!NJPg&s zKrdZ){l4i#nr@Asw=F$Iw0M+!xdUhwFl*jQ0Ng#*CI$3e`c`e^77ov(?{TV{$;9_1 z1)$dVnjlP`W{}{Zbk4BTBO5&-K%Si`By54;`PwenCrSWbk`Rudpuyy%|C$YzAQ>TC zkgr=FWqti514k%z0ohccfmm*!p9zy8kV=*476?@!e3{Y?#{df(O5O^UVWXHo3;98i zl(!X(`JvDAia5G?i)PM%`>75YhlSq-0eJQ?TsotE8yWvf+PUh)J8x9UHwyA1U0yg=Na>{6Tl%J*4kI zy))Ky&-RM+K(2d7F%S)=Q&F@MtB)Hvg4u05KZ$yOixAu2e)mv~QB9b1&Znh_3OKw8 z>MP=Yun}I(%fK}8VT_V%P7cqWLmpw*L@`-x@->UHV>&A*h^j7lm>6%t)`_fd#@^T) zTCK27Y&Nouw3kciTbJb}CxePKv5Q>L4W{;^*WA#D{oS%+Y-cmN4pQ|JC`)UOFH+lU z+a{MRr0;k|-e>0{j#1m-koBcN2(S;nG?j^#D}@MZ-Bk>?JO68JK@}$_(?G0xk>^21 zY`9w=90efBd}Y1Raa2C{zw2!o|LWlH%-7j%9jD3_W3u)4OKub4Nv--DIEzoj@Rf~x zrA}G_e!k$XT~#xD$|^<}TDrrX-|^`LzkKr9thk95cB;w~xr&V_e$+EuKsxF&%Y@ zYR2f!7)ST=jh0Owxc|_t;W!qe2Hb1hx!OPW(3J&ftZDFIb=JW{B)L8hp~`nj3GP3d zSL{D`IlU}Oecg==64^P_@69x~SVuOSeRZ=|RX;@TiLOs}R6gPQv3a2QD$f@k^0O@H zZvUvCn}TOotem&O)$=^XKDC`+f)-Ix8%)CvMa(ZB#F$r=159d&t6;Gtp9!hZ*sF1_ zVanOfFJa30Wm#IQ*)`C!Hv8&yKx9}OlMplM;>+nJ9pbtkxd^E|$;>T%V9M!nWW2s= zY-EDZQpDUXIH{_=d-i{%1{7Z6Ew@kfIGqZ3;bY`f_8If{-K9^0men?roeIgj@dwp0 z>+9tF90L)V28aS|f4tk;Gk{f{jxhvPwai(5OVn6lMU`V4=9*2a1VXvk+#gYoJQP6f&Sj@=B5S_zcb>zLLH z5TuVDlMvZI^}!c(R(s7n%hH9khc}g6^|y$)ju@ra$w4=A?T_tkeeQF@id5h0yKMW 
z?G3#FdFHm`htVP{v+e(b9u*Zja?k&t*>vkm-?n80d+D*d>wh)^T!DFT_YTcW{3^C@ zf_^f9p7F3+J16_?6#;HF3ERe{h|4x%*3h3dC$uj0grm@`pjPnCoB!I8)=Yz&j-i>sIUtV_pElh-wBgi0S1fHNx63SLK3Oa5jLE1K*W8ohKaM%?qL>eNuyK!Ca6A- zd0?s&Pz5=r9dPahW~$aa-T}hA_-O)bJGFElGBm%tx>~@xlE;(_&+e`p6#cz*Rg-Qt z4R4-rXA){ub!QJU)&LB^>29mK16+T9eO2`_@e`*=jB*B!Y}a>V5+pV@U#Gp-hK^Dz z+3nP068Pj_r&+(nx%Cozo_mUU$}Zj}@6-=h<$G_}NBpLw*cdRO5#1{Bhky`QVUGFQgynTlN2*v);3KPl)Q6Y!dHtN1ZxW2eKXte8Yngh&N2m2IK?d9mqlCpKc(yFiBn zN*cZXc;7Tz{@D}Rlb4zmRBMLdUftRPG&rs=-tR3YSPG3{hWI)nE3={X3tGd4oY%q$ zpW^m%!?XkPE;P|#w3hvkLUfQDAc=L5Z{vgFlG!FY1jkN0o6Hm?(0Hi$R}H}2bkk0? zT~8K8zdIZ<{z3B&jlPrAOzJ%p9L03e4J}G_l`I^oxO$Q##MA`bB{;%ZwUvB0Rnw>maE8}b!76^4 z!{)_GbKC}FPpA8yU05eD!(zKrz;{)iDdQY(Y(iQTP?}GwFcaHON{~j40av;4^@G=A zJCe1bsoQbUk*!}T;#Z3>?~iko+V&U=Ie8rm>+#p{BVgOh;Me8Jl-#6)#u zqULZ(9bvu_hK$nvy}dB5?S~66>-d3mU$?kR6oYK9g_803*a|E}pPs%DX&=-X9(%nR zZL>wx(3)rlHw+r#z<8TRd;QyE1*9Nc9X=0G-85YMWS(j-1UH_{KHxgq5-NfjBvO?8 ztS=-|fk&SHKy0IMjMZoJ;$pqyumV|XiWmiFI01g$LxkIid}B;2o)RdQmsT8&C*J~T ztW8t`X-oi)+}OpeWQ3hauQeR<8=S!xGP1hXb8<-uSZKVVB+kw5?l2YjlpsR|e2*D` zBt_H8iD=@at!n-YMXTjV6Q2Ezkumd>nIbROVl=hMdk%jVN)k5-L@F3lvI0`FqsSkP z0Y_AsJQfSTi3k-s9!ddSbeCSpW;pgY(zN610m%u{JzU^UL$epKJPoU?YT&brMdAm8 zr-&Al5^8!bPo_W{aZe*}Y^Sl^B_$!ioqhI$sk^_Uo%EArt01~L(x$OmEKVgZw%uPL5zSRmsxs)_(l6-_mO7+yr8 zU3~>+rFDJ9=r1)jwI4Ra6}Ks`i$UdZ+!s=Vsxo&Ewni1*sA<-;({fRLuo*v{74&@Vor}6! zC<%Ef-$BWM%h}So@eK^ZjPSyn65nzTuZ44NaWL>PO8h`ygfq@O+Y$!)A6)olKwO-P zVrZd>c20Si(AG|Qqrbp`u+9boQI+>y-)Eg{Y-4}VH_DgoP-+mXev!v}6`(zUb7htmltW>nSE zt6(iE%%ueAbj$PLb6IPeSPf<|HP#vWlOJ_-tv1^hczh*todDzE3DoXg+y0T1PNG&{ zp&GqpaJJ5_VdLcdpPfNDG`o;2$Y{0jCy>S7i#|-aZ~ZnA%f3yXm3Jw z1OWrUb8dhGzlY1y`5H0xbQEz1K^ulb$J`8NH2&uY`56m3X+d)TcnhOE{9Y5|%wC971$81Du+fIjqm>XBWcOoHepc~|cZ=eT z5p0snsxa4CnDcWp{b~18LO#CQy=VU*=EM#_ab_nm*tyNJQHL`Yb%Lt1T@7s4ltBVR zuW;hXA8st_k{V-PNR(+R&4?w(hro@)9tBTslg{`q4JA_qSVC|W*|>227?GG=tgAL^ z6&=|DuD;w-*0F)kc#(u1D8`ABSutTM7al!t>ZctpCsfO4HDqqplS60hq8hY{-wX(! 
zUPr-$BJ~9*7(8-^vOK3E{3$~ngC}V2Lxi@E$suqYe8nR|c{F5jWA#dciSaB=7h$ka zLO6y;kUnHH|LMvQ0wEIk_2Sa>@N#$1>j3!tL+9no<=6Jpy$=&{kz7qF=w%Ei7wnJ7 zcc*7v5uGK7b#>D`zeFwr5BNJ?^EANGm?bj-8^oREJwSv}0p*HjkQZ_&GsufNg8;Y- zylY}q0Lsayl~yooVNI!6Z}Zc2mFB(Wu>NiQhk;jI^!+|DI$aiuyTBAoODmulY|}sF0@IGLn=FNFKzH3tgwjem zJX;H*{m_S<0488CPOclJgg4c@RWL~sF{GpL_B3=U<`r)(qWkPi!iPUcK2^MEfGCyi z+x@Y~y-~tkq|O9PM!$og3;Omxgq_>}S0~c%=6TvZ!$5a0;n|a1M2tsLCZMj^`^}Os z$Td`E>tr6wn>#L9JW1y$&v%o~{2`5rreo^VZp*)xcuBf7h7Cdoqp_FSQBAUk>bRnT zd>FQMTMb^nd3$*eqPBu2$*o_59O`WmtPZa8N=if%K;!s`Oq3F!mNHnE5|$a2H)ZGU zZw{JNfZ-5mWuIm_G0?`88OzH-^48gC`{^2uOzxq0(m{-8BrvSfVgGLTxVcrpiSRz| zaW(dMv(bBTYj8X;s2-veKFTTT6tIgIH4+G{^=()cea#slM-kk(178F`PHt+x<@X4C z^Y!)x_#nIwMAG^J{+bzT4|AfCo49PYJHl~?0+}KYVr=|%0rTm;hrG8*RUhcoM#C+z zp3H6k1YRNs#b0o_^wM?n{VV9WwD&@L%WU0E>}gu%EXT3XD(+$VRQ?z2xDB#gY|m?d z_LVrw8hkwUF~g9*Fd~fUgtOl|`J9b?h^UJPV2*aHe9_myJ<&Yjhqbo5hsO%WG@LKg zNPLN;pO8+1D|@aJN`rU}^qZaX9ZXX!{wkK!$59CVFKdCCyi{!QCYk7Sp~8KH$G5EF>E57fn{7xmK{=^tdFp*- zflj4$gSfNKU#YP@G`!R-K5n2A(L9o8q~vfs}5sZ{2- zk(Rm>bmLe>xS6ir=n}?Y&;(!~^6OUd++)zQA4sn}E4~zUq{Ro!Otk;{IFdk9> zvCg`^%f7V4Vrm#3(G|3H*OtOoTEf?p)6<|1Mijk~yZppR7c01{gcS59iH&SdK$n{l zB<`$VW_fHcMC&!m7CGIsP|?BJI$~E<+YQt!znvi&)$At{YC3%t^3)GMlBqH!WM4M2 z+`g<|dU*3#mj}GcKOj+(T^<&2jFlal3PYHQyRXA+Q~bEQ!&_hu>&3q*;=B!3F|m-L zHA|6+O7JTkSOKuKYQ!e(f1d-3Sg2ZyFUxvpP+B(@e>z;c1{KVubdUpU@!Gn9r^TT$ zGr0Oj`=H4Ng%|5ZHrc!KymSR#>QeL&W8h!T`jZPdFv{NTKY1)aqCs{hBdjV{hZ9gx z_CrrN1rFZ?O#M*q{bJa7(%8DPpk_J0!dhElXv$^S7-i@Je6iTjl$>eA0LWYP=W;eV zy*x^CF5}H|%Sb9Gq%x3^4{Ija%ApKdBkM_1c`??Wu@q_jKIT(EnI{u?y5stS#R9GR zGZk;)>)l4-$?@q%!YJvtyVcfb)$7Ex1q#WZ&6Cc>)~=G0A+hHZQElmFlQgwSHMOyJ zrgtIpb=RwGUK+a*3cWjS0V@*2_kCmchU6vC-X+knK_`5qi#{|=-K7@ZS4xb0tjv76 zzfSUVPId|ny|>1i=ylE9N}e8MuLR&qzD3EN1@Wj_yb8|V_ZJ$z&W$x)`VF1R5}u~> z`=ZMd;-vrX##GEcA>~_?02($SUF4qq0DgUz&hL*d+t>)w?N$Kbxzp?8J;6Co{JUq^ z)kmu{PtSs5PNQi)Oz{q%4VN+NkGZX_pmD@`jqOQ*?WI42y}Y=5-4(>t!JqRK#mitE zd3s{)so#&OM>s1&Ivbf*;N5|nqroV)GJ0nmxUqr~{juYvPdl;3Eu6~7I~&=J))O<@ 
zOPF&sOfaoIDx(SbHhX9Mq_N^e^#GJxdT`?VjDp*`RY+V}TSY8<4&u_ws;6Pz_G3Q3 zf6Es7QM50ayb2Yf%ks|AO|uveoiz@UOiRA-TwA|BkyI;PJYN_l_@@ zy+2Y{`CaoG%8MYo!i4z_Y~*za3(Dt2j%Yz(*P-@0;DqmJ?^MSYlwze}wbo{$JCa}ID8W)4Eib+J3>Y8`Lw96Yg19TlFIaQf{&NXrsm>+X( zyv#!Xt(6P^FvG~rW^m}B?@NYLR$%Tw;k$a@acrp>Y9UU4$v&|;iZmPf5f=q^oUF|8 z@%Mf@c9iot`)BY;M)o5+^Arut;wu1q>9R2MH<6nDAz^O#|#;5v2$FWin2JBuo z*SZ8$r`C>d8Pj;@wV)YiMBj&cTHv~;xT-gUg+@uUexlxMmRMpTeutNPX~oA!V3L!p zDW&$xO^PG8JvS8gJllh3xIaC=evY*8fTq5_k!`zC4A;7+)bxvU*sAnOTw9A^f<*R+ zVxm^;0fGu1P*^bccgV@oBw;Du)b>Dg>o|5C&0-Pr$~q>rq2{Y(?|VYJln5W|4(;aa(E z@Zn`gA`C;R=aHa{rNm1gXScG4=44>1Ax2*?J`@KD+4Kd3h9;rKIcOIIiLy~xS)0xBMD@K#6?y{n>59#NAM+g^olh+LdES7RjvT^ov7i&HH`={)@n9nlsaN#-k zm3|^blkd;kvD1fN>w6>7Dgo|Dc-*nyQ}*-xza!x321?yD_T=Rs_L3K1bV6Qx})^6_)$poNb!GXpOJTjbdsj7U50KjQA?|7rS< zxcl$IEwFM_n8?HbW}~eOGhgxi+=G{aw=$s2M+C<+v_EwM{=``v0t5&#&cl;`^sZ3! z4WCEYrM-?vT;G6&*>TYR3cbGRkFcZ6Ql04|{})B^pC;7}a;CHEgH&~H;&vu(|KO~6 zGW-}hInRLI(d!jX*6{05NZ}UYk3*5?gIwVjR17rX=L4irJFF~K#NBx!BwiZ2KIZcu z8icPr>z5fBS+JZyKbT=_Of(r(X78+>AwI(2t=>2dnCvRLK9e&#y1wH7C&9%CbbWr#J(&^e~K*o-2H$FaxLd$0cl7F2Moz z)l7ZQ1x&S&%=haT*Y7x1Dv`$w;hnbUFbwTNG8G|27= z$UA|0Jtk1);GpI+yrn9*Mtn5F$fo7Jk+b5 zQ5k}kZOyPSr0q{RC7uXlu5^GIC?nC{OZCBkA-=a&ocG zeBIH@-v{@i^PMK@6sw&fBAexW8#6Bd&c?}G1221BBZM9SCK&W}hb>~^tbgq8o)R)xj-73Z z&IrmpB^%@#15a81@_{Ek|4$evM@{tbN)wk@0)vKiO!O;mx!G!_{a5NqeSg5G#aD~* z6RW?m#eZ^d(u~%b_bKC>h5Qo+@*W5G(Zh{jGdN}h{bYvouX_J(jiZO*L*4XeUtMpX?9+-6d9(VmCZ5(L1TfN`q$vg5eyx)Y^W7=Fc%?Bip= zZAKT8^eCqX{#j|1(Dvx=I>;UZt4ob@>N1lfCK|N$>yjGO>wJfclB&C^scK+ENAdI) zv1RVh7+Fe2;=1>o$a1A#1I;DLve=h3`pi}L&bGLopv>s+s!WwjgoBNP zH6g&gB?-~T>U}kRZ-&5_z<b&5t! 
z(*x^5Yae~=#OKMUl(SKG8iYnPI0~y-ED`&3UIKiq5Nj57kJUAC9qbDn$Zrk01AmV+r{OuF&L$SdvqQ5dRXL|?13z43qTzf>0H?#%0aDL&w=*W|kTD#sWE7>i6o_g{O zsR9xTU#jaYgf}A5LX%&EzJLBrB+KHh^?~pnM-*aax7Rk724T}IT?VBaVQ-odDnv2{ zsQWKlgSmi$fIgcu*#}+~tH0fut$-Z(2Et=*+Xn;M0Q~!=1SdTOOn zI0#X8!bPY=dvY3gLoHUZ6&Ct5reFGt#w?l7#hGXg+-dE8Oz2kAjrbb0b-+-Z<9W}3 zQ9dE&GMit#{SB(;8HteDkKE-zd0BT%ZA(8Y5@cvLIz8Ldh%XZYt+-Q4?#VjZ{>YKC ziMcsvCdus_^^{qB%s4bGlfrXT=5&Y^O;7P^jwCdV!$GSQUG@?kEf1_XmBN(dDFfxF zmjvDNAoN=58*ED%_u73ZX<&&$66GafVJ-ip4W|pBQIrFSR@Cx+Y>kL@(qSxQ)eZ=< z!Vy+H-1AheeHc6OYCh)X6jXcyhk%hK^0Iu(^T9|uYww^^1lC2C)!_=}i_X7zoWBJQ zN`$E*_2oXYtfmF64)TX1K1cO9+sGbI5LN=RQXC^P1Et$1D0# zR?X^RWWnjqab#kvNeRjm?j!i}8cRE0(1yDYsX8|D;QYohP$I+z{7QO=nj@O1=J!z! z+taplN5f6cXsak3AjQtGuf9hxy2AX2mGSmW4Gnq60sro@xnV2e(&0SJ;Swm6BRMSP zH**`IK%Vgk_TwVcmMKh6LY=9*x*si%@x<{*z2jKCkl5k3g$D9>D@E;l86XeK&usc0 z=R6%E(Bg~J1a{(Mp%veD^7K+F;Vt5C;5l=ZW%<8LnKlk>_^?3JzZGZdbNtBuH38w~%&I;YtS#bJ8?WR~kI$ntuUU8+xB@$oRx+^xxw;pN zJ9J~VkRCu71LAl8=6zkz&92;zz?0nnIBj{Snwz$X z+$Do>{pVR9(c5hrHrOY{IJnsZ_f@|37jn1PLy~gncR=x^{kgoFH?=^-PJtlW($YF+q)j8&)=%Pm9OHXLx}V2f0wIY+NX< z#A2zT8enI~L}nznCiBC!D`?tG8i^ENx6c%WIA#I+mZ+ypdDj4=GvmcaoXYEAy>C}? zhV0N6p8Ay}h_?IM)66MGuZeg}{DvLDap26w!e_JzE+!Hf ztow<<7HHeIGHr0XBgldZEpvrCMLmhgFz*N*G{9T7JndZr46X02l4<*}DNCK|+7|U- zj2b2AexM<$r;Tci+Ql?%dLX1{^6K7;hQJbP-QnOXS*YxkFubtpEHsghA~j^>+rY1B zj+Pw=;irV8KeQXu^~b~j=OTwF#fym9_1~W-;Rg_hR+4w^Ca5p&nbr#wuROGs6NJv- zeL&9E#M0^yJxhJx>nOA+Gd11|(tchdrHEUBiT_?aXzw77lcbS^V@h$GhgO?rI>sJ={LtX7=w&E7oIB~*&w*sSq`d)o$gUN zB`J+8*EWCOqST0R8^o?LY=~l|REZOO9)K%PM12_7=^#VsF89K4C_Dv zJ)U~O5WBq!yn4Bn)lyDzTCa<)l^-__qHLkBpu{RgOxR!Rw(+%o%xKI|=Hw287Vt0- zZUXKcxm{>j6(;*8z0A2@g)9yIk9(es@}7=f+>G(&@P6*vb-fvYcp7O%YT!Zt4&TWi zEqkW-<@%K!yEE`@-B6R`uCb$Du)%neKA+bVrUkZK3L7C;^m0Yy=Yjl)i6FCOWQ*XU zbM4@}EnX;ts=H1F4XBw7#M7~21aM{)uNGWDLRkEaeyOrBVEmmfZY8P~OKq7wf2u#! 
zoF5b3Qt8)%>y;lFeq}rD5PPtDGEDJch2I`z%xBqzKpK7B5lq9~?&~3K3#Qv#$*hTA za{;Yr<;{wo2NF+vr7fz(0)Oq_TI@Kq;Lnv@aR!J>t8Bm5-|wPs2QK40$bg-|?|v2& z)n_4Tc1>5E$jJ&jRbn;%F88o~G93w;I&3o&r|)hmi@){OqAIp!s@FCKKR^5HmLA^v zLn7{k`5biST3Y%TcEC>2OWH0Oz^DHzPQ;-tS8~HiXkhlb-Gg@MgNTn_M~&!v*sa3L zov;58z+i2O6mp)7pkTwpvjiZF8d|Xw|U2+AmObE+=V$9X@g%~|}ZBMX7%3R@v{ZciQ&6XdmmJisd{ev8p<1+4n zVRZNYblT4695%TTmO&XLz5VQxsYFuxeNsYZM3Y*(n0I`pA1P;6Z2~xNA4;1(6PW1K zKJoP!hTRaMSsoOy*f$iR%Kn34@BOW8iPg|TqC+zn#_aENBfKuA+FXMh=Pv1^_1pmh z-qog}b+p&^pz5ct*zTRbGE*>Ax_*MFv6AYq9rkAZi*FDE*nK#F70Tw5+ojmEWw6c@ zbVwlrpXJWRO{@sDsW|`-oy$XE3|AK6zJk>KSgd5N=Z5dLamty3su*OQIs?}#b$(@M zyZ9P8_Vm0|`eJ;(i3aUP^KfI29(f)Z`W*rB{ExNO5E3`xL&p@znGR$aN1M86qa3k2 zbl5K|F7?1>$}Pks)Wr3eN^tC%C%U5s!yENj3nbGv7BsGjGK|6l+f z`;Ma<=@m$hi3Q@Rq^Lmk8uO9yY1^^v^NXdmd$oi!{;%A#pDFt0@O2WN^4~Ff()*TA z+s)$#moiF|>&8QCMYR<1^ZgEG>}Oio;L9H^@ax0#RZ1FJQ`5eCUud~=)~9a_uk&_r zYaaKaRpwxsoAN(?#Efu1w<0Ob0T9 zIiaYl_CZi#R=T&j@H%Ec`0E+A)@9w8vI=7|ppBUunU^fq2BnOahRW5<2Lmn4IZziD zT|WBAIbS{jKN+^A&>`@JAJYsi$u*l=39KF-o+ibb3hVJL>Pwadl1-G^zQzU>tK)lp z#PxvUGvmh4<9pv}U)Xu29P2*VYY57O$y}i3rpgV+YC#{wN?QiVAiXB>&0o}VjMcoo zbdZ6aUi6QZh94SKXApJg!;(r`VIBs5kIx8slk#`~7MDHwb8l?E_a1NAbUUlr%UD#k z{k2F-TbvC#{y*aFC#K6#?q9Ooa#8Eb$5_{cdusqw=5nb}=_KU^anEV&lsM&%ruUFW zfSt&1RTyekGve+(%jO#%;f^hh3f$=vP{~eKOd!1zFHizFdv~7bCmb_y7U-KkX)2}ZRTBmEj=U+7~{$o}vT7%4)NSCt13wPEGa!293 z&B^?>i(H+8-Myf_$e_@bDNdP&McdMe%aY#u|Hb06PM zQXt}A&-PB>x2|r*skUj(I`B(?YqaI?cah2zb}Ob7-QI-S6QXIwlDy1%d^o}xLB<%E zJmJ>Q`-%FEw-Kyr)NbDBz$9>8@aRKdwRGwifpJ5ykxtx=pbzK#M2okf@QN#)uc?uG z3mPMk7Ki1!y%DY8Ue^0i&e)^yJFW?FJ|eCmMASpM?zSH_F`t3BJS;B2F7qQ4-tCqs zoxHXGRc^g?Bwf4!%8OMDWNnx49<}-sUfa=Z;RrdBxg~;*=^kU;fptw0k5ggTZ{fN# zLA(n>%`l;nubwR$;_hb{Q_qva9noECcjfQwl0FxN-}A(}{19*Oa!}o$V|nh02m0Lv z`VA4AAQ~X8Uk&-{P>5}S_CVcmFfE(sG*lu#R^k_lHeb!z9_A0?Q8>IvMVseQ2S=Mg zCi@9etL|q{gwFk#!i4I*O{Xo_48gyyVy|)?$seF-os*r1boqmfZFvdbg=t*NI=m{A zj637EuLEW9Hhe@Al3-@zp{M^WFby0yzUu7p?2h!mdr5el6xBDz~Fl z!)f91B!WzLn)HZMUV&rv)8})n#(Y<~%jw7F5~iC}jRY@yB5J?h_Mk|5P)hHK-w96> 
zQ|8_>tdR%!!s4ZL+X|owK24OlvC$qlA1Dko;|lPpN!AWL=OcUyGHx3A@_r;d-oKA1Gf0V=@n^>zruMjg2eHb*^KW_AuRPFYVMQtnSiulizZ zx#qhwKr>6_Ku-7NV&rG{0hG8f{1vx2?xx;gLiabK&E$Ka9kabKxvGT?-NBYR{?*-e zWEvw@gxC8GU-kJO19Riv#GP~GR4&l9#R%T3|7!@FswZS6C3ojFapc=w($Z!wvn|vZ^yoi<6q7I_k||4~%Wj0!{IEf`FX%0;v7mx2cA( zmaU@XEKa;sMGqD{+}MypS=}piF(Xzc1qi!4v15OIoJc+ zGrlXE3^bzg_y;!BD_Cq>7-U~tovxy6D;TB-tDR2(_VFBs3b*VyrrSh=hxk6NeW%yi zP$mfj4Au9W$!@{zbwa(XFjKoBu3EK&OB*&;hERT;QoLMx=S5q6lryrTJ2#hFkQ0!I3q_{Ocr09k)ni^ zW{M0v_%hP8((yQ_B}?z7{6&@Yx(73ml(-Zn&^lu?<)xp-N+p4aFDdK0X^ zW_sD1yG@glHQ-pkv}tW5-z94tLv$xT<4hlQ6dL2)9VI!ITGj(qH0RnMiS?v5SzYYG zuurpAbDj?kIEh_xlg3Em%CREF5@8s1i1NBFVnjp1DorM!$!VrBLRB8l&o>T$OJ)N| z=kTzh^^@DEPQRZxtt7b{)V(o2`25l z6?~H$cP`jUd7~?^h#gInPhp`AI+ks*tMsh;4HFm_b(;r^j}ZaDyQ*vu%Voqz=H)S4 z%aepF+Du`mAxAFn?W)!*_M(OaI}rn9J_E=R7gwmhJYqIU6Fs}}CDw}Dsedc4cHf6P z2VZmRoj6=g+&W9FPMmfjw>9W>rWS*=lJ$wmP#u-;iphFCI|w{C=GuZxw$Xf*qH9F# zA=p%=N(z-=)QztE(ObYz#G>D_DZ|uU6AWdc_Yhgi&)ELW47S=H-AwkMEMb zRf7e#!(n+X;(;`NXfXF&(=AkKn(py^6E&N#V@f3^ZmPVy24BLww?brEi%7JIb)9NhK7#cH&2bGFz7a+j)^iYk&l6t7j|^;pA-V|9P} z3c`nk&5eF=j^QH5(Pf<$>C^&4*P8uX=u1_jJ5xRj8pZb~T&GiNS)JFoubkg;))P9} z(_p#Q-*z2P&u{Di&zO~nf|LY(m?4bW)1f{mOporMhsaOG-8fsK{v)F_S;hl{niN*ohE8=WA8KCSmI8k&T3Tf9p+t7J;W5Nsp8KO*#g%tvK+%(G zQ6pqf)2r4}iA?9Fu&j~B_Hdy9Ju4n8Bb82<4SO?zq2C6VOJFlj)-fUpC3v8$P_BL) zP5{JKLMOb-ovD-TA~!3FWlGIUGUe;o(??qea>&b=2M;SC>pD8FLU zryDcz3%CI^a8C8y#J)b7Ih5&UcxEp z`(|TRt4!*)?y+t#>RCjlyR+5|OEC)r-*}zx@x0KDOZ$O7jE$~fVBGmYCa0_1nXc@# zXQG0lq{f%!+!G>&*13l2vdTZyNO|eN5V@?bLTU@t4K2Fujj2wLEg%MJ&08wtOqJ25 zlJX@kwsAeYH`m1L5VTh)L{YvFQag|9F8?rW9iCtvPI>J~p~03%2{_!MFOTW=UA8rr zd(wE~kAJm5sY*CC(`Mvu-bzRVsP2hqmN?~E&-qK;Z_0XQkY2_Osh1#^d18O6^K|L$ zMg6<}S4*vaPji~B@Zn3706F@B&fXQC=U6HDoK^_xDOn_3rDd?*^pOnJRp*i&#hN^H#K zNwSx7IwEt0*jsha$-Yj{B(}@_PH*1``bbm z&A7Zs_Re!?#}P~lhvUDkvuIqvMiR6@Z>tEahu*>58NGVEIgFrD-4lQ5XjEeL-eefj zlDCMc=7=yyM6ol_J0UE4y!sSq zsyY4mX#2K!;P*8IPXCi8heHe%>77{^W(iWByaK6l(_?Ii)$O~_D7HS~BN;QaMUHPQ zi|HNpIVju01^SQ*EQGGMrt9#HC1-}Dq0GX-VmlS1Vnr~gCW1ZvnN_Pu3D-_vEv#h^ 
zKAt|9)^gpVZ$uY2OJKVXTu7sYQ=$hzK!}~>Iptrg-kiMO*9F16_U9^Vu~hMepz#7L zr(uc2zzNT3#a6RunO8k+OR}!`RmBRf`!^v;y4M5Vm+O!idn!v&|aUS{}tcRhJ!NicbDEwwt}Sm zAu5dgRZaE-P2t{nU(FR(bxmqId6Z(=mF`F=j@7~Cc&Di?lMw_kW9tJj0tha-+^bUy zKKVF?sLLb~@&8_2&^0D3xo+ePDVMt=(BZ$yYMbHCkq-hs-)FVR{@tMg^FQF#RrVwC z5r?qY{7oedtiCjE1e2J5@CdDhbo6b6ro)zh9P-jtKOEnpDk4jD*@Qq}L<`%8RS_Tc zv$yE^y2L&fO`f{Ai$zv^6BN3BTyS)7uWfnUmOgfd7|319Htq}<$Ii5H947|ltR5cp zthF{@*9(vVIiFu00j?i_QN!PEw`$sFbrEh}b?GLN>q4*|)rX`vMPMkSpT5o_WF8WU z) zjL3sR)k5N55vvhjBAtJ3$8%`(yOBLH^-A_t`)IKX=*VR#AqqzlDN95ZYewJnI^Hr~ zlSfNwigT1l;a?U3t%!|i^o4I5D=c~#P!}xQB>m9KUXwiH5e>^;e>#uGiQ2Axg-G$0 zEAc3VpCD-wp6c{fmUkWDZ?MjG#T~Cf8+qcPyw!GsXXQFQe(I-SR}Mf|Bf$gRPUBts z?a?a`|0)(usaEfX)X>R|0}@X>M7YL7telxcc}r_ffoO=p54Z0!wK*&>GDral4Js@x z2wJ_U%M-;j_!hO1=93Q=1KG*MIBv#u%Y&+l0%GO}68YSc5z&IOl_D5sB{s8%_XIR^ znog6NPWO-H_{`q~qBUfk-Q(&{9WQ_(=gem@el89rxB|;_`^J1^wehwz2&LUXih~uX zN{k?O&|PaF(^+jdPB+dhMtPAe%1%O;v%Mf`(cV-7e4sQa%1b_bIU-)91ahY~cRnS3 zXZI=jsWqAS#uu@w{brlX#xce~+T7%!(_VNo9TGm=%3Jjui>L9nWBYzbR4V{XwHa=? 
z=Ea(lxQ`+5XS|ZCu2c!3RT$4=`hC0-joqoZ zz1|z;mXTX$wKIIq);-%QLNHG=8tSD3*2|Lv(iM|JnirYN7%H#x>g2o5%6hx!NlkNm z^XBT-deiXwJpwPPniHZcJCc#RCaNGo$30KX>pIgf2M{gUBSLw)zt1qM$TKG^UCYPd zamt*4&hw$khT}nY(;fR$5xN!EW%%WDp#ay(V_T>4l-5Tm_Ma!pWOZ6C!Nk2%bU7LZ zMa=@RHe)_N<*I8p3D}W0OgW9t^24f`UGC0#+3IbLo}V_)vSXT9$AnFnG-)dWE!md3 zbC{#BdRT8rsnbj2CYUdd$F3*Hl&gWSzTazrN3VZ?0ojx?gijNWmY?Tb*>5TbA~lh~ zMCypcksz%+fwKKX>3B^qBZ%zZU$m+*-Qop&7Zd*%nU!<7Q0?B|rEkcy8F75ZyYygR zBPU*~{kZ9pBf${0!@vonMy(&u0tLkwqtv(qsj>gC2qp95D-KsHL(0_A?IESW2L@$g z652z%3gXFRSU2-Y6*hL_Zui0(mY?JzzY4Tz?^`AD;~`4O7@jjHyzl- z=X%e%U&{Qtw&Mc4mQ+1t88$RGc>of@gG`+(3B1l=J|1!80e42$?rR4(+X) zZock2LRuFlF17%C$1G&_sKICwt`PKZI zt27DT`%%u=2d!p8~se+|X@2moeZ1->1j_n?eV+Zd}MPp}>l}u#8&q#&R zFsNKo;V)CXSxb=_AkOMQTSfnY*8UD9?ZjFLGSo5=kcYzT^{&aB`6aBMn&(q}8=7cS z$gC#WM34ResYxye1jbKF4Yc?@N|e?8eTJ4<7Cw)sRBv)Ngv8QHVM@}6gCeL{V4iFB zLK7x|+`w~DxN2pk)Q02p=s3y#HU}=uG^D#C(!i&|G)%D zS#)`x>E6w^C#ta6ie*Z|FUNC)fP2V|2`35dmo}%cX1m&XTwssmX*@T^hGK$fA`poi zpC9xBnINj{De5-al&a>0{W}H2jFwL4O2!UDzuyl(4#VMC2 z65q{?Q_vq|ved#f#_~yH=!2Lnml=K39IR7dBdzMQw{;Oj+@qEn?IV)K}Y0 z5ht_YmB#kVUUz)zu4=Un?8w3Ko1tQC&?f)f59BvBaDQMdj>nCdOg(y4M!kc=1WLjL zwo2}GD;z`=#Q$_vrbj>t=qCS07yI_}B?NPz+4we0P@j~yS!tFmue<9Bge1R|kS5c2|^k z^JyZEPqrowmxAp<>u4r7Osw27`5fxAnYb)`z8}CpNknQH+l>+8Nxx@P%|km0 z)2bPm>JU%M;r}p!?WfPPa=E|Zducq!xoQWyhyUdRg17$h0dfB?ACTcL@yD;l?kuPv z2yHTJ1rfG@@Ec*?rA31oWaIsFjxcbQ%b>B(EA)!ycmqAEX1=EylYVjk z%}Zh0Mz9DP#pU$)!Z_(65?4IA1@CqheY&r3O(`1rz31#LKF@cS=emUnlY9^i#zD@z zCTEQCf1!Zgo_|mPP^LX|tnQoW3`4WlftrFWXXt96CbBwr*5icUDN^Cjko7{_Y!GNO z)U7Z>n4cWwG~g7`W65BGoa}XLGa1se=$h`+6t3CBiv7}U5x%t8Sc{r?F}erppB97` zJiy7!i9WC?s>$~JFw12A*WS(Ah zO)UOnGQElbaIj$ghD8p>Kzo>}cHpi!ryy=f_oy3xRJb8s7nk}XP?RPikJ5<%mZcT_ z#{&7|*V_O^(hc$Z-dgA&Mr=m#Yt$kA4aqs4UaPFa5otA;e@9 zPoqh+{7QR>4NDpUl!r=I5&f((r2r*VWRe9*Y^Cua;I6C!#HvJk>W+m>6vu7v`1Egp ztZm8i>QBwU$SLbQcY3+`PTe^WS=|U#mp_Jm*j;yXpfBH(5q1|wHeMH0gj6Hq4PTTE zlQwn|SL)_R@_NCfm0y%T7viM&jeijmVv*k3-k=Q%3(eB$oXSX_^$F{wt82FKojk~; 
zwOl0_0InZzt;|ww|NWmM9Pi+QwWU5;MYy%danCn}daQ%X`MCccdzp_z-1f0WsuVFn z=yqx2M%Ty|d-7Yl8fr>-+_1k^nZYYZiCT#y6U>@H3|MD&UKK9qOjcC-Ib)p9;VR6w z!3q4+9*P8o?ELPw1>-$jz>Ajz&-%)QVrefR1vV0QYrJFbxLorFC8CqCrJjOSsb;S0xh)_{v0ujQ?n&?(BgSbk8rFnPCeXu4o%qE8ed^5 z(R4t3g+9e6xx^Z>Gv_OWxNBPzoQGTY%(2A@*$b~p#HRS+l z=va?-_FZ#Ya~ngLO(jQ5sm*1p$w@19LqX6@RrXzFS}Un<6LlHg6^lh-vrWdEI{vsw z8zj-iZ0|LD!MqemXEaosHn#GAni?a#q*x!SewZhpSnt-zYKXM{`F-h?&^Gc}z!9qB zU)h>7e7Wy*A026yf&qEMqE*^m&_)Z`Og-AD=?xVmL&L4qp;3xRm80$|mu2Z-aR!|U z85P5{k_JWDzSu>o?`AFa76Q%J0o>lX=NjgB%2iG;wE|Jcqc8^ajy;HRBh^t8R%XCEv5t(qu2;7pV zQ2F{2YCE0FE3-V`ZfnS$kQ*g#)uj!Xxu;i>hCD-GjMng*gC^ESoCh|n!I-QBm>G^m zXy=^T9Onv`Ug@=PRZ$${ZE1?gtr%)StSbwbG{;VJiz*9C6{2d68j=;QC@sSOyE^o8 zgH1*T1Zo=-HKj`bH!L+IChysAsL+sx@mo=vXn4UU&*iWrc995$=@8ly7Lr?0{EG@# zxFkPz3giaE71o~9T}0CuGF&jx+(G=5r5U(?hbu-me9faKfBdBb!@#349@bs6s3}`{ zm^d#4rzI<0?$w*D_|E`Hl?J8$Coo^^x}mh(k|HvlZBvn=)vv>Q`Tip0Wh%Xz%7r}1 z>1|a@g+jVHbxVW7C3VXv(&QCvsmj^~P$}TQW6ZQ_Jm8adqZ+^hT6Ly}UW)0i!p-^w zA)@WgZ3`_4E8tAL{Y5RVM?)XQmg1vViy+%W+INMbUq#=oaMv3ff4?s-SI)DR-} z2P9(h28BEae!n^RJ1#s1P3RNg_Vx%d=@mDgTEQt#%C(W|6YALc=$wARM1=nPTOqQkQP8>W1l4wO<=paVr$i_F zKEq6WI}K=kj*Yanet#W@)|T+`gB(6v9v+4(n|%WPCVaZr-&z`#8Y<$%t^==QzSA_Gg zQt&+W5e=~iP(I452|yw2LMsq=w?h?4Mcpty`h?nQX6TslpuzVESc*$Y{WL44jaft9 zh|u}PprL0BXx2Vj9x!$hIOFQT6~4(sW%e8wz{oDr#=cz_>us(KbPxcW7*8gQx*bBe zf6y`4$@_O}z1OfFWMeq{^Y;U$PJ4JyVJmofu`(VjKX+o0DO993oK_+_nmZ_qvfal+ z4&)?UEQUaLO;q}gf+N-bglxEjS>rqelk+@3VN?r&AL+Xb!BT*pfV^Vo>2r(hC8nr# zY#$-PiGj#^^T1fOf=-uaYkIVt%I6lMEH_kxs2R(Ye z!WdzccMcoWBjV9fXK=f1s%*IUaTRaz=e(Lp?7M9}^Wm zvzR%uWYS0LdqIL)4+5oT`c%2Waw(1K%te?pgI{H*iFt>Fk9-ZF*+2iT%tj{jDwFa4 zrV$_UeIOAxPu~DGUS)pCCXVYph$F+Gh>O9sL3cjWHB44HyEKbrk-X-_R?YH6Oi!j* zCdYlLAx8xynqP-*6Dy`3wZA5YBRlFqNc|1Uz)E&EQ>rZJM;nq!GiZ|y^N(`frl80GCCA- z=HjT~sSO8JYVE+z83S1yTmhoUSd`=Mlv!BHq+wiHP*Z~|1Eruq+P zo)2SW7W!SQIwXuaQ@PdAw)Zg|jV}z=Ukgt`sJ^~ABqqN&z`B$P_8e}) zdb6S%d;&T!XDr$pv!YfMYc~mMb%&^W+d0p#ogT2uB($}hW{|^{@Yt%WuB{@Vv(U{6 z)LxH>GOo4k^}q9cc2MpYrvU4ID4byY(QZ4aPphxlZLVjS&$Hx@*7nYj(7imD+4dek 
zBLMsfP8cE6Ust-BxiUo~pg=kdUBBrDW;8VX?pR%hS$-caASi2xT9&%#m(-P?`zhRr zKK&`0r^`Co=}oaFoQX*#ILM~VG5y#@cBrg4rpvGI%r+zz(6AvR0@JM{_vc{&Wr8B)RyFvU z4WGzK;Tdt=1amNyu}tlR(o*v*qj2_;g3Nv^ThlVBfj0yMEQ@0~ItA%ir8TQ2^h(fow0g(eSzDUKqUR~;(5ah5Z*M}=*>bBOp zSY&X{#D!`xbjT7KH46bqXhRKYLBL4($YK;^Svx5(r%1<70nwvVz`@nf}glDH>FDLZ8?2X%ZzbqMnO;d%7q9>DH!B*KdI zh*uILj~yoS3milY#Gyvq6?N#H3fniblGq4DfGr%-Q8zcWKj3lBTXhiDQ8iSH{-_^# zs3+dwxgm0J-^b~SBCFKxRQ_diMEyc7=1@8FQ1;QJgY zUG5^vJ&7joF1fJ1Zd2r_wH#7N`RMRVA~;%_!ip?!?N@ljy5U#1e()@&EUcLZPyYG>a52$McINUc9eQhFPHV>i`HD7 zqn7Kv>|KXo&MOjopu_!T&52J4`OeY)STb7)fHFxsO0p z9pcA!rp`T-;g*VG765Of+snY(ViD&q(VK>QoyUJ-Egkm=^L8GqySXmq9Zai$f^2+s z{!NQ^?+4ZbaBkH?59_It1;XqfM@{0>?X+3WfHnG$MqTHaILaxlzM*k}v+(Fsga0O> z$E7>Kr~5;1^iJ6C#!#FxrEo-BbR8pbq7;BTLgQ*~)}v`Nu&S9^%z>eWtQ+y}HfaEgd|QqM5hWa?xN{GX=2GAxd! zX&1Le1A*WcT!Op1ySu~U7J@Gj+&#FnxVtB~ySoPq5?lgjljr)b^Zx4T>FVmcs%3g+ zx~i;tdY&A1;<180^UZR6rBWA_N5Flzxr=l&SR-E`bAtme>qBQf$2qY~~&|15D~op@hKYN>eq9Z$#`NguikM;l$MIHIuO zHUZxR%8DI|HA4pR#dZMI&G@FGo_J89Wy#vU}4Uw8KusC{*rU5e-|cFNDDmx zJFS?z3tanS3cX)jH6`O;2WHP9CNz@$`8dt2wdoRCj0YTlp(e;|+^9(Myzd z(m!+v%`as%@`m=ya%K)ja(_yUcWy@{_Mwf6n7!} zb4$1Sc@$QEG*y;0J8!?|vIxD4;#A|a)6;}$k6DCFT5s#d3QRD71D~3G&wsSy z)4sti>iq8{_|w5o6Fc>@%?q}cR_l_lQyxAbA^DeRLIKhip`8FFwK&%sA&o0I6ka&n zqX`vna`{TL&1x2zm!mzDkO|M?6kow)u1N7!+J4T)^T5kpU2Zj3v|jDL<1+ee+&#vx zWENR&Yfqo1f^{?G3Lu8Rc5RsUOTinR_(*S5t@;rqYH#z-CrmapV zf&S)wtn_V}9>J{5b&PDf7MsK9V#fW$5>-;Z5+TSps;)|JT$eC-6}sDu9JX4vk&Kmz z?GA6M#^B&79 zguDtF8F1unttzOF##Fi67uB?++yRw}DB<|#7P+x<)C=R(ryAuXjj}qMC_ne1;IoLC zls7Q9qAe^3mR0Zib?HUD^(!xu$0wK56lp+O&|9R0fD!%u7X|n3bl32hdM_!PkQ`>X zC$_6tUVX+y?g^=g8O_#xEfuL3&Ld5!i`rlH&E0htIfTKoAG%ie%a*qeZ$hN{Q!NhK z)4}ozE3dj#$;PmX3*d(`riL6Z*=ii56N~G=YO%*WlIZC#@2!E1 z9Cm}wzd6;PXv%TkSt{`I8|63VF9K18t?NU}9GW~-74B;4M68;-ECG=aYaail#vW#U zmL7_$2M62imLfk7a9aJG(wBzfEjzo9Lp<3-tA9MW@U~nSa8b70uWM)@D^(fY=dyK; zKChi~B-K@qR8L4TamYG#&%ve3jU^`%gZN*O3>w(Q!r zH{wryy!z$&)RDOwUlBQx(!5R&TWvL$J%a7j!A^G^(=tm7JawQ?OX&Bi|1@FCl}RbwA~rVM0ozQ 
zBbmeSEf4_>S0>X{^AcvFS-^a(i0hC(L}fFB@Es>pEXUgQ4U6Omg5iv#{O9NF6$_j3 zG}bjW>zndrpmhq?n%x!>k^cO7_=X3yq%}L-Ni6>y*2t!=DSKi_fM1XxYi`a-PMTwc zlhF5P{7>kj(6G(lao`-h`a@`T28>pk)k24rXMK!7Rzwlk%eu9I}uITOo z9*RE)(;;TSTR*UmN2*D3P_{M~@QRsN!M*lD1d%jQ-vJb;7N{N^78c0?GpfjzlS{~) ztZfZARP1=e117Sm)vk=W2dq(&HuwwK+l1kkfdI;ZecwS5`9bdAW&6$`ntU=V0-Q(| ztZfll$Ky_f{_xP$pnY`{viJaIJ(%@-GW})Nh^|Ria(#oaZJQBG({9f2^iZ)p$w9Fv zbjG8Xc_lt^!sF2B$Ug(Sn?;vV~|ls9F7!UmNgP8XAe zt3F?WN?ed3FTY*RTlDUT6I91l(+HEZkXqB&PbH)RZhtuMHQ)mc`YGakG+CCRI?%Et zE6N*g%a~vO0%J4DWN2csj|5!xlW&-`b+P+nRyER&D|#*juG@xJaXiCW$sCww1tKv^ zmjEQjO6RbL$7HBHKCxpae7}bIG4Xyi>pj$Do+5?Vm!Z|fb#2I$5rSjEn`_VyRo4@! zDRCVI3tpm1%(H_K8;BwV(`3VE^|_ePM(UZ>NW_@B&!n z6I?0G5=+N_M5Gp6ijJ$vDrvcnfAl~xYmDu`ib@D_w&qZYpR_@d*;lZCq%Db0QN{Xn zc+BLZmZ2eWVo&=;I^O!`Aw)`fRk#5YmKMfL&eQEgBxe>hq^W6(Yb|@gprDjHI&bby z%~Z|uGpkZ=;(&KNr{-Y3FK$IaV^5u@f&BXq`>&js;v3#Dqv_e9GKU(<$}*tNl6-4E zL=L)MBDdn;;)45`g@oB$CW7$alv2dm4>zjD$)w`8a)XG;;2^$`@u^RWBKl{dm8x7X z@#;>0PA2(4oIKI5G8)QkLWB#`36qM~0K3XuF@ALyr%AP8q92E8z8MJpVU16QS%;Nc z4K;H)M+8Xqg@(jfE=P8>wArsGawX_tw;vzy>%i{5-uAR{8p0o?CESkk-R??wXK5(2y(t7(!24VSQ^ zF;+M&ieNqcc5Zk(Lxa3ka^1zGU-g6r?Fy&_ z$?S@&NGRQL4eM%}O@Yw5`WZy!$=vwK=?dx%IhLD($Z!^SF zWLce#>(ODDx@dEEU719(B5V>tj`A

  • hPxj*Eh)EG9JOPel#Lwl5mX=miXc0}v)-PBU z*OSE)bt}`16Gbb7=MuYHwT>kdN1v$;$+j$y8PPlPcs^Z8(UKk~RgOxdzk-EP$i!|z z;fbAPvlG#Vg&d`b_vo|4ZON`_<=c$K-f)saZrE%2%ERm5GkN(FoVKuaT?RP}hRz+e zT`^~S2g5ENSNTRa2mE>L6L9#)57~Rd*OSP9uDHEj|?x< z9i8*|MO3^A%+mCexo#N-dL}mxt9jd0C1dT_y9Iq~YPVxZz#rs}bl%8|sh~9dNFCqZ z^t~|^$913)@%wXFtw<203x%hPA8Ii`+=2i~EF3vr!ipiNEJ z%VG+vjP>jm4$jwlit9_8m3y zDz06j4X^oK{Rsfg1A+KK)8(cevk(ToMkI>x&^h zV+7TUsGO>NN7(*zNV0ye#2v*OC|+&;j;RM%1zNzffPih&7BO0R*G0FO*$!cwm zWK>PmW7((ZYLT-+KbbF4%0$L&D2A(v53IgwP%I4;-k3Sr>#r^p?pi5HH#Lq)2cjz{ zCD`|)7ME9(R%kIIRi449HJKGk%V=uHYcg=TWbxHmza_aWZ_7I`usc$H1)*OvKwkLS zj%-Rx#IKAQa@W&bGweWk-JW>1C*z%;%gusbLZsj4sT)I&wWoco!9HfJNX~~mL>aQ7 zk6dSBRqD7&x@C8QIkpi|tGSEdePre|Lc0(09MX~B!CEqq(@Og32jhZa)DK`lR3@DU zoH>X!_&fEHFtn5wR>SgfAk&lputwr4^+`osP0WFbE?6Hc-oIsr34tV_PvwX@D-iOx+kRp6i8o3Ia=8~4lQIo zl++M1vXQhOPxRhi*!AvRNaok~zg}zyA0xq^Iem08^?7)%f5PCj916r8MjvP1NoXbA z#t!ISu__vMRX9^8Isb{t6%Hr%kLm8FushqS_Et?W2Kl>h?g_6v zC3D=s)UuyTH5&RS6Cd?C#mm8V<~33W9sBjA;G%U{H*D;!A1{Xa{-4r3pHtQuP8xtE zRVUFU)au%NeO7Eq+O0n<-gba;}UbVgF3olNVkEl_u~F8iRx1gJ`+P$9tVB&6Kh$0 zg{~c%OdNFausAu}q*D9l9*F{77!@aJg4qcE@uy=a&d@mW@>(Puce=2|)mbaW-ZnJ% zkp#|#;3Ts*5ULC2-n1J0m6qOx@MpbTh{sJ>s8*As_i(sl%bS31ld% z@Gc#?ZXy~@OypMI@U2AFuWK^jr^wzp6KXeyw$`UKfqP0z2$46+gE=aK3~1Va?Itz zW+;E22;1O<+hfFna?j=|tO#4+M95tjyfLsG)QH*9<@2y6Y+w&rCzwSITv<)ab{JQR z2;{OV0lA}=j%*B`*_(UN?=AdGXB)Y!X#Q;eyC#_ZM?1-71*x7y)5OZ}Wk%T05VNu} zc*Y^40AYE(q9YDTQkMVGH?#7u{bdfRKqC({_kiTFx&H4CgvEa~A&q4e(_cxlD$ar+ z7$*G&Irbrdn%s>Z${{TYAVO;Biv7n$ZG90{0sq}4uC2(c*ythA=Bxrgm2q)3zPA1g@n*rkvfDZBq=f7isUq=R1U{-GS` z`6uFk_!PXGVpf0Jid$Sy(hf2m63+Wv_T5rSfXxaj|`|C8L+`=5-!fH8WM zyy*CJ@=t=HnlKq^vj3x)lDYp;73lw)I$USk#iHnY_VFK+V=FC8NCox^c&aIKwCrV=v~jLpl)M2WLTFK7$gP7lpX zhbL!=G6!m5#HL40)K zHVJTRZHks~&ogiujtfN1`;qdR>+HQVP3ei0tHJf`Y*X=;(v&dN3CzBanADNp%W>o)!Iy1G_)hUTlN%_Wlt{oxeb{pqR0N}+WW6ApjjE{H?_f!vh5fWg zD}g%>`xH#?YRZ)-yFHZHxKy-JWT#Uoj3c``n1b=r3k2 
zQcvGF5`0lAT^g@R*Q_i1g#A&!2>Ca@9bFK=++LY;zfBny@I3phsU9Q}?IQ#pQPVkZ?C%HO14Pkc<^`4mvRBqrLx>i+ZM1Za%M@gcV|2jEkZ_L~`oZC}C6BSJU_=0U{V5JUE{Hrow zefJqE>FsvV-O<449>ihYRivhPeH-?3)t6lOK1f0M-9p8b#CT&se!(L~k8zgDFNo=}U@$(qQ&2_}_vK;W2-HgKlShG5MPM|CtfU@2)ca+}56 z-u`wmr?}91?`mI3PWf!)gIoj>a*?6WD;{bu6 zIVMAu$oC#)y`34Ze1jT81FjWQUtsC9HE^IK{d^XwVq_AN>C(FE5KWR8l?gGONX02{7d*3Dioqe#ZaT=o{b_1<>S$l&Cs+Q~#EbT@ zHcBY3q!l+}xmq%G$Tn-!f0X=0Z}NFJSLqqQwnL!-bz3{Dh9mXc+6UNXYsVP;y|Ly> zxJ5iX`tL8hzM6GCY0ng#^l!=Tjvy3dLzeC15+Z19FVr+SM#v%Jfqt*!76KUxW|W9f z*ATYyA6qrFz8{h_ztY@rY6+}@TC=s}d~s;+m+dQrxI?anlf8}O0%q6I>#nGC1< zp_TnO8uz31AdWbta^OnuNC;zBs#@9`Q z-UQ$=;SJM?eCuIcFd=-ihO84w7Y9rXllMx&H~6Ci-kgBz;|hI-bphHHA0(A`V3Q;$ z!g+116pbc{s5(LXXvLOI3O}DHoH`!eb2ZU={Ljubo2BL zt)+}@7(n8S?7SAJI#6*&`15TpY%Py}MU5S-4)a6bnfAN+*}9nzRlFidzMfp;SLqiD za+6)w$Yc;j<`c&+J7=|jzY0g*_((cj47OWF=yJob?6U+@S{3=fRc>|<5s}rrW@BEY zQkKJ>C3@>sRu7zTNRoz>>`>>ozXAaZ5fn@sH0pl6D%rNyScHY-rRO3Q>!aeIGg52N z7Bm|=PXbTm^t!X`0icB@6+^&+pi*gdCD+Oa4ah!C7dn%j6)TCSGxD9&a(V(`? z6q<|MzOGHt+-<9^h;50S(1;-`+Z<2YxcyTWeQ@XYr99NnP^n@__i8{XlVlM_;0Ib+ z$f=a@WKKkBI=5ZS&hr$9I=5}+A(p))*i5L89zQqd!59@8gXF6`O!1Itk1r#rvf9*h zhkw~u??1GDzTMM(+gt1-b8xEt#n{wr8`V_&<_FYSyS|RH`*fOWCVtH6nfKvFJ846T zl(ITVl|FK59VnIY{u~=1X;c@u3ZEybo{O4MPB7R{YmcNzTn+h$rq|7tp*NvXji|`f zrnzIG&(S2Q4$|kibtx!=^f7pPe%Ij`#il$WBCWrcFGDZo5W)SYo2WVlV0yj}S8;DuEgp zTHDaaS;ww8wlp|do-TcBVof!nuGBm*sdrX6FiAq=p{12+kHSB;l28eik*-IY#8Zi$ z@wc~%9}Pqr3Sp+tO5rEC&@#GqT7J>Jiao(Gulue{r~mD$nQu_p#Q05Zqur{|0$!ja zMt@L{5f1uZ)Q|B$g2AUXmuv&{&Z~qW9O<0weZ-x21uQh>pieAiV$T{TZ_dRfFl(7Z zO#6s$B!v4*n*xikc1|R79xa~6f$-9m-$F0D3puZZ{^EWvUvavJh2VbH>#P}g zCZXBX{)_v9q0Ukd`kvhdD+$C?9{cnp*H5mL z9N~~$|iYZ0*%*f2swcsmRl`=0F7^g(gnl| zDg{*j#VKO73aSi0XezYcnoM(p%G|4qZ8uz+$htF|7c2Rmft) z35kT?5S!%h!suCgJpxAp2Z7elNEzE{AqPTfWApb< z!#^;pS!O3T(Lhut;Vi_+lNJ3==RdfE{?v@88%d3gdMMCUMp_+IW>}W8uQ~nU@UAge zxzJCNcJl8=W+qkx!%v+_6aXOAXbAe=-s4io9b?6xeC~L4YRh5#T&)*HXd5XM`DNjz zqiTu8$U^C{#eHMr;neO)4^;E~)&H3-lXkXyoEoxV)|w9nz|EDBZ`aji+r5vMcGz1Q 
zB&pC#xy_3!X7W*L9U#?zsT&|ArFqpcDzrxlH1O(Zh7kkqGlTQlbP)z&Y z|DnjL-`Y*i9He`bl{&GPV?gU0V5}8;3F%8J$B9f|e52SN>DK*K0U|b;hfyZUX=!+*H4(K$$I5p?i`jf95$Xf3_nwVP=j3LEVDC$ z@a|~)^0M}J&wPdO_ud>=K0Ntj4{oq852hL?_74$Tl;E=(fY=E^j}VgXj7KGMFr!_M zTQ3vRN>Dr#(xZ&%Fld&*Qk~4=(QuW%v@jwYj`XZ1fKLnDj%E17p*pnkF4RY^rq+c7 zIqLTk>d~@UY~~;l-R8q$oDieEGiv)I>#@HW!c}fK`cQ)yVN|iQLhVox=SeVgqhp;P z#H001B06wh=k^cDaUYSL(K~cakP~X+BkwQLcyCFTS-}Cdf0*;iuS0qjU^6zORO16)CQx?Bm1#YNQ?ai#bEGYJzB<1^@ z2Hf9{+S0ggLNUcY#rr9T_Tyi?)C(SciRI3C6kezrjH*dzVw*yH25 zD!lyK_&g!490igBcS6s!1Ve+YS+ZoA1LvU=0#n{Xnt{@x8xF`*S=4TTKN!7x=uVH0 z-Ag9O-`RAr5xtko_`)fJ^|gYj1$Gx*zj3gud+&_*03MOHCbF(j6S}e))oFi29L^70 z)_>RES`fEO5y6?Ug>HP`+|GMsjE<(8oD+3`nWI^a}6j1>53m}kLeYPy< zWuZ2#k43IRGY#!l^+Q&0Ae~Ho*w5qfBMq8*)%a3FNEtecN%>b?@G6f2{5`}>hBNOIL8+Q$9G-wpAU(PU zv5lOdYaWV)zQF><%w#_~Wdq`~Z>t|Xh|QOB-4BN)^;nckm@M+cbh-i#9CGxI0hmO? z{N*}r&1M&oR5n+RZ@56`%G)c zGnt6W(@b?(Zy-XKX%wuWAkoox8x0bUU|8T{M5uF~z~<6mpldjH2y6<6D$fcoqOD6F zE~0l9kBY8kJspt^mG}cNUxL^0sYtaT<4!n%-K*cGYYXN?QRw8b zRER+jrw^m%x|~KaNfoBrd$SvtXIYUC8nDAL(p0TqeO$k!87HeBRNivW&Ts50#Nk^L z5KPRPit{8{tt4lZC^Yg-raPy~C5CN*Ji`l#-#GC+Iu zxR)k|;cvGLq@V+wi~Df3S2?P0aJOcx*Ly4^WZ&}}UDiq_^Axy0>|;_Jg}Z)$mKcjvBGdUFnxo(r=o-W4gp zx^K*u>gLH|Q z{1>WgBiGqnkfW>jnXEWB!}YCwer6%e(P3$bBNy6+%K9Nu#{&RFrT<>g=(04#iO1LN zW`CQIc_EIl7rzk`q|`pXiW$p<@%#;SuaTKo`Q0EdTSka9+7BKA%`MF6q@m|k7A5p6 zut`>;76Q#$FAr1nTrW=?_8?t_0vFug2Zxms_=EkM)ud2Yt;5q5G2S6~l}Q)Cfjzy@(!#1rl6CJ;0}w5CM-jwBNDaIiOu@d z(KKfW^*ZZ=;$Tv!2}#VW6Vl;dA<{s9`;|pmcJ6DEgJ}-#ArL}`d<~HzGsp`CZM`Jq ze&2m7Y0&4dZg&Ms;60~+QTO%)7mwS#Mjv#mqa5x!PrgOpmHr+A za03Sa@c4a3f0~*Z2sL9K8%Jt<<;ZB)&pTj+Wh#-<|J6vICt2uC2m{jl?P*MCGeW+J zGp**j@Y6y+uNYoWFYmwwhRHHzBs3t^ckMSYkdfE$zDP9n?>r`x@6isZzwu!juXjnK z`siSvZHxMDSRM=)SHoybJ3V^=j1+V&f|q!Sx-WnHhM`)z@31Z%ccqFmN1r{0EJ%tY z;@)$eapq|JJV)332_$g!FyWYJY_OO3;7Kkn=_4Z_P+RQ%Y$F)t9s<}pp273xi%*eC z*8iDjzrkd6o5sq}K7Qh`)LT4E3RYbe1}Pv8lb7wSF0788J#!o0P^++Lnn8>uj%FBR^YHS zUDsojuEtLMv*E=Ds+S5+^eJ`Th>xiyE#x)ie(ip^yD-Ih*t}V5v3P#C-MWAL@B`v=!F8Ws+1}lj`KrY><=Nz~ 
zIQ^~PpThm0p1W@y$_C1IqePomU3Zi2+j7<*V4RZJ>Fb)dtPBtXZH=;2_o*NWo%e3Z^W=7o;K3Ke-=<8olCtDJx zN=sdPK{0(%l#N^V)z>-ODZht(qUDcEX=9FS|6jA{9PGy*LdP}Eq#o!JWd$tISXyU{B}6R4aKh)lfIF?CLqSo@+KRfS56RE$Z0H$jvff^S971p;e6~7VfVJQJ& zL2JPMB2ZZWM|q>asQl#w?MhVr7Ba*84>L*c?5ie|b@aq_^eQf`u7XsUfr~LOUY#g~ z-tE7aqz7)k58s$Dff2pIh;c#3u#})VL_1c$JnN@zRTe=GHbH}^ET9Z z14}P3#;pRW5DGXhTH!Q^KiT?8X6j}JQoKCec<$H#TY>a6UC19tA@@W2Vi>&M~&& z91VoCI^`VS)Sur9xhLsDemDvZ4NzU53;3_AOmc2e?_@7rSaQr$tAO9qL8uL!j14c? zuW}_phYh(X2B*g-M2IA?Q?Qg%n$fC)hG(~y*VZ>sbX#Pr7Dm93aX7R{VKH^AFL(dP#W8y$$QT8@znX;Ux3m+hr# zW9ga6>sxdnJwLKBSZ)cfVL8b=#g{M^{T4{dn(Q;ypZ&mY>Za~LI`AdW<{k%xxCf&DM;87w65SrWV_|NlllOOp2_ e`WN}^|5r-->`4#!pU7uP<(^~+_?~|wpZ!0=r3=9T
diff --git a/Solutions/SentinelOne/Package/mainTemplate.json b/Solutions/SentinelOne/Package/mainTemplate.json
index cb35fd8be01..3b9864bfca9 100644
--- a/Solutions/SentinelOne/Package/mainTemplate.json
+++ b/Solutions/SentinelOne/Package/mainTemplate.json
@@ -320,8 +320,6 @@
 "isPreview": false
 },
 "permissions": {
- "tenant": null,
- "licenses": null,
 "resourceProvider": [
 {
 "provider": "Microsoft.OperationalInsights/workspaces",
@@ -383,8 +381,7 @@
 },
 "type": "ConnectionToggleButton"
 }
- ],
- "innerSteps": null
+ ]
 }
 ],
 "isConnectivityCriteriasMatchSome": false
@@ -2113,8 +2110,6 @@
 "isPreview": false
 },
 "permissions": {
- "tenant": null,
- "licenses": null,
 "resourceProvider": [
 {
 "provider": "Microsoft.OperationalInsights/workspaces",
@@ -2176,8 +2171,7 @@
 },
 "type": "ConnectionToggleButton"
 }
- ],
- "innerSteps": null
+ ]
 }
 ],
 "isConnectivityCriteriasMatchSome": false
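Review bot: The same three null-valued keys are dropped at two separate sites in mainTemplate.json (`"tenant": null` and `"licenses": null` at @@ -320 and @@ -2113, `"innerSteps": null` at @@ -383 and @@ -2176), which indicates the connector UI definition is embedded twice in this file with nothing visible here keeping the copies in step. mainTemplate.json in these solution packages appears to be generated by the packaging tooling from the connector JSON under Data Connectors; if that is the case, an edit made only to the generated output is overwritten the next time the package is rebuilt, so the connector definition file should be the one that stops emitting these keys and this file regenerated from it. Omitting the keys rather than carrying `null` is the sensible policy for a `permissions` block that the connector UI reads, as long as both embedded copies keep the same shape, which they do after this patch.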
@@ -2774,7 +2768,7 @@ "displayName": "Parser for SentinelOne", "category": "Microsoft Sentinel Parser", "functionAlias": "SentinelOne", - "query": "let SentinelOne_view = view () { \nlet SentinelOneV2_Empty = datatable(\n AccountId:string,\n AccountName:string,\n ActivityType:real ,\n EventCreationTime:datetime,\n DataAccountName:string,\n DataFullScopeDetails:string,\n DataScopeLevel:string,\n DataScopeName:string,\n DataSiteId:int,\n SecondaryDescription:string ,\n DataSiteName:string,\n SourceProcessInfo:string,\n SrcUserName:string,\n EventId:string,\n EventOriginalMessage:string,\n SiteId:string,\n SiteName:string,\n UpdatedAt:datetime ,\n UserIdentity:string,\n EventType:string,\n DataByUser:string,\n DataRole:string,\n DataUserScope:string,\n EventTypeDetailed:string,\n DataSource:string,\n DataExpiryDateStr:string,\n DataExpiryTime:int,\n //DataNetworkquarantine:bool,\n DataRuleCreationTime:int,\n DataRuleDescription:string,\n DataRuleExpirationMode:string,\n DataRuleId:int,\n DataRuleName:string,\n DataRuleQueryDetails:string,\n DataRuleQueryType:string,\n DataRuleSeverity:string,\n DataScopeId:int,\n DataStatus:string,\n DataSystemUser:int,\n DataTreatasthreat:string,\n DataUserId:int,\n RuleInfo:string,\n DataUserName:string,\n EventSubStatus:string,\n AgentId:string,\n DataComputerName:string,\n DataExternalIp:string,\n DataGroupName:string,\n DataSystem:bool,\n DataUuid:string,\n GroupId:string,\n GroupName:string,\n DataGroup:string,\n UserId:string ,\n DataOptionalGroups:string,\n DataCreatedAt:string,\n DataDownloadUrl:string,\n DataFilePath:string,\n DataFilename:string,\n DataUploadedFilename:string,\n Comments:string,\n DataNewValue:string,\n DataPolicyId:string,\n DataPolicyName:string,\n DataNewValueb:string,\n DataShouldReboot:bool,\n DataRoleName:string,\n DataScopeLevelName:string,\n ActiveDirectoryComputerDistinguishedName:string,\n ActiveDirectoryComputerMemberOf:string,\n ActiveDirectoryLastUserDistinguishedName:string,\n 
ActiveDirectoryLastUserMemberOf:string,\n ActiveThreats:int,\n AgentVersion:string,\n AllowRemoteShell:bool,\n AppsVulnerabilityStatus:string,\n ComputerName:string,\n ConsoleMigrationStatus:string,\n CoreCount:int,\n CpuCount:int,\n CpuId:string,\n SrcDvcDomain:string,\n EncryptedApplications:bool,\n ExternalId:string,\n ExternalIp:string,\n FirewallEnabled:bool,\n GroupIp:string,\n InRemoteShellSession:bool,\n Infected:bool,\n InstallerType:string,\n IsActive:bool,\n IsDecommissioned:bool,\n IsPendingUninstall:bool,\n IsUninstalled:bool,\n IsUpToDate:bool,\n LastActiveDate:string,\n TargetProcessInfo:string ,\n LastIpToMgmt:string,\n LastLoggedInUserName:string,\n LicenseKey:string,\n LocationEnabled:bool,\n LocationType:string,\n Locations:string,\n MachineType:string,\n MitigationMode:string,\n MitigationModeSuspicious:string,\n SrcDvcModelName:string,\n NetworkInterfaces:string,\n //NetworkQuarantineEnabled:bool,\n NetworkStatus:string,\n OperationalState:string,\n OsArch:string,\n SrcDvcOs:string,\n OsRevision:string,\n OsStartTime:datetime ,\n OsType:string,\n RangerStatus:string,\n RangerVersion:string,\n RegisteredAt:string,\n RemoteProfilingState:string,\n ScanFinishedAt:string,\n ScanStartedAt:string,\n ScanStatus:string,\n ThreatRebootRequired:bool,\n TotalMemory:int,\n SourceParentProcessInfo:string ,\n UserActionsNeeded:string,\n Uuid:string,\n Creator:string,\n ContainerInfo:string,\n CreatorId:string,\n Inherits:string ,\n IsDefault:string ,\n Name:string,\n RegistrationToken:string,\n AlertInfo:string,\n PrimaryDescription:string ,\n TotalAgents:real ,\n CreatedAt:datetime ,\n Id:string,\n Type:string\n )[]; \n let SentinelOneV1_Empty = datatable (\n accountId_s:string,\n accountName_s:string,\n activityType_d:real,\n createdAt_t:datetime ,\n data_accountName_s:string,\n data_fullScopeDetails_s:string,\n data_scopeLevel_s:string,\n data_scopeName_s:string,\n data_siteId_d:int,\n data_siteName_s:string,\n data_username_s:string,\n id_s:string,\n 
primaryDescription_s:string,\n siteId_s:string,\n siteName_s:string,\n updatedAt_t:datetime ,\n userId_s:string,\n event_name_s:string,\n data_byUser_s:string,\n data_role_s:string,\n data_userScope_s:string,\n description_s:string,\n data_source_s:string,\n data_expiryDateStr_s:string,\n data_expiryTime_d:int,\n //data_networkquarantine_b:bool,\n data_ruleCreationTime_d:int,\n data_ruleDescription_s:string,\n data_ruleExpirationMode_s:string,\n data_ruleId_d:int,\n data_ruleName_s:string,\n data_ruleQueryDetails_s:string,\n data_ruleQueryType_s:string,\n data_ruleSeverity_s:string,\n data_scopeId_d:int,\n data_status_s:string,\n data_systemUser_d:int,\n data_treatasthreat_s:string,\n data_userId_d:int,\n data_userName_s:string,\n secondaryDescription_s:string,\n agentId_s:string,\n data_computerName_s:string,\n data_externalIp_s:string,\n data_groupName_s:string,\n data_system_b:bool,\n data_uuid_g:string,\n groupId_s:string,\n groupName_s:string,\n data_group_s:string,\n data_optionalGroups_s:string,\n data_createdAt_t:string,\n data_downloadUrl_s:string,\n data_filePath_s:string,\n data_filename_s:string,\n data_uploadedFilename_s:string,\n comments_s:string,\n data_newValue_s:string,\n data_policy_id_s:string,\n data_policyName_s:string,\n data_newValue_b:bool,\n data_shouldReboot_b:bool,\n data_roleName_s:string,\n data_scopeLevelName_s:string,\n activeDirectory_computerDistinguishedName_s:string,\n activeDirectory_computerMemberOf_s:string,\n activeDirectory_lastUserDistinguishedName_s:string,\n activeDirectory_lastUserMemberOf_s:string,\n activeThreats_d:real,\n agentVersion_s:string,\n allowRemoteShell_b:bool,\n appsVulnerabilityStatus_s:string,\n computerName_s:string,\n consoleMigrationStatus_s:string,\n coreCount_d:real,\n cpuCount_d:real ,\n cpuId_s:string,\n domain_s:string,\n encryptedApplications_b:bool,\n externalId_s:string,\n externalIp_s:string,\n firewallEnabled_b:bool,\n groupIp_s:string,\n inRemoteShellSession_b:bool,\n infected_b:bool,\n 
installerType_s:string,\n isActive_b:bool,\n isDecommissioned_b:bool,\n isPendingUninstall_b:bool,\n isUninstalled_b:bool,\n isUpToDate_b:bool,\n lastActiveDate_t:string,\n lastIpToMgmt_s:string,\n lastLoggedInUserName_s:string,\n licenseKey_s:string,\n locationEnabled_b:bool,\n locationType_s:string,\n locations_s:string,\n machineType_s:string,\n mitigationMode_s:string,\n mitigationModeSuspicious_s:string,\n modelName_s:string,\n networkInterfaces_s:string,\n //networkQuarantineEnabled_b:bool,\n networkStatus_s:string,\n operationalState_s:string,\n osArch_s:string,\n osName_s:string,\n osRevision_s:string,\n osStartTime_t:datetime ,\n osType_s:string,\n rangerStatus_s:string,\n rangerVersion_s:string,\n registeredAt_t:string,\n remoteProfilingState_s:string,\n scanFinishedAt_t:string,\n scanStartedAt_t:string,\n scanStatus_s:string,\n threatRebootRequired_b:bool,\n totalMemory_d:real ,\n userActionsNeeded_s:string,\n uuid_g:string,\n creator_s:string,\n creatorId_s:string,\n inherits_b:string ,\n isDefault_b:string ,\n name_s:string,\n registrationToken_s:string,\n totalAgents_d:real ,\n type_s:string\n )[];\n let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty\n | extend \n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n AccountId=column_ifexists('accountId_s', ''),\n AccountName=column_ifexists('accountName_s', ''),\n ActivityType=toreal(column_ifexists('activityType_d', '')),\n EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')),\n DataAccountName=column_ifexists('data_accountName_s', ''),\n DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),\n DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),\n DataScopeName=column_ifexists('data_scopeName_s', ''),\n DataSiteId=column_ifexists('data_siteId_d', ''),\n DataSiteName=column_ifexists('data_siteName_s', ''),\n SrcUserName=column_ifexists('data_username_s', ''),\n EventId=column_ifexists('id_s', ''),\n 
EventOriginalMessage=column_ifexists('primaryDescription_s', ''),\n PrimaryDescription=column_ifexists('primaryDescription_s', ''),\n SiteId=column_ifexists('siteId_s', ''),\n SiteName=column_ifexists('siteName_s', ''),\n UpdatedAt=column_ifexists('updatedAt_t', ''),\n UserIdentity=column_ifexists('userId_s', ''),\n UserId=column_ifexists('userId_s', ''),\n EventType=column_ifexists('event_name_s', ''),\n DataByUser=column_ifexists('data_byUser_s', ''),\n DataRole=column_ifexists('data_role_s', ''),\n DataUserScope=column_ifexists('data_userScope_s', ''),\n EventTypeDetailed=column_ifexists('description_s', ''),\n DataSource=column_ifexists('data_source_s', ''),\n DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),\n DataExpiryTime=column_ifexists('data_expiryTime_d', ''),\n //DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),\n DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),\n DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),\n DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),\n DataRuleId=column_ifexists('data_ruleId_d', ''),\n DataRuleName=column_ifexists('data_ruleName_s', ''),\n DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),\n DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),\n DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),\n DataScopeId=column_ifexists('data_scopeId_d', ''),\n Id=column_ifexists('id_s', ''),\n DataStatus=column_ifexists('data_status_s', ''),\n DataSystemUser=column_ifexists('data_systemUser_d', ''),\n DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),\n DataUserId=column_ifexists('data_userId_d', ''),\n DataUserName=column_ifexists('data_userName_s', ''),\n EventSubStatus=column_ifexists('secondaryDescription_s', ''),\n SecondaryDescription=column_ifexists('secondaryDescription_s', ''),\n AgentId=column_ifexists('agentId_s', ''),\n DataComputerName=column_ifexists('data_computerName_s', 
''),\n DataExternalIp=column_ifexists('data_externalIp_s', ''),\n DataGroupName=column_ifexists('data_groupName_s', ''),\n DataSystem=column_ifexists('data_system_b', ''),\n DataUuid=column_ifexists('data_uuid_g', ''),\n GroupId=column_ifexists('groupId_s', ''),\n GroupName=column_ifexists('groupName_s', ''),\n DataGroup=column_ifexists('data_group_s', ''),\n DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),\n DataCreatedAt=column_ifexists('data_createdAt_t', ''),\n DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),\n DataFilePath=column_ifexists('data_filePath_s', ''),\n DataFilename=column_ifexists('data_filename_s', ''),\n DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),\n Comments=column_ifexists('comments_s', ''),\n DataNewValue=column_ifexists('data_newValue_s', ''),\n DataPolicyId=column_ifexists('data_policy_id_s', ''),\n DataPolicyName=column_ifexists('data_policyName_s', ''),\n DataNewValueb=column_ifexists('data_newValue_b', ''),\n DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),\n DataRoleName=column_ifexists('data_roleName_s', ''),\n DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),\n ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),\n ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),\n ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),\n ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),\n ActiveThreats=column_ifexists('activeThreats_d', ''),\n AgentVersion=column_ifexists('agentVersion_s', ''),\n AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),\n AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),\n ComputerName=column_ifexists('computerName_s', ''),\n ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),\n 
CoreCount=column_ifexists('coreCount_d', ''),\n CpuCount=column_ifexists('cpuCount_d', ''),\n CpuId=column_ifexists('cpuId_s', ''),\n SrcDvcDomain=column_ifexists('domain_s', ''),\n EncryptedApplications=column_ifexists('encryptedApplications_b', ''),\n ExternalId=column_ifexists('externalId_s', ''),\n ExternalIp=column_ifexists('externalIp_s', ''),\n FirewallEnabled=column_ifexists('firewallEnabled_b', ''),\n GroupIp=column_ifexists('groupIp_s', ''),\n InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),\n Infected=column_ifexists('infected_b', ''),\n InstallerType=column_ifexists('installerType_s', ''),\n IsActive=column_ifexists('isActive_b', ''),\n IsDecommissioned=column_ifexists('isDecommissioned_b', ''),\n IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),\n IsUninstalled=column_ifexists('isUninstalled_b', ''),\n IsUpToDate=column_ifexists('isUpToDate_b', ''),\n LastActiveDate=column_ifexists('lastActiveDate_t', ''),\n LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),\n LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),\n LicenseKey=column_ifexists('licenseKey_s', ''),\n LocationEnabled=column_ifexists('locationEnabled_b', ''),\n LocationType=column_ifexists('locationType_s', ''),\n Locations=column_ifexists('locations_s', ''),\n MachineType=column_ifexists('machineType_s', ''),\n MitigationMode=column_ifexists('mitigationMode_s', ''),\n MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),\n SrcDvcModelName=column_ifexists('modelName_s', ''),\n NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),\n //NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),\n NetworkStatus=column_ifexists('networkStatus_s', ''),\n OperationalState=column_ifexists('operationalState_s', ''),\n OsArch=column_ifexists('osArch_s', ''),\n SrcDvcOs=column_ifexists('osName_s', ''),\n OsRevision=column_ifexists('osRevision_s', ''),\n OsStartTime=column_ifexists('osStartTime_t', ''),\n 
OsType=column_ifexists('osType_s', ''),\n RangerStatus=column_ifexists('rangerStatus_s', ''),\n RangerVersion=column_ifexists('rangerVersion_s', ''),\n RegisteredAt=column_ifexists('registeredAt_t', ''),\n RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),\n ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),\n ScanStartedAt=column_ifexists('scanStartedAt_t', ''),\n ScanStatus=column_ifexists('scanStatus_s', ''),\n ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),\n TotalMemory=column_ifexists('totalMemory_d', ''),\n UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),\n Uuid=column_ifexists('uuid_g', ''),\n Creator=column_ifexists('creator_s', ''),\n CreatedAt=column_ifexists('createdAt_t',''),\n CreatorId=column_ifexists('creatorId_s', ''),\n Inherits=column_ifexists('inherits_b', ''),\n IsDefault=column_ifexists('isDefault_b', ''),\n Name=column_ifexists('name_s', ''),\n RegistrationToken=column_ifexists('registrationToken_s', ''),\n TotalAgents=column_ifexists('totalAgents_d', ''),\n Type=column_ifexists('type_s', '');\n union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union\n | extend \n ActivityType,\n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n DataAccountName=tostring(parse_json(todynamic(Data)).accountName),\n DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails),\n DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel),\n DataScopeName=tostring(parse_json(todynamic(Data)).scopeName),\n DataSiteId=tostring(parse_json(todynamic(Data)).siteId),\n DataSiteName=tostring(parse_json(todynamic(Data)).siteName),\n SrcUserName=tostring(parse_json(todynamic(Data)).userName),\n EventId=Id,\n SourceParentProcessInfo,\n EventOriginalMessage=PrimaryDescription,\n UserIdentity=UserId,\n EventTypeDetailed=Description,\n DataRuleId=tostring(parse_json(todynamic(Data)).ruleId),\n 
DataRuleName=tostring(parse_json(todynamic(Data)).rulename),\n DataScopeId=tostring(parse_json(todynamic(Data)).scopeId),\n DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser),\n DataUserId=tostring(parse_json(todynamic(Data)).userId),\n DataUserName=tostring(parse_json(todynamic(Data)).userName),\n EventSubStatus=SecondaryDescription,\n DataComputerName=tostring(parse_json(todynamic(Data)).computerName),\n DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp),\n DataGroupName=tostring(parse_json(todynamic(Data)).groupName),\n DataStatus=tostring(parse_json(todynamic(Data)).status),\n DataByUser=tostring(parse_json(todynamic(Data)).byUser),\n DataRole=tostring(parse_json(todynamic(Data)).role),\n DataUserScope=tostring(parse_json(todynamic(Data)).userScope),\n DataSource=tostring(parse_json(todynamic(Data)).source),\n DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr),\n DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime),\n //DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine),\n DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime),\n DataUuid=Uuid,\n DataGroup=tostring(parse_json(todynamic(Data)).group),\n DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription),\n EventType=tostring(parse_json(todynamic(AlertInfo)).eventType),\n DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode),\n DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails),\n DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType),\n DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity),\n DataSystem=tostring(parse_json(todynamic(Data)).system),\n DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups),\n DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt),\n DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl),\n 
DataFilePath=tostring(parse_json(todynamic(Data)).filePath),\n DataFilename=tostring(parse_json(todynamic(Data)).filename),\n DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename),\n DataNewValue=tostring(parse_json(todynamic(Data)).newValue),\n DataPolicyId=tostring(parse_json(todynamic(Data)).policyId),\n DataPolicyName=tostring(parse_json(todynamic(Data)).policyName),\n DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot),\n DataRoleName=tostring(parse_json(todynamic(Data)).roleName),\n DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName),\n ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName),\n ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf),\n ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName),\n ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf),\n SrcDvcDomain=Domain,\n AlertInfo,\n FirewallEnabled=column_ifexists('FirewallEnabled',''),\n LocationEnabled=column_ifexists('LocationEnabled',''),\n SrcDvcModelName=ModelName,\n //NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''),\n SrcDvcOs=OsName,\n SourceProcessInfo,\n RuleInfo,\n TargetProcessInfo,\n ContainerInfo,\n EventCreationTime=CreatedAt,\n RemoteProfilingState=column_ifexists('RemoteProfilingState','')\n | project\n TimeGenerated, \n EventVendor,\n EventProduct,\n AccountName,\n SourceParentProcessInfo,\n TargetProcessInfo,\n ActivityType,\n EventCreationTime,\n DataAccountName,\n DataFullScopeDetails,\n DataScopeLevel,\n DataScopeName,\n DataSiteId,\n SourceProcessInfo,\n DataSiteName,\n SrcUserName,\n EventId,\n EventOriginalMessage,\n SiteId,\n SiteName,\n UpdatedAt,\n UserIdentity,\n EventType,\n DataByUser,\n DataRole,\n DataUserScope,\n EventTypeDetailed,\n DataSource,\n DataExpiryDateStr,\n 
DataExpiryTime,\n //DataNetworkquarantine,\n DataRuleCreationTime,\n DataRuleDescription,\n DataRuleExpirationMode,\n DataRuleId,\n DataRuleName,\n DataRuleQueryDetails,\n DataRuleQueryType,\n DataRuleSeverity,\n DataScopeId,\n DataStatus,\n DataSystemUser,\n DataTreatasthreat,\n DataUserId,\n DataUserName,\n EventSubStatus,\n AgentId,\n DataComputerName,\n DataExternalIp,\n DataGroupName,\n DataSystem,\n DataUuid,\n GroupId,\n GroupName,\n DataGroup,\n DataOptionalGroups,\n DataCreatedAt,\n DataDownloadUrl,\n DataFilePath,\n DataFilename,\n DataUploadedFilename,\n Comments,\n DataNewValue,\n DataPolicyId,\n DataPolicyName,\n DataNewValueb,\n DataShouldReboot,\n DataRoleName,\n DataScopeLevelName,\n ActiveDirectoryComputerDistinguishedName,\n ActiveDirectoryComputerMemberOf,\n ActiveDirectoryLastUserDistinguishedName,\n ActiveDirectoryLastUserMemberOf,\n ActiveThreats=toreal(activeThreats_d),\n AgentVersion,\n AllowRemoteShell,\n AppsVulnerabilityStatus,\n ComputerName,\n ConsoleMigrationStatus,\n CoreCount=toreal(coreCount_d),\n CpuCount=toreal(cpuCount_d),\n CpuId,\n SrcDvcDomain,\n EncryptedApplications,\n ExternalId,\n ExternalIp,\n FirewallEnabled,\n GroupIp,\n InRemoteShellSession,\n Infected,\n InstallerType,\n IsActive,\n IsDecommissioned,\n IsPendingUninstall,\n IsUninstalled,\n IsUpToDate,\n LastActiveDate=tostring(LastActiveDate_datetime),\n LastIpToMgmt,\n LastLoggedInUserName,\n LicenseKey,\n LocationEnabled,\n LocationType,\n Locations,\n MachineType,\n MitigationMode,\n MitigationModeSuspicious,\n SrcDvcModelName,\n NetworkInterfaces,\n //NetworkQuarantineEnabled,\n NetworkStatus,\n OperationalState,\n OsArch,\n SrcDvcOs,\n OsRevision,\n OsStartTime,\n OsType,\n RangerStatus,\n RangerVersion,\n RegisteredAt=tostring(RegisteredAt_datetime),\n RemoteProfilingState,\n ScanFinishedAt=tostring(ScanFinishedAt_datetime),\n ScanStartedAt=tostring(ScanStartedAt_datetime),\n ScanStatus,\n ThreatRebootRequired,\n TotalMemory=toreal(totalMemory_d),\n 
UserActionsNeeded,\n Uuid,\n Creator,\n CreatorId,\n Inherits,\n IsDefault,\n Name,\n AlertInfo,\n RuleInfo,\n ContainerInfo,\n RegistrationToken,\n TotalAgents=totalAgents_d,\n Type;\n };\n SentinelOne_view\n",
+ "query": "let SentinelOne_view = view () { \nlet SentinelOneV2_Empty = datatable(\n AccountId:string,\n AccountName:string,\n ActivityType:real ,\n EventCreationTime:datetime,\n DataAccountName:string,\n DataFullScopeDetails:string,\n DataScopeLevel:string,\n DataScopeName:string,\n DataSiteId:int,\n SecondaryDescription:string ,\n DataSiteName:string,\n SourceProcessInfo:string,\n SrcUserName:string,\n EventId:string,\n EventOriginalMessage:string,\n SiteId:string,\n SiteName:string,\n UpdatedAt:datetime ,\n UserIdentity:string,\n EventType:string,\n DataByUser:string,\n DataRole:string,\n DataUserScope:string,\n EventTypeDetailed:string,\n DataSource:string,\n DataExpiryDateStr:string,\n DataExpiryTime:int,\n DataNetworkquarantine:bool,\n DataRuleCreationTime:int,\n DataRuleDescription:string,\n DataRuleExpirationMode:string,\n DataRuleId:int,\n DataRuleName:string,\n DataRuleQueryDetails:string,\n DataRuleQueryType:string,\n DataRuleSeverity:string,\n DataScopeId:int,\n DataStatus:string,\n DataSystemUser:int,\n DataTreatasthreat:string,\n DataUserId:int,\n RuleInfo:string,\n DataUserName:string,\n EventSubStatus:string,\n AgentId:string,\n DataComputerName:string,\n DataExternalIp:string,\n DataGroupName:string,\n DataSystem:bool,\n DataUuid:string,\n GroupId:string,\n GroupName:string,\n DataGroup:string,\n UserId:string ,\n DataOptionalGroups:string,\n DataCreatedAt:string,\n DataDownloadUrl:string,\n DataFilePath:string,\n DataFilename:string,\n DataUploadedFilename:string,\n Comments:string,\n DataNewValue:string,\n DataPolicyId:string,\n DataPolicyName:string,\n DataNewValueb:string,\n DataShouldReboot:bool,\n DataRoleName:string,\n DataScopeLevelName:string,\n ActiveDirectoryComputerDistinguishedName:string,\n 
ActiveDirectoryComputerMemberOf:string,\n ActiveDirectoryLastUserDistinguishedName:string,\n ActiveDirectoryLastUserMemberOf:string,\n ActiveThreats:int,\n AgentVersion:string,\n AllowRemoteShell:bool,\n AppsVulnerabilityStatus:string,\n ComputerName:string,\n ConsoleMigrationStatus:string,\n CoreCount:int,\n CpuCount:int,\n CpuId:string,\n SrcDvcDomain:string,\n EncryptedApplications:bool,\n ExternalId:string,\n ExternalIp:string,\n FirewallEnabled:bool,\n GroupIp:string,\n InRemoteShellSession:bool,\n Infected:bool,\n InstallerType:string,\n IsActive:bool,\n IsDecommissioned:bool,\n IsPendingUninstall:bool,\n IsUninstalled:bool,\n IsUpToDate:bool,\n LastActiveDate:string,\n TargetProcessInfo:string ,\n LastIpToMgmt:string,\n LastLoggedInUserName:string,\n LicenseKey:string,\n LocationEnabled:bool,\n LocationType:string,\n Locations:string,\n MachineType:string,\n MitigationMode:string,\n MitigationModeSuspicious:string,\n SrcDvcModelName:string,\n NetworkInterfaces:string,\n NetworkQuarantineEnabled:bool,\n NetworkStatus:string,\n OperationalState:string,\n OsArch:string,\n SrcDvcOs:string,\n OsRevision:string,\n OsStartTime:datetime ,\n OsType:string,\n RangerStatus:string,\n RangerVersion:string,\n RegisteredAt:string,\n RemoteProfilingState:string,\n ScanFinishedAt:string,\n ScanStartedAt:string,\n ScanStatus:string,\n ThreatRebootRequired:bool,\n TotalMemory:int,\n SourceParentProcessInfo:string ,\n UserActionsNeeded:string,\n Uuid:string,\n Creator:string,\n ContainerInfo:string,\n CreatorId:string,\n Inherits:string ,\n IsDefault:string ,\n Name:string,\n RegistrationToken:string,\n AlertInfo:string,\n PrimaryDescription:string ,\n TotalAgents:real ,\n CreatedAt:datetime ,\n Id:string,\n Type:string\n )[]; \n let SentinelOneV1_Empty = datatable (\n accountId_s:string,\n accountName_s:string,\n activityType_d:real,\n createdAt_t:datetime ,\n data_accountName_s:string,\n data_fullScopeDetails_s:string,\n data_scopeLevel_s:string,\n data_scopeName_s:string,\n 
data_siteId_d:int,\n data_siteName_s:string,\n data_username_s:string,\n id_s:string,\n primaryDescription_s:string,\n siteId_s:string,\n siteName_s:string,\n updatedAt_t:datetime ,\n userId_s:string,\n event_name_s:string,\n data_byUser_s:string,\n data_role_s:string,\n data_userScope_s:string,\n description_s:string,\n data_source_s:string,\n data_expiryDateStr_s:string,\n data_expiryTime_d:int,\n data_networkquarantine_b:bool,\n data_ruleCreationTime_d:int,\n data_ruleDescription_s:string,\n data_ruleExpirationMode_s:string,\n data_ruleId_d:int,\n data_ruleName_s:string,\n data_ruleQueryDetails_s:string,\n data_ruleQueryType_s:string,\n data_ruleSeverity_s:string,\n data_scopeId_d:int,\n data_status_s:string,\n data_systemUser_d:int,\n data_treatasthreat_s:string,\n data_userId_d:int,\n data_userName_s:string,\n secondaryDescription_s:string,\n agentId_s:string,\n data_computerName_s:string,\n data_externalIp_s:string,\n data_groupName_s:string,\n data_system_b:bool,\n data_uuid_g:string,\n groupId_s:string,\n groupName_s:string,\n data_group_s:string,\n data_optionalGroups_s:string,\n data_createdAt_t:string,\n data_downloadUrl_s:string,\n data_filePath_s:string,\n data_filename_s:string,\n data_uploadedFilename_s:string,\n comments_s:string,\n data_newValue_s:string,\n data_policy_id_s:string,\n data_policyName_s:string,\n data_newValue_b:bool,\n data_shouldReboot_b:bool,\n data_roleName_s:string,\n data_scopeLevelName_s:string,\n activeDirectory_computerDistinguishedName_s:string,\n activeDirectory_computerMemberOf_s:string,\n activeDirectory_lastUserDistinguishedName_s:string,\n activeDirectory_lastUserMemberOf_s:string,\n activeThreats_d:real,\n agentVersion_s:string,\n allowRemoteShell_b:bool,\n appsVulnerabilityStatus_s:string,\n computerName_s:string,\n consoleMigrationStatus_s:string,\n coreCount_d:real,\n cpuCount_d:real ,\n cpuId_s:string,\n domain_s:string,\n encryptedApplications_b:bool,\n externalId_s:string,\n externalIp_s:string,\n 
firewallEnabled_b:bool,\n groupIp_s:string,\n inRemoteShellSession_b:bool,\n infected_b:bool,\n installerType_s:string,\n isActive_b:bool,\n isDecommissioned_b:bool,\n isPendingUninstall_b:bool,\n isUninstalled_b:bool,\n isUpToDate_b:bool,\n lastActiveDate_t:string,\n lastIpToMgmt_s:string,\n lastLoggedInUserName_s:string,\n licenseKey_s:string,\n locationEnabled_b:bool,\n locationType_s:string,\n locations_s:string,\n machineType_s:string,\n mitigationMode_s:string,\n mitigationModeSuspicious_s:string,\n modelName_s:string,\n networkInterfaces_s:string,\n networkQuarantineEnabled_b:bool,\n networkStatus_s:string,\n operationalState_s:string,\n osArch_s:string,\n osName_s:string,\n osRevision_s:string,\n osStartTime_t:datetime ,\n osType_s:string,\n rangerStatus_s:string,\n rangerVersion_s:string,\n registeredAt_t:string,\n remoteProfilingState_s:string,\n scanFinishedAt_t:string,\n scanStartedAt_t:string,\n scanStatus_s:string,\n threatRebootRequired_b:bool,\n totalMemory_d:real ,\n userActionsNeeded_s:string,\n uuid_g:string,\n creator_s:string,\n creatorId_s:string,\n inherits_b:string ,\n isDefault_b:string ,\n name_s:string,\n registrationToken_s:string,\n totalAgents_d:real ,\n AlertInfo:string,\n type_s:string\n )[];\nlet SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty\n | extend \n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n AccountId=column_ifexists('accountId_s', ''),\n AccountName=column_ifexists('accountName_s', ''),\n ActivityType=toreal(column_ifexists('activityType_d', '')),\n EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')),\n DataAccountName=column_ifexists('data_accountName_s', ''),\n DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),\n DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),\n DataScopeName=column_ifexists('data_scopeName_s', ''),\n DataSiteId=column_ifexists('data_siteId_d', ''),\n DataSiteName=column_ifexists('data_siteName_s', ''),\n 
SrcUserName=column_ifexists('data_username_s', ''),\n EventId=column_ifexists('id_s', ''),\n EventOriginalMessage=column_ifexists('primaryDescription_s', ''),\n PrimaryDescription=column_ifexists('primaryDescription_s', ''),\n SiteId=column_ifexists('siteId_s', ''),\n SiteName=column_ifexists('siteName_s', ''),\n UpdatedAt=column_ifexists('updatedAt_t', ''),\n UserIdentity=column_ifexists('userId_s', ''),\n UserId=column_ifexists('userId_s', ''),\n EventType=column_ifexists('event_name_s', ''),\n DataByUser=column_ifexists('data_byUser_s', ''),\n DataRole=column_ifexists('data_role_s', ''),\n DataUserScope=column_ifexists('data_userScope_s', ''),\n EventTypeDetailed=column_ifexists('description_s', ''),\n DataSource=column_ifexists('data_source_s', ''),\n DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),\n DataExpiryTime=column_ifexists('data_expiryTime_d', ''),\n DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),\n DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),\n DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),\n DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),\n DataRuleId=column_ifexists('data_ruleId_d', ''),\n DataRuleName=column_ifexists('data_ruleName_s', ''),\n DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),\n DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),\n DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),\n DataScopeId=column_ifexists('data_scopeId_d', ''),\n Id=column_ifexists('id_s', ''),\n DataStatus=column_ifexists('data_status_s', ''),\n DataSystemUser=column_ifexists('data_systemUser_d', ''),\n DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),\n DataUserId=column_ifexists('data_userId_d', ''),\n DataUserName=column_ifexists('data_userName_s', ''),\n EventSubStatus=column_ifexists('secondaryDescription_s', ''),\n SecondaryDescription=column_ifexists('secondaryDescription_s', ''),\n 
AgentId=column_ifexists('agentId_s', ''),\n DataComputerName=column_ifexists('data_computerName_s', ''),\n DataExternalIp=column_ifexists('data_externalIp_s', ''),\n DataGroupName=column_ifexists('data_groupName_s', ''),\n DataSystem=column_ifexists('data_system_b', ''),\n DataUuid=column_ifexists('data_uuid_g', ''),\n GroupId=column_ifexists('groupId_s', ''),\n GroupName=column_ifexists('groupName_s', ''),\n DataGroup=column_ifexists('data_group_s', ''),\n DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),\n DataCreatedAt=column_ifexists('data_createdAt_t', ''),\n DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),\n DataFilePath=column_ifexists('data_filePath_s', ''),\n DataFilename=column_ifexists('data_filename_s', ''),\n DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),\n Comments=column_ifexists('comments_s', ''),\n DataNewValue=column_ifexists('data_newValue_s', ''),\n DataPolicyId=column_ifexists('data_policy_id_s', ''),\n DataPolicyName=column_ifexists('data_policyName_s', ''),\n DataNewValueb=column_ifexists('data_newValue_b', ''),\n DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),\n DataRoleName=column_ifexists('data_roleName_s', ''),\n DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),\n ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),\n ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),\n ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),\n ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),\n ActiveThreats=column_ifexists('activeThreats_d', ''),\n AgentVersion=column_ifexists('agentVersion_s', ''),\n AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),\n AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),\n ComputerName=column_ifexists('computerName_s', ''),\n 
ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),\n CoreCount=column_ifexists('coreCount_d', ''),\n CpuCount=column_ifexists('cpuCount_d', ''),\n CpuId=column_ifexists('cpuId_s', ''),\n SrcDvcDomain=column_ifexists('domain_s', ''),\n EncryptedApplications=column_ifexists('encryptedApplications_b', ''),\n ExternalId=column_ifexists('externalId_s', ''),\n ExternalIp=column_ifexists('externalIp_s', ''),\n FirewallEnabled=column_ifexists('firewallEnabled_b', ''),\n GroupIp=column_ifexists('groupIp_s', ''),\n InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),\n Infected=column_ifexists('infected_b', ''),\n InstallerType=column_ifexists('installerType_s', ''),\n IsActive=column_ifexists('isActive_b', ''),\n IsDecommissioned=column_ifexists('isDecommissioned_b', ''),\n IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),\n IsUninstalled=column_ifexists('isUninstalled_b', ''),\n IsUpToDate=column_ifexists('isUpToDate_b', ''),\n LastActiveDate=column_ifexists('lastActiveDate_t', ''),\n LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),\n LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),\n LicenseKey=column_ifexists('licenseKey_s', ''),\n LocationEnabled=column_ifexists('locationEnabled_b', ''),\n LocationType=column_ifexists('locationType_s', ''),\n Locations=column_ifexists('locations_s', ''),\n MachineType=column_ifexists('machineType_s', ''),\n MitigationMode=column_ifexists('mitigationMode_s', ''),\n MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),\n SrcDvcModelName=column_ifexists('modelName_s', ''),\n NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),\n NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),\n NetworkStatus=column_ifexists('networkStatus_s', ''),\n OperationalState=column_ifexists('operationalState_s', ''),\n OsArch=column_ifexists('osArch_s', ''),\n SrcDvcOs=column_ifexists('osName_s', ''),\n 
OsRevision=column_ifexists('osRevision_s', ''),\n OsStartTime=column_ifexists('osStartTime_t', ''),\n OsType=column_ifexists('osType_s', ''),\n RangerStatus=column_ifexists('rangerStatus_s', ''),\n RangerVersion=column_ifexists('rangerVersion_s', ''),\n RegisteredAt=column_ifexists('registeredAt_t', ''),\n RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),\n ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),\n ScanStartedAt=column_ifexists('scanStartedAt_t', ''),\n ScanStatus=column_ifexists('scanStatus_s', ''),\n ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),\n TotalMemory=column_ifexists('totalMemory_d', ''),\n UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),\n Uuid=column_ifexists('uuid_g', ''),\n Creator=column_ifexists('creator_s', ''),\n CreatedAt=column_ifexists('createdAt_t',''),\n CreatorId=column_ifexists('creatorId_s', ''),\n Inherits=column_ifexists('inherits_b', ''),\n IsDefault=column_ifexists('isDefault_b', ''),\n Name=column_ifexists('name_s', ''),\n RegistrationToken=column_ifexists('registrationToken_s', ''),\n TotalAgents=column_ifexists('totalAgents_d', ''),\n Type=column_ifexists('type_s', '');\n union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union\n | extend \n ActivityType,\n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n DataAccountName=tostring(parse_json(todynamic(Data)).accountName),\n DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails),\n DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel),\n DataScopeName=tostring(parse_json(todynamic(Data)).scopeName),\n DataSiteId=tostring(parse_json(todynamic(Data)).siteId),\n DataSiteName=tostring(parse_json(todynamic(Data)).siteName),\n SrcUserName=tostring(parse_json(todynamic(Data)).userName),\n EventId=Id,\n SourceParentProcessInfo,\n EventOriginalMessage=PrimaryDescription,\n 
UserIdentity=UserId,\n EventTypeDetailed=Description,\n DataRuleId=tostring(parse_json(todynamic(Data)).ruleId),\n DataRuleName=tostring(parse_json(todynamic(Data)).rulename),\n DataScopeId=tostring(parse_json(todynamic(Data)).scopeId),\n DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser),\n DataUserId=tostring(parse_json(todynamic(Data)).userId),\n DataUserName=tostring(parse_json(todynamic(Data)).userName),\n EventSubStatus=SecondaryDescription,\n DataComputerName=tostring(parse_json(todynamic(Data)).computerName),\n DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp),\n DataGroupName=tostring(parse_json(todynamic(Data)).groupName),\n DataStatus=tostring(parse_json(todynamic(Data)).status),\n DataByUser=tostring(parse_json(todynamic(Data)).byUser),\n DataRole=tostring(parse_json(todynamic(Data)).role),\n DataUserScope=tostring(parse_json(todynamic(Data)).userScope),\n DataSource=tostring(parse_json(todynamic(Data)).source),\n DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr),\n DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime),\n DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine),\n DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime),\n DataUuid=Uuid,\n DataGroup=tostring(parse_json(todynamic(Data)).group),\n DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription),\n EventType=tostring(parse_json(todynamic(AlertInfo)).eventType),\n DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode),\n DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails),\n DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType),\n DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity),\n DataSystem=tostring(parse_json(todynamic(Data)).system),\n DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups),\n DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt),\n 
DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl),\n DataFilePath=tostring(parse_json(todynamic(Data)).filePath),\n DataFilename=tostring(parse_json(todynamic(Data)).filename),\n DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename),\n DataNewValue=tostring(parse_json(todynamic(Data)).newValue),\n DataPolicyId=tostring(parse_json(todynamic(Data)).policyId),\n DataPolicyName=tostring(parse_json(todynamic(Data)).policyName),\n DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot),\n DataRoleName=tostring(parse_json(todynamic(Data)).roleName),\n DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName),\n ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName),\n ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf),\n ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName),\n ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf),\n SrcDvcDomain=Domain,\n AlertInfo=tostring(AlertInfo),\n FirewallEnabled=column_ifexists('FirewallEnabled',''),\n IsUninstalled=column_ifexists('IsUninstalled',''),\n EncryptedApplications=column_ifexists('EncryptedApplications',''),\n OsStartTime=column_ifexists('OsStartTime',''),\n InRemoteShellSession=column_ifexists('InRemoteShellSession',''),\n ThreatRebootRequired=column_ifexists('ThreatRebootRequired',''),\n IsPendingUninstall=column_ifexists('IsPendingUninstall',''),\n IsUpToDate=column_ifexists('IsUpToDate',''),\n IsDecommissioned=column_ifexists('IsDecommissioned',''),\n IsActive=column_ifexists('IsActive',''),\n Infected=column_ifexists('Infected',''),\n AllowRemoteShell=column_ifexists('AllowRemoteShell',''),\n LocationEnabled=column_ifexists('LocationEnabled',''),\n SrcDvcModelName=ModelName,\n 
NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''),\n SrcDvcOs=OsName,\n SourceProcessInfo,\n RuleInfo,\n TargetProcessInfo,\n ContainerInfo,\n EventCreationTime=CreatedAt,\n RemoteProfilingState=column_ifexists('RemoteProfilingState','')\n | project\n TimeGenerated, \n EventVendor,\n EventProduct,\n AccountName,\n SourceParentProcessInfo,\n TargetProcessInfo,\n ActivityType,\n EventCreationTime,\n DataAccountName,\n DataFullScopeDetails,\n DataScopeLevel,\n DataScopeName,\n DataSiteId,\n SourceProcessInfo,\n DataSiteName,\n SrcUserName,\n EventId,\n EventOriginalMessage,\n SiteId,\n SiteName,\n UpdatedAt,\n UserIdentity,\n EventType,\n DataByUser,\n DataRole,\n DataUserScope,\n EventTypeDetailed,\n DataSource,\n DataExpiryDateStr,\n DataExpiryTime,\n DataNetworkquarantine,\n DataRuleCreationTime,\n DataRuleDescription,\n DataRuleExpirationMode,\n DataRuleId,\n DataRuleName,\n DataRuleQueryDetails,\n DataRuleQueryType,\n DataRuleSeverity,\n DataScopeId,\n DataStatus,\n DataSystemUser,\n DataTreatasthreat,\n DataUserId,\n DataUserName,\n EventSubStatus,\n AgentId,\n DataComputerName,\n DataExternalIp,\n DataGroupName,\n DataSystem,\n DataUuid,\n GroupId,\n GroupName,\n DataGroup,\n DataOptionalGroups,\n DataCreatedAt,\n DataDownloadUrl,\n DataFilePath,\n DataFilename,\n DataUploadedFilename,\n Comments,\n DataNewValue,\n DataPolicyId,\n DataPolicyName,\n DataNewValueb,\n DataShouldReboot,\n DataRoleName,\n DataScopeLevelName,\n ActiveDirectoryComputerDistinguishedName,\n ActiveDirectoryComputerMemberOf,\n ActiveDirectoryLastUserDistinguishedName,\n ActiveDirectoryLastUserMemberOf,\n ActiveThreats=toreal(activeThreats_d),\n AgentVersion,\n AllowRemoteShell,\n AppsVulnerabilityStatus,\n ComputerName,\n ConsoleMigrationStatus,\n CoreCount=toreal(coreCount_d),\n CpuCount=toreal(cpuCount_d),\n CpuId,\n SrcDvcDomain,\n EncryptedApplications,\n ExternalId,\n ExternalIp,\n FirewallEnabled,\n GroupIp,\n InRemoteShellSession,\n Infected,\n 
InstallerType,\n IsActive,\n IsDecommissioned,\n IsPendingUninstall,\n IsUninstalled,\n IsUpToDate,\n LastActiveDate=tostring(LastActiveDate_datetime),\n LastIpToMgmt,\n LastLoggedInUserName,\n LicenseKey,\n LocationEnabled,\n LocationType,\n Locations,\n MachineType,\n MitigationMode,\n MitigationModeSuspicious,\n SrcDvcModelName,\n NetworkInterfaces,\n NetworkQuarantineEnabled,\n NetworkStatus,\n OperationalState,\n OsArch,\n SrcDvcOs,\n OsRevision,\n OsStartTime,\n OsType,\n RangerStatus,\n RangerVersion,\n RegisteredAt=tostring(RegisteredAt_datetime),\n RemoteProfilingState,\n ScanFinishedAt=tostring(ScanFinishedAt_datetime),\n ScanStartedAt=tostring(ScanStartedAt_datetime),\n ScanStatus,\n ThreatRebootRequired,\n TotalMemory=toreal(totalMemory_d),\n UserActionsNeeded,\n Uuid,\n Creator,\n CreatorId,\n Inherits,\n IsDefault,\n Name,\n AlertInfo,\n RuleInfo,\n ContainerInfo,\n RegistrationToken,\n TotalAgents=totalAgents_d,\n Type;\n };\n SentinelOne_view\n",
 "functionParameters": "",
 "version": 2,
 "tags": [
@@ -2839,7 +2833,7 @@
 "displayName": "Parser for SentinelOne",
 "category": "Microsoft Sentinel Parser",
 "functionAlias": "SentinelOne",
- "query": "let SentinelOne_view = view () { \nlet SentinelOneV2_Empty = datatable(\n AccountId:string,\n AccountName:string,\n ActivityType:real ,\n EventCreationTime:datetime,\n DataAccountName:string,\n DataFullScopeDetails:string,\n DataScopeLevel:string,\n DataScopeName:string,\n DataSiteId:int,\n SecondaryDescription:string ,\n DataSiteName:string,\n SourceProcessInfo:string,\n SrcUserName:string,\n EventId:string,\n EventOriginalMessage:string,\n SiteId:string,\n SiteName:string,\n UpdatedAt:datetime ,\n UserIdentity:string,\n EventType:string,\n DataByUser:string,\n DataRole:string,\n DataUserScope:string,\n EventTypeDetailed:string,\n DataSource:string,\n DataExpiryDateStr:string,\n DataExpiryTime:int,\n //DataNetworkquarantine:bool,\n DataRuleCreationTime:int,\n DataRuleDescription:string,\n DataRuleExpirationMode:string,\n DataRuleId:int,\n DataRuleName:string,\n DataRuleQueryDetails:string,\n DataRuleQueryType:string,\n DataRuleSeverity:string,\n DataScopeId:int,\n DataStatus:string,\n DataSystemUser:int,\n DataTreatasthreat:string,\n DataUserId:int,\n RuleInfo:string,\n DataUserName:string,\n EventSubStatus:string,\n AgentId:string,\n DataComputerName:string,\n DataExternalIp:string,\n DataGroupName:string,\n DataSystem:bool,\n DataUuid:string,\n GroupId:string,\n GroupName:string,\n DataGroup:string,\n UserId:string ,\n DataOptionalGroups:string,\n DataCreatedAt:string,\n DataDownloadUrl:string,\n DataFilePath:string,\n DataFilename:string,\n DataUploadedFilename:string,\n Comments:string,\n DataNewValue:string,\n DataPolicyId:string,\n DataPolicyName:string,\n DataNewValueb:string,\n DataShouldReboot:bool,\n DataRoleName:string,\n DataScopeLevelName:string,\n ActiveDirectoryComputerDistinguishedName:string,\n ActiveDirectoryComputerMemberOf:string,\n ActiveDirectoryLastUserDistinguishedName:string,\n 
ActiveDirectoryLastUserMemberOf:string,\n ActiveThreats:int,\n AgentVersion:string,\n AllowRemoteShell:bool,\n AppsVulnerabilityStatus:string,\n ComputerName:string,\n ConsoleMigrationStatus:string,\n CoreCount:int,\n CpuCount:int,\n CpuId:string,\n SrcDvcDomain:string,\n EncryptedApplications:bool,\n ExternalId:string,\n ExternalIp:string,\n FirewallEnabled:bool,\n GroupIp:string,\n InRemoteShellSession:bool,\n Infected:bool,\n InstallerType:string,\n IsActive:bool,\n IsDecommissioned:bool,\n IsPendingUninstall:bool,\n IsUninstalled:bool,\n IsUpToDate:bool,\n LastActiveDate:string,\n TargetProcessInfo:string ,\n LastIpToMgmt:string,\n LastLoggedInUserName:string,\n LicenseKey:string,\n LocationEnabled:bool,\n LocationType:string,\n Locations:string,\n MachineType:string,\n MitigationMode:string,\n MitigationModeSuspicious:string,\n SrcDvcModelName:string,\n NetworkInterfaces:string,\n //NetworkQuarantineEnabled:bool,\n NetworkStatus:string,\n OperationalState:string,\n OsArch:string,\n SrcDvcOs:string,\n OsRevision:string,\n OsStartTime:datetime ,\n OsType:string,\n RangerStatus:string,\n RangerVersion:string,\n RegisteredAt:string,\n RemoteProfilingState:string,\n ScanFinishedAt:string,\n ScanStartedAt:string,\n ScanStatus:string,\n ThreatRebootRequired:bool,\n TotalMemory:int,\n SourceParentProcessInfo:string ,\n UserActionsNeeded:string,\n Uuid:string,\n Creator:string,\n ContainerInfo:string,\n CreatorId:string,\n Inherits:string ,\n IsDefault:string ,\n Name:string,\n RegistrationToken:string,\n AlertInfo:string,\n PrimaryDescription:string ,\n TotalAgents:real ,\n CreatedAt:datetime ,\n Id:string,\n Type:string\n )[]; \n let SentinelOneV1_Empty = datatable (\n accountId_s:string,\n accountName_s:string,\n activityType_d:real,\n createdAt_t:datetime ,\n data_accountName_s:string,\n data_fullScopeDetails_s:string,\n data_scopeLevel_s:string,\n data_scopeName_s:string,\n data_siteId_d:int,\n data_siteName_s:string,\n data_username_s:string,\n id_s:string,\n 
primaryDescription_s:string,\n siteId_s:string,\n siteName_s:string,\n updatedAt_t:datetime ,\n userId_s:string,\n event_name_s:string,\n data_byUser_s:string,\n data_role_s:string,\n data_userScope_s:string,\n description_s:string,\n data_source_s:string,\n data_expiryDateStr_s:string,\n data_expiryTime_d:int,\n //data_networkquarantine_b:bool,\n data_ruleCreationTime_d:int,\n data_ruleDescription_s:string,\n data_ruleExpirationMode_s:string,\n data_ruleId_d:int,\n data_ruleName_s:string,\n data_ruleQueryDetails_s:string,\n data_ruleQueryType_s:string,\n data_ruleSeverity_s:string,\n data_scopeId_d:int,\n data_status_s:string,\n data_systemUser_d:int,\n data_treatasthreat_s:string,\n data_userId_d:int,\n data_userName_s:string,\n secondaryDescription_s:string,\n agentId_s:string,\n data_computerName_s:string,\n data_externalIp_s:string,\n data_groupName_s:string,\n data_system_b:bool,\n data_uuid_g:string,\n groupId_s:string,\n groupName_s:string,\n data_group_s:string,\n data_optionalGroups_s:string,\n data_createdAt_t:string,\n data_downloadUrl_s:string,\n data_filePath_s:string,\n data_filename_s:string,\n data_uploadedFilename_s:string,\n comments_s:string,\n data_newValue_s:string,\n data_policy_id_s:string,\n data_policyName_s:string,\n data_newValue_b:bool,\n data_shouldReboot_b:bool,\n data_roleName_s:string,\n data_scopeLevelName_s:string,\n activeDirectory_computerDistinguishedName_s:string,\n activeDirectory_computerMemberOf_s:string,\n activeDirectory_lastUserDistinguishedName_s:string,\n activeDirectory_lastUserMemberOf_s:string,\n activeThreats_d:real,\n agentVersion_s:string,\n allowRemoteShell_b:bool,\n appsVulnerabilityStatus_s:string,\n computerName_s:string,\n consoleMigrationStatus_s:string,\n coreCount_d:real,\n cpuCount_d:real ,\n cpuId_s:string,\n domain_s:string,\n encryptedApplications_b:bool,\n externalId_s:string,\n externalIp_s:string,\n firewallEnabled_b:bool,\n groupIp_s:string,\n inRemoteShellSession_b:bool,\n infected_b:bool,\n 
installerType_s:string,\n isActive_b:bool,\n isDecommissioned_b:bool,\n isPendingUninstall_b:bool,\n isUninstalled_b:bool,\n isUpToDate_b:bool,\n lastActiveDate_t:string,\n lastIpToMgmt_s:string,\n lastLoggedInUserName_s:string,\n licenseKey_s:string,\n locationEnabled_b:bool,\n locationType_s:string,\n locations_s:string,\n machineType_s:string,\n mitigationMode_s:string,\n mitigationModeSuspicious_s:string,\n modelName_s:string,\n networkInterfaces_s:string,\n //networkQuarantineEnabled_b:bool,\n networkStatus_s:string,\n operationalState_s:string,\n osArch_s:string,\n osName_s:string,\n osRevision_s:string,\n osStartTime_t:datetime ,\n osType_s:string,\n rangerStatus_s:string,\n rangerVersion_s:string,\n registeredAt_t:string,\n remoteProfilingState_s:string,\n scanFinishedAt_t:string,\n scanStartedAt_t:string,\n scanStatus_s:string,\n threatRebootRequired_b:bool,\n totalMemory_d:real ,\n userActionsNeeded_s:string,\n uuid_g:string,\n creator_s:string,\n creatorId_s:string,\n inherits_b:string ,\n isDefault_b:string ,\n name_s:string,\n registrationToken_s:string,\n totalAgents_d:real ,\n type_s:string\n )[];\n let SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty\n | extend \n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n AccountId=column_ifexists('accountId_s', ''),\n AccountName=column_ifexists('accountName_s', ''),\n ActivityType=toreal(column_ifexists('activityType_d', '')),\n EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')),\n DataAccountName=column_ifexists('data_accountName_s', ''),\n DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),\n DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),\n DataScopeName=column_ifexists('data_scopeName_s', ''),\n DataSiteId=column_ifexists('data_siteId_d', ''),\n DataSiteName=column_ifexists('data_siteName_s', ''),\n SrcUserName=column_ifexists('data_username_s', ''),\n EventId=column_ifexists('id_s', ''),\n 
EventOriginalMessage=column_ifexists('primaryDescription_s', ''),\n PrimaryDescription=column_ifexists('primaryDescription_s', ''),\n SiteId=column_ifexists('siteId_s', ''),\n SiteName=column_ifexists('siteName_s', ''),\n UpdatedAt=column_ifexists('updatedAt_t', ''),\n UserIdentity=column_ifexists('userId_s', ''),\n UserId=column_ifexists('userId_s', ''),\n EventType=column_ifexists('event_name_s', ''),\n DataByUser=column_ifexists('data_byUser_s', ''),\n DataRole=column_ifexists('data_role_s', ''),\n DataUserScope=column_ifexists('data_userScope_s', ''),\n EventTypeDetailed=column_ifexists('description_s', ''),\n DataSource=column_ifexists('data_source_s', ''),\n DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),\n DataExpiryTime=column_ifexists('data_expiryTime_d', ''),\n //DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),\n DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),\n DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),\n DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),\n DataRuleId=column_ifexists('data_ruleId_d', ''),\n DataRuleName=column_ifexists('data_ruleName_s', ''),\n DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),\n DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),\n DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),\n DataScopeId=column_ifexists('data_scopeId_d', ''),\n Id=column_ifexists('id_s', ''),\n DataStatus=column_ifexists('data_status_s', ''),\n DataSystemUser=column_ifexists('data_systemUser_d', ''),\n DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),\n DataUserId=column_ifexists('data_userId_d', ''),\n DataUserName=column_ifexists('data_userName_s', ''),\n EventSubStatus=column_ifexists('secondaryDescription_s', ''),\n SecondaryDescription=column_ifexists('secondaryDescription_s', ''),\n AgentId=column_ifexists('agentId_s', ''),\n DataComputerName=column_ifexists('data_computerName_s', 
''),\n DataExternalIp=column_ifexists('data_externalIp_s', ''),\n DataGroupName=column_ifexists('data_groupName_s', ''),\n DataSystem=column_ifexists('data_system_b', ''),\n DataUuid=column_ifexists('data_uuid_g', ''),\n GroupId=column_ifexists('groupId_s', ''),\n GroupName=column_ifexists('groupName_s', ''),\n DataGroup=column_ifexists('data_group_s', ''),\n DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),\n DataCreatedAt=column_ifexists('data_createdAt_t', ''),\n DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),\n DataFilePath=column_ifexists('data_filePath_s', ''),\n DataFilename=column_ifexists('data_filename_s', ''),\n DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),\n Comments=column_ifexists('comments_s', ''),\n DataNewValue=column_ifexists('data_newValue_s', ''),\n DataPolicyId=column_ifexists('data_policy_id_s', ''),\n DataPolicyName=column_ifexists('data_policyName_s', ''),\n DataNewValueb=column_ifexists('data_newValue_b', ''),\n DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),\n DataRoleName=column_ifexists('data_roleName_s', ''),\n DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),\n ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),\n ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),\n ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),\n ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),\n ActiveThreats=column_ifexists('activeThreats_d', ''),\n AgentVersion=column_ifexists('agentVersion_s', ''),\n AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),\n AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),\n ComputerName=column_ifexists('computerName_s', ''),\n ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),\n 
CoreCount=column_ifexists('coreCount_d', ''),\n CpuCount=column_ifexists('cpuCount_d', ''),\n CpuId=column_ifexists('cpuId_s', ''),\n SrcDvcDomain=column_ifexists('domain_s', ''),\n EncryptedApplications=column_ifexists('encryptedApplications_b', ''),\n ExternalId=column_ifexists('externalId_s', ''),\n ExternalIp=column_ifexists('externalIp_s', ''),\n FirewallEnabled=column_ifexists('firewallEnabled_b', ''),\n GroupIp=column_ifexists('groupIp_s', ''),\n InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),\n Infected=column_ifexists('infected_b', ''),\n InstallerType=column_ifexists('installerType_s', ''),\n IsActive=column_ifexists('isActive_b', ''),\n IsDecommissioned=column_ifexists('isDecommissioned_b', ''),\n IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),\n IsUninstalled=column_ifexists('isUninstalled_b', ''),\n IsUpToDate=column_ifexists('isUpToDate_b', ''),\n LastActiveDate=column_ifexists('lastActiveDate_t', ''),\n LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),\n LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),\n LicenseKey=column_ifexists('licenseKey_s', ''),\n LocationEnabled=column_ifexists('locationEnabled_b', ''),\n LocationType=column_ifexists('locationType_s', ''),\n Locations=column_ifexists('locations_s', ''),\n MachineType=column_ifexists('machineType_s', ''),\n MitigationMode=column_ifexists('mitigationMode_s', ''),\n MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),\n SrcDvcModelName=column_ifexists('modelName_s', ''),\n NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),\n //NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),\n NetworkStatus=column_ifexists('networkStatus_s', ''),\n OperationalState=column_ifexists('operationalState_s', ''),\n OsArch=column_ifexists('osArch_s', ''),\n SrcDvcOs=column_ifexists('osName_s', ''),\n OsRevision=column_ifexists('osRevision_s', ''),\n OsStartTime=column_ifexists('osStartTime_t', ''),\n 
OsType=column_ifexists('osType_s', ''),\n RangerStatus=column_ifexists('rangerStatus_s', ''),\n RangerVersion=column_ifexists('rangerVersion_s', ''),\n RegisteredAt=column_ifexists('registeredAt_t', ''),\n RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),\n ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),\n ScanStartedAt=column_ifexists('scanStartedAt_t', ''),\n ScanStatus=column_ifexists('scanStatus_s', ''),\n ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),\n TotalMemory=column_ifexists('totalMemory_d', ''),\n UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),\n Uuid=column_ifexists('uuid_g', ''),\n Creator=column_ifexists('creator_s', ''),\n CreatedAt=column_ifexists('createdAt_t',''),\n CreatorId=column_ifexists('creatorId_s', ''),\n Inherits=column_ifexists('inherits_b', ''),\n IsDefault=column_ifexists('isDefault_b', ''),\n Name=column_ifexists('name_s', ''),\n RegistrationToken=column_ifexists('registrationToken_s', ''),\n TotalAgents=column_ifexists('totalAgents_d', ''),\n Type=column_ifexists('type_s', '');\n union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union\n | extend \n ActivityType,\n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n DataAccountName=tostring(parse_json(todynamic(Data)).accountName),\n DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails),\n DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel),\n DataScopeName=tostring(parse_json(todynamic(Data)).scopeName),\n DataSiteId=tostring(parse_json(todynamic(Data)).siteId),\n DataSiteName=tostring(parse_json(todynamic(Data)).siteName),\n SrcUserName=tostring(parse_json(todynamic(Data)).userName),\n EventId=Id,\n SourceParentProcessInfo,\n EventOriginalMessage=PrimaryDescription,\n UserIdentity=UserId,\n EventTypeDetailed=Description,\n DataRuleId=tostring(parse_json(todynamic(Data)).ruleId),\n 
DataRuleName=tostring(parse_json(todynamic(Data)).rulename),\n DataScopeId=tostring(parse_json(todynamic(Data)).scopeId),\n DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser),\n DataUserId=tostring(parse_json(todynamic(Data)).userId),\n DataUserName=tostring(parse_json(todynamic(Data)).userName),\n EventSubStatus=SecondaryDescription,\n DataComputerName=tostring(parse_json(todynamic(Data)).computerName),\n DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp),\n DataGroupName=tostring(parse_json(todynamic(Data)).groupName),\n DataStatus=tostring(parse_json(todynamic(Data)).status),\n DataByUser=tostring(parse_json(todynamic(Data)).byUser),\n DataRole=tostring(parse_json(todynamic(Data)).role),\n DataUserScope=tostring(parse_json(todynamic(Data)).userScope),\n DataSource=tostring(parse_json(todynamic(Data)).source),\n DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr),\n DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime),\n //DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine),\n DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime),\n DataUuid=Uuid,\n DataGroup=tostring(parse_json(todynamic(Data)).group),\n DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription),\n EventType=tostring(parse_json(todynamic(AlertInfo)).eventType),\n DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode),\n DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails),\n DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType),\n DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity),\n DataSystem=tostring(parse_json(todynamic(Data)).system),\n DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups),\n DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt),\n DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl),\n 
DataFilePath=tostring(parse_json(todynamic(Data)).filePath),\n DataFilename=tostring(parse_json(todynamic(Data)).filename),\n DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename),\n DataNewValue=tostring(parse_json(todynamic(Data)).newValue),\n DataPolicyId=tostring(parse_json(todynamic(Data)).policyId),\n DataPolicyName=tostring(parse_json(todynamic(Data)).policyName),\n DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot),\n DataRoleName=tostring(parse_json(todynamic(Data)).roleName),\n DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName),\n ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName),\n ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf),\n ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName),\n ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf),\n SrcDvcDomain=Domain,\n AlertInfo,\n FirewallEnabled=column_ifexists('FirewallEnabled',''),\n LocationEnabled=column_ifexists('LocationEnabled',''),\n SrcDvcModelName=ModelName,\n //NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''),\n SrcDvcOs=OsName,\n SourceProcessInfo,\n RuleInfo,\n TargetProcessInfo,\n ContainerInfo,\n EventCreationTime=CreatedAt,\n RemoteProfilingState=column_ifexists('RemoteProfilingState','')\n | project\n TimeGenerated, \n EventVendor,\n EventProduct,\n AccountName,\n SourceParentProcessInfo,\n TargetProcessInfo,\n ActivityType,\n EventCreationTime,\n DataAccountName,\n DataFullScopeDetails,\n DataScopeLevel,\n DataScopeName,\n DataSiteId,\n SourceProcessInfo,\n DataSiteName,\n SrcUserName,\n EventId,\n EventOriginalMessage,\n SiteId,\n SiteName,\n UpdatedAt,\n UserIdentity,\n EventType,\n DataByUser,\n DataRole,\n DataUserScope,\n EventTypeDetailed,\n DataSource,\n DataExpiryDateStr,\n 
DataExpiryTime,\n //DataNetworkquarantine,\n DataRuleCreationTime,\n DataRuleDescription,\n DataRuleExpirationMode,\n DataRuleId,\n DataRuleName,\n DataRuleQueryDetails,\n DataRuleQueryType,\n DataRuleSeverity,\n DataScopeId,\n DataStatus,\n DataSystemUser,\n DataTreatasthreat,\n DataUserId,\n DataUserName,\n EventSubStatus,\n AgentId,\n DataComputerName,\n DataExternalIp,\n DataGroupName,\n DataSystem,\n DataUuid,\n GroupId,\n GroupName,\n DataGroup,\n DataOptionalGroups,\n DataCreatedAt,\n DataDownloadUrl,\n DataFilePath,\n DataFilename,\n DataUploadedFilename,\n Comments,\n DataNewValue,\n DataPolicyId,\n DataPolicyName,\n DataNewValueb,\n DataShouldReboot,\n DataRoleName,\n DataScopeLevelName,\n ActiveDirectoryComputerDistinguishedName,\n ActiveDirectoryComputerMemberOf,\n ActiveDirectoryLastUserDistinguishedName,\n ActiveDirectoryLastUserMemberOf,\n ActiveThreats=toreal(activeThreats_d),\n AgentVersion,\n AllowRemoteShell,\n AppsVulnerabilityStatus,\n ComputerName,\n ConsoleMigrationStatus,\n CoreCount=toreal(coreCount_d),\n CpuCount=toreal(cpuCount_d),\n CpuId,\n SrcDvcDomain,\n EncryptedApplications,\n ExternalId,\n ExternalIp,\n FirewallEnabled,\n GroupIp,\n InRemoteShellSession,\n Infected,\n InstallerType,\n IsActive,\n IsDecommissioned,\n IsPendingUninstall,\n IsUninstalled,\n IsUpToDate,\n LastActiveDate=tostring(LastActiveDate_datetime),\n LastIpToMgmt,\n LastLoggedInUserName,\n LicenseKey,\n LocationEnabled,\n LocationType,\n Locations,\n MachineType,\n MitigationMode,\n MitigationModeSuspicious,\n SrcDvcModelName,\n NetworkInterfaces,\n //NetworkQuarantineEnabled,\n NetworkStatus,\n OperationalState,\n OsArch,\n SrcDvcOs,\n OsRevision,\n OsStartTime,\n OsType,\n RangerStatus,\n RangerVersion,\n RegisteredAt=tostring(RegisteredAt_datetime),\n RemoteProfilingState,\n ScanFinishedAt=tostring(ScanFinishedAt_datetime),\n ScanStartedAt=tostring(ScanStartedAt_datetime),\n ScanStatus,\n ThreatRebootRequired,\n TotalMemory=toreal(totalMemory_d),\n 
UserActionsNeeded,\n Uuid,\n Creator,\n CreatorId,\n Inherits,\n IsDefault,\n Name,\n AlertInfo,\n RuleInfo,\n ContainerInfo,\n RegistrationToken,\n TotalAgents=totalAgents_d,\n Type;\n };\n SentinelOne_view\n",
+ "query": "let SentinelOne_view = view () { \nlet SentinelOneV2_Empty = datatable(\n AccountId:string,\n AccountName:string,\n ActivityType:real ,\n EventCreationTime:datetime,\n DataAccountName:string,\n DataFullScopeDetails:string,\n DataScopeLevel:string,\n DataScopeName:string,\n DataSiteId:int,\n SecondaryDescription:string ,\n DataSiteName:string,\n SourceProcessInfo:string,\n SrcUserName:string,\n EventId:string,\n EventOriginalMessage:string,\n SiteId:string,\n SiteName:string,\n UpdatedAt:datetime ,\n UserIdentity:string,\n EventType:string,\n DataByUser:string,\n DataRole:string,\n DataUserScope:string,\n EventTypeDetailed:string,\n DataSource:string,\n DataExpiryDateStr:string,\n DataExpiryTime:int,\n DataNetworkquarantine:bool,\n DataRuleCreationTime:int,\n DataRuleDescription:string,\n DataRuleExpirationMode:string,\n DataRuleId:int,\n DataRuleName:string,\n DataRuleQueryDetails:string,\n DataRuleQueryType:string,\n DataRuleSeverity:string,\n DataScopeId:int,\n DataStatus:string,\n DataSystemUser:int,\n DataTreatasthreat:string,\n DataUserId:int,\n RuleInfo:string,\n DataUserName:string,\n EventSubStatus:string,\n AgentId:string,\n DataComputerName:string,\n DataExternalIp:string,\n DataGroupName:string,\n DataSystem:bool,\n DataUuid:string,\n GroupId:string,\n GroupName:string,\n DataGroup:string,\n UserId:string ,\n DataOptionalGroups:string,\n DataCreatedAt:string,\n DataDownloadUrl:string,\n DataFilePath:string,\n DataFilename:string,\n DataUploadedFilename:string,\n Comments:string,\n DataNewValue:string,\n DataPolicyId:string,\n DataPolicyName:string,\n DataNewValueb:string,\n DataShouldReboot:bool,\n DataRoleName:string,\n DataScopeLevelName:string,\n ActiveDirectoryComputerDistinguishedName:string,\n 
ActiveDirectoryComputerMemberOf:string,\n ActiveDirectoryLastUserDistinguishedName:string,\n ActiveDirectoryLastUserMemberOf:string,\n ActiveThreats:int,\n AgentVersion:string,\n AllowRemoteShell:bool,\n AppsVulnerabilityStatus:string,\n ComputerName:string,\n ConsoleMigrationStatus:string,\n CoreCount:int,\n CpuCount:int,\n CpuId:string,\n SrcDvcDomain:string,\n EncryptedApplications:bool,\n ExternalId:string,\n ExternalIp:string,\n FirewallEnabled:bool,\n GroupIp:string,\n InRemoteShellSession:bool,\n Infected:bool,\n InstallerType:string,\n IsActive:bool,\n IsDecommissioned:bool,\n IsPendingUninstall:bool,\n IsUninstalled:bool,\n IsUpToDate:bool,\n LastActiveDate:string,\n TargetProcessInfo:string ,\n LastIpToMgmt:string,\n LastLoggedInUserName:string,\n LicenseKey:string,\n LocationEnabled:bool,\n LocationType:string,\n Locations:string,\n MachineType:string,\n MitigationMode:string,\n MitigationModeSuspicious:string,\n SrcDvcModelName:string,\n NetworkInterfaces:string,\n NetworkQuarantineEnabled:bool,\n NetworkStatus:string,\n OperationalState:string,\n OsArch:string,\n SrcDvcOs:string,\n OsRevision:string,\n OsStartTime:datetime ,\n OsType:string,\n RangerStatus:string,\n RangerVersion:string,\n RegisteredAt:string,\n RemoteProfilingState:string,\n ScanFinishedAt:string,\n ScanStartedAt:string,\n ScanStatus:string,\n ThreatRebootRequired:bool,\n TotalMemory:int,\n SourceParentProcessInfo:string ,\n UserActionsNeeded:string,\n Uuid:string,\n Creator:string,\n ContainerInfo:string,\n CreatorId:string,\n Inherits:string ,\n IsDefault:string ,\n Name:string,\n RegistrationToken:string,\n AlertInfo:string,\n PrimaryDescription:string ,\n TotalAgents:real ,\n CreatedAt:datetime ,\n Id:string,\n Type:string\n )[]; \n let SentinelOneV1_Empty = datatable (\n accountId_s:string,\n accountName_s:string,\n activityType_d:real,\n createdAt_t:datetime ,\n data_accountName_s:string,\n data_fullScopeDetails_s:string,\n data_scopeLevel_s:string,\n data_scopeName_s:string,\n 
data_siteId_d:int,\n data_siteName_s:string,\n data_username_s:string,\n id_s:string,\n primaryDescription_s:string,\n siteId_s:string,\n siteName_s:string,\n updatedAt_t:datetime ,\n userId_s:string,\n event_name_s:string,\n data_byUser_s:string,\n data_role_s:string,\n data_userScope_s:string,\n description_s:string,\n data_source_s:string,\n data_expiryDateStr_s:string,\n data_expiryTime_d:int,\n data_networkquarantine_b:bool,\n data_ruleCreationTime_d:int,\n data_ruleDescription_s:string,\n data_ruleExpirationMode_s:string,\n data_ruleId_d:int,\n data_ruleName_s:string,\n data_ruleQueryDetails_s:string,\n data_ruleQueryType_s:string,\n data_ruleSeverity_s:string,\n data_scopeId_d:int,\n data_status_s:string,\n data_systemUser_d:int,\n data_treatasthreat_s:string,\n data_userId_d:int,\n data_userName_s:string,\n secondaryDescription_s:string,\n agentId_s:string,\n data_computerName_s:string,\n data_externalIp_s:string,\n data_groupName_s:string,\n data_system_b:bool,\n data_uuid_g:string,\n groupId_s:string,\n groupName_s:string,\n data_group_s:string,\n data_optionalGroups_s:string,\n data_createdAt_t:string,\n data_downloadUrl_s:string,\n data_filePath_s:string,\n data_filename_s:string,\n data_uploadedFilename_s:string,\n comments_s:string,\n data_newValue_s:string,\n data_policy_id_s:string,\n data_policyName_s:string,\n data_newValue_b:bool,\n data_shouldReboot_b:bool,\n data_roleName_s:string,\n data_scopeLevelName_s:string,\n activeDirectory_computerDistinguishedName_s:string,\n activeDirectory_computerMemberOf_s:string,\n activeDirectory_lastUserDistinguishedName_s:string,\n activeDirectory_lastUserMemberOf_s:string,\n activeThreats_d:real,\n agentVersion_s:string,\n allowRemoteShell_b:bool,\n appsVulnerabilityStatus_s:string,\n computerName_s:string,\n consoleMigrationStatus_s:string,\n coreCount_d:real,\n cpuCount_d:real ,\n cpuId_s:string,\n domain_s:string,\n encryptedApplications_b:bool,\n externalId_s:string,\n externalIp_s:string,\n 
firewallEnabled_b:bool,\n groupIp_s:string,\n inRemoteShellSession_b:bool,\n infected_b:bool,\n installerType_s:string,\n isActive_b:bool,\n isDecommissioned_b:bool,\n isPendingUninstall_b:bool,\n isUninstalled_b:bool,\n isUpToDate_b:bool,\n lastActiveDate_t:string,\n lastIpToMgmt_s:string,\n lastLoggedInUserName_s:string,\n licenseKey_s:string,\n locationEnabled_b:bool,\n locationType_s:string,\n locations_s:string,\n machineType_s:string,\n mitigationMode_s:string,\n mitigationModeSuspicious_s:string,\n modelName_s:string,\n networkInterfaces_s:string,\n networkQuarantineEnabled_b:bool,\n networkStatus_s:string,\n operationalState_s:string,\n osArch_s:string,\n osName_s:string,\n osRevision_s:string,\n osStartTime_t:datetime ,\n osType_s:string,\n rangerStatus_s:string,\n rangerVersion_s:string,\n registeredAt_t:string,\n remoteProfilingState_s:string,\n scanFinishedAt_t:string,\n scanStartedAt_t:string,\n scanStatus_s:string,\n threatRebootRequired_b:bool,\n totalMemory_d:real ,\n userActionsNeeded_s:string,\n uuid_g:string,\n creator_s:string,\n creatorId_s:string,\n inherits_b:string ,\n isDefault_b:string ,\n name_s:string,\n registrationToken_s:string,\n totalAgents_d:real ,\n AlertInfo:string,\n type_s:string\n )[];\nlet SentinelOneV1Empty_Union= union isfuzzy=true SentinelOne_CL,SentinelOneV1_Empty\n | extend \n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n AccountId=column_ifexists('accountId_s', ''),\n AccountName=column_ifexists('accountName_s', ''),\n ActivityType=toreal(column_ifexists('activityType_d', '')),\n EventCreationTime=todatetime(column_ifexists('createdAt_t', 'CreatedAt')),\n DataAccountName=column_ifexists('data_accountName_s', ''),\n DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),\n DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),\n DataScopeName=column_ifexists('data_scopeName_s', ''),\n DataSiteId=column_ifexists('data_siteId_d', ''),\n DataSiteName=column_ifexists('data_siteName_s', ''),\n 
SrcUserName=column_ifexists('data_username_s', ''),\n EventId=column_ifexists('id_s', ''),\n EventOriginalMessage=column_ifexists('primaryDescription_s', ''),\n PrimaryDescription=column_ifexists('primaryDescription_s', ''),\n SiteId=column_ifexists('siteId_s', ''),\n SiteName=column_ifexists('siteName_s', ''),\n UpdatedAt=column_ifexists('updatedAt_t', ''),\n UserIdentity=column_ifexists('userId_s', ''),\n UserId=column_ifexists('userId_s', ''),\n EventType=column_ifexists('event_name_s', ''),\n DataByUser=column_ifexists('data_byUser_s', ''),\n DataRole=column_ifexists('data_role_s', ''),\n DataUserScope=column_ifexists('data_userScope_s', ''),\n EventTypeDetailed=column_ifexists('description_s', ''),\n DataSource=column_ifexists('data_source_s', ''),\n DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),\n DataExpiryTime=column_ifexists('data_expiryTime_d', ''),\n DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),\n DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),\n DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),\n DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),\n DataRuleId=column_ifexists('data_ruleId_d', ''),\n DataRuleName=column_ifexists('data_ruleName_s', ''),\n DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),\n DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),\n DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),\n DataScopeId=column_ifexists('data_scopeId_d', ''),\n Id=column_ifexists('id_s', ''),\n DataStatus=column_ifexists('data_status_s', ''),\n DataSystemUser=column_ifexists('data_systemUser_d', ''),\n DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),\n DataUserId=column_ifexists('data_userId_d', ''),\n DataUserName=column_ifexists('data_userName_s', ''),\n EventSubStatus=column_ifexists('secondaryDescription_s', ''),\n SecondaryDescription=column_ifexists('secondaryDescription_s', ''),\n 
AgentId=column_ifexists('agentId_s', ''),\n DataComputerName=column_ifexists('data_computerName_s', ''),\n DataExternalIp=column_ifexists('data_externalIp_s', ''),\n DataGroupName=column_ifexists('data_groupName_s', ''),\n DataSystem=column_ifexists('data_system_b', ''),\n DataUuid=column_ifexists('data_uuid_g', ''),\n GroupId=column_ifexists('groupId_s', ''),\n GroupName=column_ifexists('groupName_s', ''),\n DataGroup=column_ifexists('data_group_s', ''),\n DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),\n DataCreatedAt=column_ifexists('data_createdAt_t', ''),\n DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),\n DataFilePath=column_ifexists('data_filePath_s', ''),\n DataFilename=column_ifexists('data_filename_s', ''),\n DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),\n Comments=column_ifexists('comments_s', ''),\n DataNewValue=column_ifexists('data_newValue_s', ''),\n DataPolicyId=column_ifexists('data_policy_id_s', ''),\n DataPolicyName=column_ifexists('data_policyName_s', ''),\n DataNewValueb=column_ifexists('data_newValue_b', ''),\n DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),\n DataRoleName=column_ifexists('data_roleName_s', ''),\n DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),\n ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),\n ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),\n ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),\n ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),\n ActiveThreats=column_ifexists('activeThreats_d', ''),\n AgentVersion=column_ifexists('agentVersion_s', ''),\n AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),\n AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),\n ComputerName=column_ifexists('computerName_s', ''),\n 
ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),\n CoreCount=column_ifexists('coreCount_d', ''),\n CpuCount=column_ifexists('cpuCount_d', ''),\n CpuId=column_ifexists('cpuId_s', ''),\n SrcDvcDomain=column_ifexists('domain_s', ''),\n EncryptedApplications=column_ifexists('encryptedApplications_b', ''),\n ExternalId=column_ifexists('externalId_s', ''),\n ExternalIp=column_ifexists('externalIp_s', ''),\n FirewallEnabled=column_ifexists('firewallEnabled_b', ''),\n GroupIp=column_ifexists('groupIp_s', ''),\n InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),\n Infected=column_ifexists('infected_b', ''),\n InstallerType=column_ifexists('installerType_s', ''),\n IsActive=column_ifexists('isActive_b', ''),\n IsDecommissioned=column_ifexists('isDecommissioned_b', ''),\n IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),\n IsUninstalled=column_ifexists('isUninstalled_b', ''),\n IsUpToDate=column_ifexists('isUpToDate_b', ''),\n LastActiveDate=column_ifexists('lastActiveDate_t', ''),\n LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),\n LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),\n LicenseKey=column_ifexists('licenseKey_s', ''),\n LocationEnabled=column_ifexists('locationEnabled_b', ''),\n LocationType=column_ifexists('locationType_s', ''),\n Locations=column_ifexists('locations_s', ''),\n MachineType=column_ifexists('machineType_s', ''),\n MitigationMode=column_ifexists('mitigationMode_s', ''),\n MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),\n SrcDvcModelName=column_ifexists('modelName_s', ''),\n NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),\n NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),\n NetworkStatus=column_ifexists('networkStatus_s', ''),\n OperationalState=column_ifexists('operationalState_s', ''),\n OsArch=column_ifexists('osArch_s', ''),\n SrcDvcOs=column_ifexists('osName_s', ''),\n 
OsRevision=column_ifexists('osRevision_s', ''),\n OsStartTime=column_ifexists('osStartTime_t', ''),\n OsType=column_ifexists('osType_s', ''),\n RangerStatus=column_ifexists('rangerStatus_s', ''),\n RangerVersion=column_ifexists('rangerVersion_s', ''),\n RegisteredAt=column_ifexists('registeredAt_t', ''),\n RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),\n ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),\n ScanStartedAt=column_ifexists('scanStartedAt_t', ''),\n ScanStatus=column_ifexists('scanStatus_s', ''),\n ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),\n TotalMemory=column_ifexists('totalMemory_d', ''),\n UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),\n Uuid=column_ifexists('uuid_g', ''),\n Creator=column_ifexists('creator_s', ''),\n CreatedAt=column_ifexists('createdAt_t',''),\n CreatorId=column_ifexists('creatorId_s', ''),\n Inherits=column_ifexists('inherits_b', ''),\n IsDefault=column_ifexists('isDefault_b', ''),\n Name=column_ifexists('name_s', ''),\n RegistrationToken=column_ifexists('registrationToken_s', ''),\n TotalAgents=column_ifexists('totalAgents_d', ''),\n Type=column_ifexists('type_s', '');\n union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union\n | extend \n ActivityType,\n EventVendor=\"SentinelOne\",\n EventProduct=\"SentinelOne\",\n DataAccountName=tostring(parse_json(todynamic(Data)).accountName),\n DataFullScopeDetails=tostring(parse_json(todynamic(Data)).fullScopeDetails),\n DataScopeLevel=tostring(parse_json(todynamic(Data)).scopeLevel),\n DataScopeName=tostring(parse_json(todynamic(Data)).scopeName),\n DataSiteId=tostring(parse_json(todynamic(Data)).siteId),\n DataSiteName=tostring(parse_json(todynamic(Data)).siteName),\n SrcUserName=tostring(parse_json(todynamic(Data)).userName),\n EventId=Id,\n SourceParentProcessInfo,\n EventOriginalMessage=PrimaryDescription,\n 
UserIdentity=UserId,\n EventTypeDetailed=Description,\n DataRuleId=tostring(parse_json(todynamic(Data)).ruleId),\n DataRuleName=tostring(parse_json(todynamic(Data)).rulename),\n DataScopeId=tostring(parse_json(todynamic(Data)).scopeId),\n DataSystemUser=tostring(parse_json(todynamic(Data)).systemUser),\n DataUserId=tostring(parse_json(todynamic(Data)).userId),\n DataUserName=tostring(parse_json(todynamic(Data)).userName),\n EventSubStatus=SecondaryDescription,\n DataComputerName=tostring(parse_json(todynamic(Data)).computerName),\n DataExternalIp=tostring(parse_json(todynamic(Data)).externalIp),\n DataGroupName=tostring(parse_json(todynamic(Data)).groupName),\n DataStatus=tostring(parse_json(todynamic(Data)).status),\n DataByUser=tostring(parse_json(todynamic(Data)).byUser),\n DataRole=tostring(parse_json(todynamic(Data)).role),\n DataUserScope=tostring(parse_json(todynamic(Data)).userScope),\n DataSource=tostring(parse_json(todynamic(Data)).source),\n DataExpiryDateStr=tostring(parse_json(todynamic(Data)).expiryDateStr),\n DataExpiryTime=tostring(parse_json(todynamic(Data)).expiryTime),\n DataNetworkquarantine=tostring(parse_json(todynamic(Data)).networkquarantine),\n DataRuleCreationTime=tostring(parse_json(todynamic(Data)).ruleCreationTime),\n DataUuid=Uuid,\n DataGroup=tostring(parse_json(todynamic(Data)).group),\n DataRuleDescription=tostring(parse_json(todynamic(Data)).ruleDescription),\n EventType=tostring(parse_json(todynamic(AlertInfo)).eventType),\n DataRuleExpirationMode=tostring(parse_json(todynamic(Data)).ruleExpirationMode),\n DataRuleQueryDetails=tostring(parse_json(todynamic(Data)).ruleQueryDetails),\n DataRuleQueryType=tostring(parse_json(todynamic(Data)).ruleQueryType),\n DataRuleSeverity=tostring(parse_json(todynamic(Data)).ruleSeverity),\n DataSystem=tostring(parse_json(todynamic(Data)).system),\n DataOptionalGroups=tostring(parse_json(todynamic(Data)).optionalGroups),\n DataCreatedAt=tostring(parse_json(todynamic(Data)).createdAt),\n 
DataDownloadUrl=tostring(parse_json(todynamic(Data)).downloadUrl),\n DataFilePath=tostring(parse_json(todynamic(Data)).filePath),\n DataFilename=tostring(parse_json(todynamic(Data)).filename),\n DataUploadedFilename=tostring(parse_json(todynamic(Data)).uploadedFilename),\n DataNewValue=tostring(parse_json(todynamic(Data)).newValue),\n DataPolicyId=tostring(parse_json(todynamic(Data)).policyId),\n DataPolicyName=tostring(parse_json(todynamic(Data)).policyName),\n DataShouldReboot=tostring(parse_json(todynamic(Data)).shouldReboot),\n DataRoleName=tostring(parse_json(todynamic(Data)).roleName),\n DataScopeLevelName=tostring(parse_json(todynamic(Data)).scopeLevelName),\n ActiveDirectoryComputerDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).computerDistinguishedName),\n ActiveDirectoryComputerMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).computerMemberOf),\n ActiveDirectoryLastUserDistinguishedName=tostring(parse_json(todynamic(ActiveDirectory)).lastUserDistinguishedName),\n ActiveDirectoryLastUserMemberOf=tostring(parse_json(todynamic(ActiveDirectory)).lastUserMemberOf),\n SrcDvcDomain=Domain,\n AlertInfo=tostring(AlertInfo),\n FirewallEnabled=column_ifexists('FirewallEnabled',''),\n IsUninstalled=column_ifexists('IsUninstalled',''),\n EncryptedApplications=column_ifexists('EncryptedApplications',''),\n OsStartTime=column_ifexists('OsStartTime',''),\n InRemoteShellSession=column_ifexists('InRemoteShellSession',''),\n ThreatRebootRequired=column_ifexists('ThreatRebootRequired',''),\n IsPendingUninstall=column_ifexists('IsPendingUninstall',''),\n IsUpToDate=column_ifexists('IsUpToDate',''),\n IsDecommissioned=column_ifexists('IsDecommissioned',''),\n IsActive=column_ifexists('IsActive',''),\n Infected=column_ifexists('Infected',''),\n AllowRemoteShell=column_ifexists('AllowRemoteShell',''),\n LocationEnabled=column_ifexists('LocationEnabled',''),\n SrcDvcModelName=ModelName,\n 
NetworkQuarantineEnabled=column_ifexists('NetworkQuarantineEnabled',''),\n SrcDvcOs=OsName,\n SourceProcessInfo,\n RuleInfo,\n TargetProcessInfo,\n ContainerInfo,\n EventCreationTime=CreatedAt,\n RemoteProfilingState=column_ifexists('RemoteProfilingState','')\n | project\n TimeGenerated, \n EventVendor,\n EventProduct,\n AccountName,\n SourceParentProcessInfo,\n TargetProcessInfo,\n ActivityType,\n EventCreationTime,\n DataAccountName,\n DataFullScopeDetails,\n DataScopeLevel,\n DataScopeName,\n DataSiteId,\n SourceProcessInfo,\n DataSiteName,\n SrcUserName,\n EventId,\n EventOriginalMessage,\n SiteId,\n SiteName,\n UpdatedAt,\n UserIdentity,\n EventType,\n DataByUser,\n DataRole,\n DataUserScope,\n EventTypeDetailed,\n DataSource,\n DataExpiryDateStr,\n DataExpiryTime,\n DataNetworkquarantine,\n DataRuleCreationTime,\n DataRuleDescription,\n DataRuleExpirationMode,\n DataRuleId,\n DataRuleName,\n DataRuleQueryDetails,\n DataRuleQueryType,\n DataRuleSeverity,\n DataScopeId,\n DataStatus,\n DataSystemUser,\n DataTreatasthreat,\n DataUserId,\n DataUserName,\n EventSubStatus,\n AgentId,\n DataComputerName,\n DataExternalIp,\n DataGroupName,\n DataSystem,\n DataUuid,\n GroupId,\n GroupName,\n DataGroup,\n DataOptionalGroups,\n DataCreatedAt,\n DataDownloadUrl,\n DataFilePath,\n DataFilename,\n DataUploadedFilename,\n Comments,\n DataNewValue,\n DataPolicyId,\n DataPolicyName,\n DataNewValueb,\n DataShouldReboot,\n DataRoleName,\n DataScopeLevelName,\n ActiveDirectoryComputerDistinguishedName,\n ActiveDirectoryComputerMemberOf,\n ActiveDirectoryLastUserDistinguishedName,\n ActiveDirectoryLastUserMemberOf,\n ActiveThreats=toreal(activeThreats_d),\n AgentVersion,\n AllowRemoteShell,\n AppsVulnerabilityStatus,\n ComputerName,\n ConsoleMigrationStatus,\n CoreCount=toreal(coreCount_d),\n CpuCount=toreal(cpuCount_d),\n CpuId,\n SrcDvcDomain,\n EncryptedApplications,\n ExternalId,\n ExternalIp,\n FirewallEnabled,\n GroupIp,\n InRemoteShellSession,\n Infected,\n 
InstallerType,\n IsActive,\n IsDecommissioned,\n IsPendingUninstall,\n IsUninstalled,\n IsUpToDate,\n LastActiveDate=tostring(LastActiveDate_datetime),\n LastIpToMgmt,\n LastLoggedInUserName,\n LicenseKey,\n LocationEnabled,\n LocationType,\n Locations,\n MachineType,\n MitigationMode,\n MitigationModeSuspicious,\n SrcDvcModelName,\n NetworkInterfaces,\n NetworkQuarantineEnabled,\n NetworkStatus,\n OperationalState,\n OsArch,\n SrcDvcOs,\n OsRevision,\n OsStartTime,\n OsType,\n RangerStatus,\n RangerVersion,\n RegisteredAt=tostring(RegisteredAt_datetime),\n RemoteProfilingState,\n ScanFinishedAt=tostring(ScanFinishedAt_datetime),\n ScanStartedAt=tostring(ScanStartedAt_datetime),\n ScanStatus,\n ThreatRebootRequired,\n TotalMemory=toreal(totalMemory_d),\n UserActionsNeeded,\n Uuid,\n Creator,\n CreatorId,\n Inherits,\n IsDefault,\n Name,\n AlertInfo,\n RuleInfo,\n ContainerInfo,\n RegistrationToken,\n TotalAgents=totalAgents_d,\n Type;\n };\n SentinelOne_view\n", "functionParameters": "", "version": 2, "tags": [ @@ -2934,8 +2928,8 @@ { "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ], "entityType": "Account" @@ -2943,8 +2937,8 @@ { "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ], "entityType": "IP" @@ -3047,8 +3041,8 @@ { "fieldMappings": [ { - "columnName": "HostCustomEntity", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostCustomEntity" } ], "entityType": "Host" @@ -3151,8 +3145,8 @@ { "fieldMappings": [ { - "columnName": "HostCustomEntity", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostCustomEntity" } ], "entityType": "Host" 
@@ -3255,8 +3249,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountCustomEntity"
 }
 ],
 "entityType": "Account"
@@ -3264,12 +3258,12 @@
 {
 "fieldMappings": [
 {
- "columnName": "HashCustomEntity",
- "identifier": "Value"
+ "identifier": "Value",
+ "columnName": "HashCustomEntity"
 },
 {
- "columnName": "HashAlgorithmCustomEntity",
- "identifier": "Algorithm"
+ "identifier": "Algorithm",
+ "columnName": "HashAlgorithmCustomEntity"
 }
 ],
 "entityType": "FileHash"
@@ -3372,8 +3366,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountCustomEntity"
 }
 ],
 "entityType": "Account"
@@ -3476,8 +3470,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostCustomEntity"
 }
 ],
 "entityType": "Host"
@@ -3580,8 +3574,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountCustomEntity"
 }
 ],
 "entityType": "Account"
@@ -3684,8 +3678,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountCustomEntity"
 }
 ],
 "entityType": "Account"
@@ -3788,8 +3782,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountCustomEntity"
 }
 ],
 "entityType": "Account"
@@ -3894,8 +3888,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostCustomEntity"
 }
 ],
 "entityType": "Host"
@@ -3998,8 +3992,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountCustomEntity"
 }
 ],
 "entityType": "Account"
@@ -4007,8 +4001,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostCustomEntity"
 }
 ],
 "entityType": "Host"
@@ -5065,7 +5059,7 @@
 }
 ]
 },
- "firstPublishDate": "2022-04-01",
+ "firstPublishDate": "2024-11-26",
 "providers": [
 "SentinelOne"
 ],
diff --git a/Solutions/SentinelOne/ReleaseNotes.md b/Solutions/SentinelOne/ReleaseNotes.md
index 2d0889dff63..712edb3797c 100644
--- a/Solutions/SentinelOne/ReleaseNotes.md
+++ b/Solutions/SentinelOne/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
-| 3.0.2 | 11-09-2024 | Updated the python runtime version to 3.11 |
-| 3.0.1 | 03-05-2024 | Repackaged for parser issue fix |
+| 3.0.3 | 12-12-2024 | Added new CCP **Data Connector** and Updated **Parser** |
+| 3.0.2 | 11-09-2024 | Updated the python runtime version to 3.11 in **Data Connector** Function App |
+| 3.0.1 | 03-05-2024 | Repackaged for **Parser** issue fix |
 | 3.0.0 | 28-07-2023 | Bug fixes in API version. |
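Review bot: The `-5065,7 +5059,7` hunk of mainTemplate.json overwrites `firstPublishDate` with `"2024-11-26"`, which looks wrong for a field whose name records when the solution was first published: the previous value was `"2022-04-01"`, and the ReleaseNotes hunk in this same commit lists releases back to 3.0.0 on 28-07-2023, so the solution clearly predates this commit. The line should presumably stay `"firstPublishDate": "2022-04-01",` and only the last-publish date be advanced for the 3.0.3 release; that field is not visible in this hunk, so I cannot confirm where it is set. Rewriting the first-publish date also makes the catalogue metadata disagree with the solution's own change history, which is the kind of drift a reviewer later has to untangle.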